Hi,
I think simply that with the parameter ldap passwd sync, the passwd chat is not called. The only question I ask myself is: why change a password on a BDC? A BDC is a backup DC; if the PDC is down, a BDC can provide authentication. But you can modify the smb.conf of the BDC to:

passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"

kent wrote:
> Hi, Thanks for getting back to me so fast.
>
> Stéphane_Purnelle <[EMAIL PROTECTED]> wrote:
>
>> The LDAP server on 172.16.0.24 is the master LDAP server, but in the smb.conf of the BDC the LDAP server is on localhost. If the IP address of the BDC is 172.16.0.24, you should have no problem. Now, if it is different, you must configure LDAP for replication, because a password change on the PDC is not replicated to the BDC.
>>
>>> PDC: 172.16.0.13. However the master LDAP server is on 172.16.0.24. We use LDAP for mail authentication as well as OpenGroupware etc. There is no local copy of the LDAP directory on the PDC. Everything, including the operating system, points to 172.16.0.24.
>>>
>>> All of the BDCs have replicas. I realize that authentication to a BDC on a subnet uses the passdb backend, which in all of my BDCs is localhost. My problem with the BDCs is the password program, which I believe is changing the LDAP replica on the BDC and not the PDC. So I end up with a password mismatch.
>>>
>>> If I disable the password chat on all BDCs, will the password chat be passed on to the PDC?
>>>
>>> Thank you for your help.
>>>
>>> Kent N
>>>
>>>> The BDC does not verify the password with the PDC, but with the passdb backend only. You can disable these lines:
>>>>
>>>> passwd program = /usr/bin/smbpasswd %u
>>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>>>>
>>>> On the BDC.
>>>>
>>>> kent wrote:
>>>>> Have you used the -r option for smbpasswd to connect to the PDC in smb.conf? Just wondering what the password chat would be. I can test it out and see what works.
>>>>>
>>>>> Kent N
>>>>>
>>>>> Bruno Guerreiro <[EMAIL PROTECTED]> wrote:
>>>>>> Hi there,
>>>>>>
>>>>>> The best (only?) way to go is with an LDAP master+slave architecture. All changes must be done at the LDAP master server, which automatically replicates them to all slave LDAP servers. So, yes, the BDC MUST talk to the PDC, or at least to the master LDAP server, to change the password.
>>>>>>
>>>>>> Best Regards.
>>>>>> Bruno Guerreiro
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: kent [mailto:[EMAIL PROTECTED]]
>>>>>> Sent: Wednesday, 31 August 2005 11:15
>>>>>> To: [EMAIL PROTECTED]; Samba
>>>>>> Subject: Re: [Samba] BDC and password change program
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and Berkeley DB. Here is the smb.conf from one school that is a BDC:
>>>>>>
>>>>>> [global]
>>>>>> workgroup = WarehamPS
>>>>>> encrypt passwords = Yes
>>>>>> time offset = 60
>>>>>> time server = Yes
>>>>>> # log level = 5
>>>>>> socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>>> security = user
>>>>>> username map = /etc/samba/smbusers
>>>>>> logon script = whs1.bat
>>>>>> writable = Yes
>>>>>> interfaces = eth0 eth1
>>>>>> directory mask = 02770
>>>>>> preferred master = yes
>>>>>> netbios name = whs1
>>>>>> server string = Fedora Core 4 SAMBA server
>>>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>>>> ldap passwd sync = Yes
>>>>>> machine password timeout = 604800
>>>>>> passwd program = /usr/bin/smbpasswd %u
>>>>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>>>>>> log file = /var/log/samba/%m.log
>>>>>> debug level = 2
>>>>>> max log size = 50
>>>>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>>>>> logon path =
>>>>>> logon drive = H:
>>>>>> logon home =
>>>>>> domain logons = Yes
>>>>>> os level = 64
>>>>>> domain master = No
>>>>>> dns proxy = no
>>>>>> admin users = @domain_admins
>>>>>> wins support = no
>>>>>> wins server = 172.16.0.13
>>>>>> wins proxy = yes
>>>>>> local master = yes
>>>>>> name resolve order = hosts wins bcast
>>>>>> ldap suffix = dc=tow,dc=net
>>>>>> ldap machine suffix = ou=Computers
>>>>>> ldap user suffix = ou=Users
>>>>>> ldap group suffix = ou=Groups
>>>>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>>>>> ldap ssl = no
>>>>>>
>>>>>> [homes]
>>>>>> comment = Home Directories
>>>>>> read only = no
>>>>>> browseable = no
>>>>>> writable = yes
>>>>>> path = %H
>>>>>> # valid users = %S
>>>>>>
>>>>>> [netlogon]
>>>>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>>>>> path = /accounts/netlogon
>>>>>> comment = Netlogon share
>>>>>> locking = no
>>>>>> browseable = yes
>>>>>> valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>>>>> read only = yes
>>>>>> hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>>>>> write list = @domain_admins
>>>>>>
>>>>>> [staff]
>>>>>> comment = Staff directory
>>>>>> path = /accounts/common
>>>>>> create mode = 0660
>>>>>> browseable = no
>>>>>> write list = @whsstaff
>>>>>> valid users = @whsstaff
>>>>>>
>>>>>> [programs]
>>>>>> comment = Applications
>>>>>> path = /accounts/programs
>>>>>> browseable = no
>>>>>> create mode = 0660
>>>>>> write list = @whsstaff
>>>>>> valid users = @whsstaff
>>>>>>
>>>>>> [cafeteria]
>>>>>> path = /accounts/cafeteria/data
>>>>>> browseable = no
>>>>>> valid users = @whs-cafe, dperry
>>>>>> force group = whs-cafe
>>>>>> create mode = 0660
>>>>>> directory mode = 0770
>>>>>>
>>>>>> Here is the smb.conf for the PDC:
>>>>>>
>>>>>> [global]
>>>>>> workgroup = WarehamPS
>>>>>> encrypt passwords = Yes
>>>>>> time server = Yes
>>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>>> security = user
>>>>>> writable = Yes
>>>>>> interfaces = eth0 eth1
>>>>>> directory mask = 02770
>>>>>> preferred master = yes
>>>>>> local master = Yes
>>>>>> username map = /etc/samba/smbusers
>>>>>> netbios name = wms1
>>>>>> server string = Fedora Core 4 SAMBA Server
>>>>>> passdb backend = ldapsam:ldap://172.16.0.24
>>>>>> ldap passwd sync = Yes
>>>>>> machine password timeout = 604800
>>>>>> passwd program = /usr/bin/smbpasswd %u
>>>>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>>>>>> log file = /var/log/samba/%m.log
>>>>>> debug level = 2
>>>>>> max log size = 30
>>>>>> # add machine script = /usr/bin/smbpasswd -m %u
>>>>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>>>>> logon script = wms1.bat
>>>>>> logon path =
>>>>>> logon drive = H:
>>>>>> logon home =
>>>>>> domain logons = Yes
>>>>>> os level = 255
>>>>>> domain master = Yes
>>>>>> dns proxy = Yes
>>>>>> admin users = @domain_admins
>>>>>> wins support = Yes
>>>>>> remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>>>>> name resolve order = hosts wins bcast
>>>>>> ldap suffix = dc=tow,dc=net
>>>>>> ldap machine suffix = ou=Computers
>>>>>> ldap user suffix = ou=Users
>>>>>> ldap group suffix = ou=Groups
>>>>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>>>>> ldap ssl = no
>>>>>>
>>>>>> [homes]
>>>>>> comment = Home Directories
>>>>>> read only = no
>>>>>> browseable = no
>>>>>> writable = yes
>>>>>> path = %H
>>>>>> hide files = /.*/
>>>>>>
>>>>>> [netlogon]
>>>>>> comment = Netlogon share
>>>>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>>>>> path = /accounts/netlogon
>>>>>> valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>>>>> locking = no
>>>>>> browseable = no
>>>>>> read only = yes
>>>>>> write list = @domain_admins
>>>>>> hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>>>>>>
>>>>>> [cafeteria]
>>>>>> path = /accounts/cafeteria/data
>>>>>> browseable = yes
>>>>>> valid users = @wms-cafe, dperry
>>>>>> force group = wms-cafe
>>>>>> create mode = 0660
>>>>>> directory mode = 0770
>>>>>>
>>>>>> [staff]
>>>>>> path = /accounts/common
>>>>>> browseable = no
>>>>>> valid users = @wmsstaff
>>>>>> force group = wmsstaff
>>>>>> write list = @domain_admins, @wmsstaff
>>>>>> create mode = 0660
>>>>>> directory mode = 0770
>>>>>>
>>>>>> [programs]
>>>>>> path = /accounts/programs
>>>>>> browseable = no
>>>>>> valid users = @wmsstaff, @techstaff
>>>>>> create mode = 0660
>>>>>>
>>>>>> [tech]
>>>>>> path = /accounts/tech
>>>>>> browseable = no
>>>>>> valid users = @techstaff
>>>>>> force group = techstaff
>>>>>> write list = @techstaff
>>>>>> create mode = 0660
>>>>>> directory mode = 0770
>>>>>>
>>>>>> The addmachine.sh script is my own version of an add machine script. All users, groups and computers have corresponding POSIX accounts in LDAP as well as the Samba objectClass and attributes. I don't use any Windows utilities to manipulate user and group information in LDAP; I have my own set of routines tailored to our system that allows individual control of LDAP info, or we can batch add/delete accounts and user attributes with interactive shell scripts.
>>>>>>
>>>>>> My question to the Samba community is still: should the password program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password out of sync problem.
>>>>>>
>>>>>> Kent N.
>>>>>>
>>>>>> Marcio Luciano Donada <[EMAIL PROTECTED]> wrote:
>>>>>>> kent wrote:
>>>>>>> | Hello,
>>>>>>> |
>>>>>>> | Just wondering what I should be using for the password change program on a BDC. Should it be:
>>>>>>> |
>>>>>>> | passwd program = /usr/bin/smbpasswd -r <PDC address> %u
>>>>>>> |
>>>>>>> | I'm having a problem with passwords not staying in sync between the PDC and BDC with passdb backend ldap.
>>>>>>> |
>>>>>>> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
>>>>>>> |
>>>>>>> | Kent N
>>>>>>>
>>>>>>> Hello, I am trying to configure the BDC. How did you add the schema to your LDAP base? Could you supply your configuration (smb.conf) and smbldap.conf for me to analyze?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> --
>>>>>>> Márcio Luciano Donada
>>>>>>> T.I. Aurora Alimentos Chapecó(SC)
>>>>>>> Cooperativa Central Oeste Catarinense
>>>>>>> mdonada at auroraalimentos dot com dot br
>
>> --
>> Stéphane Purnelle <[EMAIL PROTECTED]>
>> Site Web : http://www.linuxplusvalue.be

--
Stéphane Purnelle <[EMAIL PROTECTED]>
Site Web : http://www.linuxplusvalue.be

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
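The configuration advice in this thread, checked mechanically: a BDC whose passdb backend names only the local replica, a passwd program/passwd chat pair that Samba never runs unless unix password sync is enabled, and ldap ssl = no against a remote directory. This is an added example and not code from the thread, from the Samba project or from any of the posters. The function names are hypothetical; the two [global] fragments are constructed from the keys kent posted plus the multi-URI backend line suggested in the reply; and ldap ssl = start tls in the corrected fragment is an assumption of this example, not something the thread recommends.

```python
"""Lint a Samba 3 BDC's smb.conf for the LDAP password-change pitfalls
discussed in the thread. Added example: not code from the thread, from
Samba, or from any poster. Function names are hypothetical and the two
[global] fragments are constructed for illustration."""
import re

# Constructed: the keys from kent's BDC that matter for password changes.
BDC_AS_POSTED = r"""
[global]
    workgroup = WarehamPS
    domain master = No
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap passwd sync = Yes
    passwd program = /usr/bin/smbpasswd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
    ldap admin dn = cn=admin,dc=tow,dc=net
    ldap ssl = no
"""

# Constructed: the same BDC with the multi-URI backend from the reply, the
# never-used passwd program/chat removed, and start tls (assumed, not from
# the thread) so the admin bind and the hashes do not cross the wire in clear.
BDC_CORRECTED = r"""
[global]
    workgroup = WarehamPS
    domain master = No
    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
    ldap passwd sync = Yes
    ldap admin dn = cn=admin,dc=tow,dc=net
    ldap ssl = start tls
"""

MASTER_LDAP = "ldap://172.16.0.24"            # the master named in the thread
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
YES = {"yes", "true", "1", "on"}


def parse_global(text):
    """Return the [global] section as {normalised key: value}. Samba key
    names are case-insensitive; lower-case them and collapse whitespace."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            conf[" ".join(key.lower().split())] = val.strip()
    return conf


def ldapsam_uris(backend):
    """Split 'ldapsam:"ldap://a ldap://b"' (or the unquoted single-URI form)
    into its list of URIs; anything that is not ldapsam yields []."""
    name, _, rest = backend.strip().partition(":")
    if name != "ldapsam":
        return []
    return rest.strip().strip('"').split()


def is_local(uri):
    m = re.match(r"ldaps?://([^/:]+)", uri)    # ldapi:// sockets have no host
    return m is None or m.group(1) in LOCAL_HOSTS


def lint_bdc(conf, master_uri=MASTER_LDAP):
    """Return [(severity, message)] findings for a BDC's [global] section."""
    out = []
    uris = ldapsam_uris(conf.get("passdb backend", ""))
    if not uris:
        return [("error", "passdb backend is not ldapsam with a URI; nothing to check")]
    if master_uri not in uris:   # a write (password change) must reach the master
        out.append(("error", "passdb backend %s does not include the master %s: "
                    "a password change lands on the local replica only" % (uris, master_uri)))
    prog, chat = conf.get("passwd program"), conf.get("passwd chat")
    if (prog or chat) and conf.get("unix password sync", "no").lower() not in YES:
        out.append(("warn", "passwd program/passwd chat are set but unix password sync "
                    "is off (the default), so Samba never runs them"))
    if prog and re.search(r"\bsmbpasswd\b.*\s-r\b", prog):
        out.append(("warn", "smbpasswd -r changes the SMB password on another host over "
                    "SMB; it is not a write to this host's LDAP replica"))
    if conf.get("ldap passwd sync", "no").lower() in YES | {"only"}:
        out.append(("info", "ldap passwd sync is on: Samba updates userPassword over LDAP itself"))
    remote = [u for u in uris if not is_local(u)]
    if remote and conf.get("ldap ssl", "").lower() in {"no", "off", "false"}:
        out.append(("warn", "ldap ssl is off with remote URI(s) %s: the ldap admin dn bind "
                    "and the NT/LM hashes cross the network in clear" % remote))
    return out


def worst(findings):
    rank = {"info": 0, "warn": 1, "error": 2}
    return max((sev for sev, _ in findings), key=rank.get, default="ok")


if __name__ == "__main__":
    for label, text in (("as posted", BDC_AS_POSTED), ("corrected", BDC_CORRECTED)):
        findings = lint_bdc(parse_global(text))
        print("BDC %s: %s" % (label, worst(findings)))
        for sev, msg in findings:
            print("  [%s] %s" % (sev, msg))
```

Run it as a script to see both fragments scored; point parse_global at a real smb.conf to check a live BDC. The ldapsam URI splitting mirrors the quoted multi-URI form Samba accepts, which is why the corrected fragment passes the master check while the posted one does not.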
