Re: FreeBSD + LDAP + SAMBA + WINDOWS

2008-06-06 Thread Ulrich Spoerlein
On Wed, 28.05.2008 at 19:11:06 -0300, Israel Lehnen Silva wrote:
> Friends,
> 
> I have the following scenario:
> 
> A FreeBSD 7.0 Stable server authenticating against an LDAP base through
> PAM (pam_ldap and nss_ldap).
> On the same server, SAMBA 3.0.28 is running, also authenticating against
> the LDAP base and using the smbldap-tools scripts.
> The LDAPAdmin tool is used for administration of the LDAP base.
> 
> THE PROBLEM:
> 
> When I change a user's password in the LDAP base through LDAPAdmin,
> I select the cryptography "MD5 Crypt" for the userPassword attribute.
> This way, I can log in to Windows and to FreeBSD by terminal, ssh...
> But when I change the user's password from Windows, the cryptography of
> the password in the userPassword attribute
> is changed to SSHA, and so the user cannot connect to FreeBSD, only to
> Windows.
> 
> FreeBSD and SAMBA authenticating in LDAP,
> with users changing their own password, without interfering with ssh auth
> on FreeBSD...
> Has anyone implemented this???

Hi,

I think you have this backwards. In our setup, with Samba password sync
active, users can change their samba{LM,NT}passwords and have
their userPassword updated accordingly. Samba will not change the
algorithm used, though (we use {CRYPT}, don't ask ...)

The other way round, though, will only update the userPassword and not
change the samba{LM,NT}passwords, leading to the old password still being
valid for Windows.

We're using a small CGI script where our users can change (both)
passwords in their browser.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
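
To see which scheme a password change actually wrote to userPassword (the "MD5 Crypt" versus SSHA difference this thread is about), the attribute can be read back and classified. The following Python sketch is an added example, not code from either poster; the sample LDIF lines, password and salt are constructed.

```python
import base64
import hashlib
import hmac
import re

# crypt(3) variants are told apart by the prefix of the hash string.
CRYPT_PREFIXES = {b"$1$": "MD5", b"$2": "Blowfish", b"$5$": "SHA-256", b"$6$": "SHA-512"}

def decode_ldif_value(line):
    """Raw attribute value from one LDIF line; 'attr:: ...' means base64."""
    _, _, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip())
    return value.strip().encode()

def classify(stored):
    """Name the storage scheme of a userPassword value."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        return "cleartext"
    scheme, rest = m.group(1).decode().upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme
    for prefix, name in CRYPT_PREFIXES.items():
        if rest.startswith(prefix):
            return "CRYPT/" + name
    return "CRYPT/other"

def make_ssha(password, salt):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def verify_ssha(stored, password):
    """Check a password against a {SSHA} value (20-byte digest, then salt)."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

# Constructed sample lines in the form ldapsearch prints them.
SAMPLE = [
    "userPassword: {CRYPT}$1$saltsalt$0123456789abcdefghijkl",
    "userPassword:: " + base64.b64encode(make_ssha("s3cret", b"\x01\x02\x03\x04")).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE:
        value = decode_ldif_value(line)
        print(classify(value), value[:20])
```

Run against a user's entry before and after a Windows-side password change, the classification shows whether the scheme in userPassword switched.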


FreeBSD + LDAP + SAMBA + WINDOWS

2008-05-28 Thread Israel Lehnen Silva
Friends,

I have the following scenario:

A FreeBSD 7.0 Stable server authenticating against an LDAP base through
PAM (pam_ldap and nss_ldap).
On the same server, SAMBA 3.0.28 is running, also authenticating against
the LDAP base and using the smbldap-tools scripts.
The LDAPAdmin tool is used for administration of the LDAP base.

THE PROBLEM:

When I change a user's password in the LDAP base through LDAPAdmin,
I select the cryptography "MD5 Crypt" for the userPassword attribute.
This way, I can log in to Windows and to FreeBSD by terminal, ssh...
But when I change the user's password from Windows, the cryptography of
the password in the userPassword attribute
is changed to SSHA, and so the user cannot connect to FreeBSD, only to
Windows.

FreeBSD and SAMBA authenticating in LDAP,
with users changing their own password, without interfering with ssh auth
on FreeBSD...
Has anyone implemented this???

The configuration of Samba:

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2008/05/05 16:13:37

[global]
  dos charset = CP850
  unix charset = ISO8859-1
  workgroup = NOVOARQ
  netbios name = NARQ
  server string = LDAP Teste
  # update encrypted = Yes
  # unix password sync = Yes
  passwd program = /usr/local/sbin/smbldap-passwd -u "%u"
  encrypt passwords = Yes
  # obey pam restrictions = Yes
  socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
  log level = 1
  log file = /var/log/samba/samba.log
  max log size = 0
  time server = Yes
  machine password timeout = 0
  logon script = %G.bat
  logon drive = H:
  logon home = \\NARQ\%U

  os level = 255
  preferred master = Yes
  domain master = yes
  domain logons = yes
  local master = yes

  passdb backend = ldapsam:ldap://ldap.dominio.com.br
  ldap passwd sync = Yes
  ldap delete dn = Yes
  ldap ssl = no
  ldap admin dn = cn=admin,dc=unilasalle,dc=edu,dc=br
  ldap suffix = dc=unilasalle,dc=edu,dc=br
  ldap machine suffix = ou=computadores
  ldap user suffix = ou=usuarios
  ldap group suffix = ou=grupos
  ldap idmap suffix = sambaDomainName=NOVOARQ
  idmap backend = ldap:ldap://ldap.dominio.com.br
  idmap uid = 1-65000
  idmap gid = 1-65000
  enable privileges = yes
  add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  # delete user script = /usr/local/sbin/smbldap-userdel "%u"
  add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  # delete group script = /usr/local/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
  add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

  utmp = Yes
  smb ports = 445 139
  name resolve order = wins bcast hosts
  time server = Yes
  template shell = /bin/false
  winbind use default domain = no
  map acl inherit = Yes
  strict locking = Yes
  wins support = Yes
  interfaces = bce0
  bind interfaces only = Yes

  dns proxy = No
  create mask = 0770
  force create mode = 0770
  directory mask = 0770
  force directory mode = 0770


Best regards,
Israel Lehnen Silva.