[Samba] pam_smbpass.so + samba300RC2 + LDAP
We've got the 'ldap auth sync = yes' working perfectly, but we'd like to have the SMB passwords updated via passwd and PAM-aware apps.

We tried pam_smbpass.so, but without any effect, no matter which of the required, sufficient or optional keywords we used in /etc/pam.d/passwd:

    passwd sufficient pam_ldap.so
    passwd optionnal pam_smbpass.so audit nullok use_authtok try_first_pass
    passwd required pam_unix.so try_first_pass
    ...

Has anyone successfully achieved this? I'm wondering if pam_smbpass has been fully rewritten for the 3.0.0 branch to support ldapsam.

Further, I'd like a user with only a valid PAM passwd to be able to init his SMB passwd with a simple passwd... In my opinion, it should be done straight away by use_authtok itself in pam_smbpass.

NOTE: We use Debian's unstable version of the required packages (samba-*, libpam-smbpass) and the new LDAP SAM schema.

Thanks in advance,

--
Julien DUPRE
Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
Allée d'Athènes
67300 Schiltigheim
Tel : 03 902 42 547
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Samba-3 Ldap Adding Administrator Account
[EMAIL PROTECTED] wrote:

> How do you add an Administrator account to ldap?
> I want to leave root in /etc/passwd but have Administrator in ldap.
> I have checked the Howto Collection and the Samba-Ldap-3 but they contain no information.
> The Ldap-Howto has a suggestion but then says not to use it.
>
> Godfrey

I don't know which version of samba you have; I use samba 3.0.0rc2 and LDAP. I didn't want to have root in LDAP either, as I plan to use my LDAP for two servers and I don't want the same root account/password.

In my smb.conf I write:

    passdb backend = ldapsam:ldap://127.0.0.1 tdbsam guest

then restart samba, and launch:

    pdbedit -b tdbsam -a root

You can check if it worked with:

    pdbedit -b tdbsam -L -v

It worked for me perfectly. I later added root and a few others to the Domain Admin group in an LDAP entry. The drawback is that the account's still named 'root', not 'Administrator'.

I hope this helps you a bit.

--
Eric DECORNOD,
Service Informatique
IUT Louis Pasteur Schiltigheim
[Samba] Re: samba+ldap passwd sync
Antoine Jacoutot wrote:

> Hi !
>
> I'm in trouble... I'm in the process of building a FreeBSD Samba server with LDAP support. So far, everything works great except password synchronization. It is the only thing I need left to do before my server goes into production, so I'm really looking for help.
>
> What I need is to be able to synchronize the Windows passwords with the Unix passwords. All passwords are stored in LDAP (ntPassword, lmPassword, userPassword), so there are no real Unix accounts (I use pam_ldap+nss_ldap).
>
> I read a lot of docs, tried a lot of scripts (ldapsync, ldapchpasswd...) but I cannot make it work. First, I think the passwd program is never launched, and second, I doubt those scripts work well with FreeBSD and crypted passwords.
>
> If there's anyone out there willing to help, I'd really appreciate it, I'm out of ideas...
>
> Thanks.
>
> Antoine

In samba 3.0.0 (if you use it) you have 'ldap password sync = yes' to sync when SMB passwords change. For the reverse, I'm still trying, without any results yet. My current attempts are about the pam_smbpass.so module, but it seems to be more difficult than I'd expected.

In my opinion, when using ldap password sync, the password program isn't used any more.

I hope you'll have more luck than me.

--
Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
[Samba] Re: Computer Appears in Wrong Workgroup
Dan Rasmussen wrote:

> Hello,
>
> I'm using Samba 3.0.0rc2-Debian on Debian unstable. At the time being it does everything I want it to except one: I'm in the wrong workgroup. Despite the line
>
>     workgroup = BETASIG
>
> in my smb.conf, I show up in the workgroup WORKGROUP. There is no mention of workgroup or WORKGROUP anywhere else in my smb.conf other than this. Would be happy to share my smb.conf if that helps or provide any other relevant information.
>
> Thanks,
> Daniel Rasmussen

You can try to back up and remove the content of /var/lib/samba/ and restart samba, or try a dpkg-reconfigure on the main package. It may help; if some of the files are not re-created you can take them back from your backup or extract the content of the .deb package (dpkg-deb --extract) to find a 'clean' version of them.

A more radical thing you might try is to back up your smb.conf and 'purge'-reinstall the package.

I hope it'll help you; I use the same version of that package and don't have such a problem.

--
Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
[Samba] Samba 3.0.0 PDC + Win2000 Client + Group Policies
We want to build a Debian unstable samba 3.0.0beta2-1 as a PDC with plenty of Windows 2K clients. Joining the domain, Domain Logons, Roaming Profiles and Domain Groups are OK.

As we thought that Samba 3 cannot handle Win2K's GPOs (is that right?), we tried NT4-style Group Policies to restrict users' possibilities a bit (as we have students as users). Our opinion is that Mandatory Profiles are too restrictive.

So, as explained in the Windows 2000 Group Policy White Paper from Microsoft, in the "IntelliMirror features w/out Active Directory" chapter, we took a Unicode-enabled poledit.exe, removed the #if and #endif lines from the GPO's ADM template files, and created with it the required NTconfig.pol in the netlogon share.

We tried DefaultUser, a DomainGroup (net groupmap...), a user, and the policy didn't have any effect at all (we tried login/logout, secedit /refresh, and even some different letter cases for ntconfig.pol, just in case).

The surprising fact is that from another Win2K machine, with the same poledit and ADM files, I can remotely connect (without any password) to the registry of the domain user logged on to the Win2K client, check some restriction boxes, and IT WORKS, meaning that the policy changes were applied directly into the registry (after a reconnection or a restart of explorer.exe)!

It looks like the Win2K client doesn't read any \\PDC\netlogon\NTconfig.pol at all, just as it would have done without any NT4-style policies.

We'd like to have your feelings/opinions about it, as we're quite stuck...

Our smb.conf:

=== smb.conf : start ===
    # We stripped out da comments
    [global]
    netbios name = VARDA
    workgroup = ARDA
    server string = %h server (Samba %v)
    wins support = yes
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    security = user
    encrypt passwords = true
    passdb backend = tdbsam guest
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\...
    load printers = yes
    printing = cups
    printcap name = cups
    printer admin = @admin
    # Name mangling options
    preserve case = yes
    short preserve case = yes
    case sensitive = no
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes
    domain logons = yes
    preferred master = yes
    os level = 255
    ; logon script = logon.bat
    logon path = \\%L\profiles\%u
    logon drive = U:
    logon home = \\%L\%u\.winprofile
    # Some defaults for winbind (make sure you're not using the ranges
    # for something else.)
    ; idmap uid = 1-2
    ; idmap gid = 1-2
    ; template shell = /bin/bash

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0640
    directory mask = 0750

    # Un-comment the following and create the netlogon directory for Domain Logons
    # (you need to configure Samba to act as a domain controller too.)
    [netlogon]
    comment = Network Logon Service
    path = /iut/profiles/netlogon
    guest ok = yes
    writable = no
    #browseable = no
    write list = @admin
    share modes = no

    [profiles]
    comment = Network Profiles
    path = /iut/profiles/users
    writable = yes
    browsable = no
    create mask = 0600
    directory mask = 0700

    [printers]
    comment = Les Imprimantes
    browseable = no
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
    write list = root, @admin
=== smb.conf : end ===

Regards,

--
Julien DUPRE
Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
Allee d'Athenes
67300 Schiltigheim
Email: iut-ulp.sos-informatique AT iutlpa.u-strasbg.fr