Re: [Samba] LDAP - Samba password synchronization

2012-08-10 Thread Nico Kadel-Garcia
On Thu, Aug 9, 2012 at 10:17 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
> The best approach is to configure samba to change the ldap password when
> a samba password changes.  See the smb.conf man page and password sync
> and password chat options.

LDAP doesn't usually actually have the password information. In most
modern setups, *Kerberos* has the passwords and provides the
authentication, and LDAP provides other account information,
integrated with Kerberos.

It turns out to be easy to switch from using local passwords to
Kerberos authentication on Linux and many UNIX systems.  The exact
commands vary, but on RHEL 6 with DNS properly configured to use Samba
or AD Kerberos authentication:

   sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --test
   sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --update

Configure the local UNIX passwords to have locked passwords which do
not expire, and you can rely on the Kerberos for account expiration,
instead.

  sudo -s -H                  # do this first in case you're locking your own account
  usermod -p '!!' username    # lock local password thoroughly
  chage -l username           # check settings
  chage -M -1 -E -1 username  # disable password obsolescence and non-Kerberos expiration
  chage -l username           # verify settings

Do the 'sudo -s -H' because chage gets a bit weird when run as a
non-root user through sudo.

The end result is to enable the kerberized authentication, and disable
local passwords entirely. Passwords should then be updateable with the
kpasswd command, and tools like recent versions of SSH and Apache
can manage Kerberos tickets for genuine single-sign-on, as well as
relying on the Kerberos authentication instead of local passwords.

> Samba and Unix use different password hash mechanisms so you have to
> have separate password fields. The only other secure way may be to
> configure Windows clients to use kerberos authentication-  but that is a
> much bigger project.

See above. If you're using various Samba configurations that rely on
Kerberos for authentication, such as ads, then this can save a lot
of password management trouble.



> On 08/09/12 09:55, RAKESH PRITMANI wrote:
>> Is there a way to synchronize SambaLmPassword   NTLMpassword from LDAP
>> password. ldap passwd sync allows to sync ldap passwd from samba, I
>> need the other way. I already have external LDAP server with CRYPT
>> passwords and need to set SambaLMPasswd with these LDAP passwords.


> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
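An added example, not code from Nico's post or from the Samba project: the RHEL 6 procedure above wrapped in a small POSIX shell script. It adds a dry-run mode that only prints the authconfig/usermod/chage commands, refuses to run for real unless it is root (the reason for the 'sudo -s -H' above), and checks the text printed by 'chage -l' afterwards to confirm that local password ageing and account expiry are really off, so that Kerberos alone governs expiry. The realm name EXAMPLE.COM, the user alice, the script name krb5-switch.sh and the two sample chage outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list post): Nico's RHEL 6 switch-to-Kerberos
# procedure as a script.  DRY_RUN=1 (the default) only prints the commands;
# DRY_RUN=0 runs them and therefore must be started as root.
# Assumed usage:  DRY_RUN=0 sh krb5-switch.sh EXAMPLE.COM alice

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: turn on Kerberos authentication for the given realm, trying the
# configuration with --test before committing it with --update.
enable_krb5() {
    realm=$1
    run authconfig --enablekrb5 --krb5realm="$realm" --enablekrb5kdcdns --test &&
        run authconfig --enablekrb5 --krb5realm="$realm" --enablekrb5kdcdns --update
}

# Step 2: lock the local password ('!!' can never match a hash) and switch
# off local password ageing and account expiry, so Kerberos alone decides.
lock_local_password() {
    user=$1
    run usermod -p '!!' "$user" &&
        run chage -M -1 -E -1 "$user"
}

# Post-check on the text printed by `chage -l user`: returns 0 only when both
# the password and the account are reported as never expiring locally.
aging_disabled() {
    printf '%s\n' "$1" | grep -q '^Password expires[[:space:]]*: never' &&
        printf '%s\n' "$1" | grep -q '^Account expires[[:space:]]*: never'
}

# Constructed sample outputs of `chage -l`, for checking aging_disabled offline.
SAMPLE_CHAGE_OK='Last password change                                    : Aug 10, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : -1
Number of days of warning before password expires       : 7'

SAMPLE_CHAGE_BAD='Last password change                                    : Aug 10, 2012
Password expires                                        : Nov 08, 2012
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7'

# Whole procedure: refuse to run for real unless root, then do both steps
# and verify the result against the real `chage -l` output.
main() {
    realm=$1; user=$2
    if [ "${DRY_RUN:-1}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root (sudo -s -H) or set DRY_RUN=1" >&2
        return 2
    fi
    enable_krb5 "$realm" && lock_local_password "$user" || return 1
    if [ "${DRY_RUN:-1}" != "1" ]; then
        aging_disabled "$(chage -l "$user")" || {
            echo "local password ageing is still active for $user" >&2
            return 1
        }
    fi
}

# Only run when called with realm and user; safe to source otherwise.
if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 to see exactly which commands will be issued, then as root with DRY_RUN=0; the final aging_disabled check is the scripted form of the second 'chage -l username' in the post.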


[Samba] LDAP - Samba password synchronization

2012-08-09 Thread RAKESH PRITMANI
Is there a way to synchronize SambaLmPassword   NTLMpassword from LDAP
password. ldap passwd sync allows to sync ldap passwd from samba, I
need the other way. I already have external LDAP server with CRYPT
passwords and need to set SambaLMPasswd with these LDAP passwords.


Re: [Samba] LDAP - Samba password synchronization

2012-08-09 Thread Gaiseric Vandal
The best approach is to configure samba to change the ldap password when
a samba password changes.  See the smb.conf man page and password sync
and password chat options.

If you have unix users who want to change their ldap passwords, tell
them to use the smbpasswd -r pdc_server_name command-  if password
sync is enabled in samba then both their ldap and samba passwords will
change.

Samba and Unix use different password hash mechanisms so you have to
have separate password fields. The only other secure way may be to
configure Windows clients to use kerberos authentication-  but that is a
much bigger project.


On 08/09/12 09:55, RAKESH PRITMANI wrote:
> Is there a way to synchronize SambaLmPassword   NTLMpassword from LDAP
> password. ldap passwd sync allows to sync ldap passwd from samba, I
> need the other way. I already have external LDAP server with CRYPT
> passwords and need to set SambaLMPasswd with these LDAP passwords.

