[389-users] Synchronizing passwords

Juan Asensio Sánchez okelet at gmail.com
Wed Jun 30 11:12:38 UTC 2010 

Hi

Although I think the best solution for this is that Samba only update the
Unix password, and the server generates dinamically the sambaLM and sambaNT
passwords using a plugin (perhaps, in the future, we will contribute with
this plugins, but not right now), I have solved the problem described in my
first message in this way, in the samba configuration:

  * ldap passwd sync = No
  * unix password sync = Yes
  * passwd program = /usr/bin/perl -w
/opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
  * passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype
new password*" %n\n "*Password changed*"

So when a user tries to modify his password, then Samba tries to call the
"passwd program", and only if the command returns succesfully (the "passwd
chat" is ok), then it tries to update samba passwords, so the LDAP password
policies are checked when calling the smbldap-passwd script, because it will
fail if the password is not strong enough and the server rejects it.

I had to modify the script smbldap-passwd, because when the password is
changed succesfully, it did'nt print anything, and "passwd chat" needs some
string to check that the change has been succesfully (i had added "password
changed" in the script after the ldap operation when it is succesfull).

Hope this can help somebody.

Regards.


El 21 de junio de 2010 15:46, Miguel Medalha <miguelmedalha at sapo.pt>escribió:

>
>  Emmm, well, this makes samba update userPassword when changing the
>> password from Windows. But if i change the password from Linux, samba
>> passwords are not updated, because linux machines are autheticating directly
>> with LDAP, not with Samba (just userPassword).
>>
>
> In that case, the LDAP server must be capable of updating the Samba
> passwords when the LDAP password is changed, which takes us back to your
> original question.
>
> Anyway, the smb.conf parameter to use for that would be:
>
> "ldap passwd sync = Only"
>
> (Only = Only update the LDAP password and let the LDAP server do the rest.)
>
>
> If the 389 server doesn't do the required operation, I suppose that by
> using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a
> shell script it will be easy to modify all passwords with a single command.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100630/1aff1462/attachment.html>

More information about the 389-users mailing list