Samba/LDAP password synchronization

We have a setup here with an LDAP server (FC1) which also runs samba.
Usernames, passwords (and more) are stored in LDAP, and with samba, this
machine can also act as PDC for the windows machines in the network.

A problem with such a setup is to keep passwords synchronized between
unix and windows. We had a working setup to change passwords through
samba so changing a password from windows, or from Linux with smbpasswd,
changed the unix password, LM-hash and NT-hash in the LDAP database.

Samba with LDAP as password backend seems to change only the windows
password hashes, so for changing the unix password, we had a script
which was called through the 'passwd program' and 'passwd chat' options
in smb.conf. A bit of a hack, but it worked.

... until this setup was moved to a new machine on which FC2 was
installed. Now the passwd program script is never called any more, so
unix passwords are no longer being changed.
To find out what went wrong, we upgraded the FC1 machine to the latest
samba version (3.0.6-2.FC1) and now it exhibits the same behaviour: no
password script or program is executed when a user changes his password.

Does anyone know if something related to this behaviour was changed in
the latest samba release? The release notes mention nothing that looks
related. 

Or: does anyone know of another good way to make it possible to change
all passwords of a user at once so a user will always have only one
password?

Relevant parts of the smb.conf file:

[global]

   workgroup = STRW
   server string = noordzee
   netbios name  = noordzee

   passdb backend = ldapsam:ldap://noordzee.our.domain
   ldap admin dn = "uid=admin,ou=administrative,dc=our,dc=domain"
   ldap ssl = no
   ldap suffix = dc=our,dc=domain

   hosts allow = xxx.yyy.zzz.aaa

   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

   unix password sync = yes
   passwd program = /etc/samba/script %u
   passwd chat debug = yes
   passwd chat = "*New*UNIX*password*" %n\\n "*UNIX*password*" %n\\n "*succesfully*"

   local master = yes
   os level = 50
   domain master = yes
   preferred master = yes
   domain logons = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes



David Jansen
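
The 'passwd program' / 'passwd chat' mechanism the post relies on is an expect/send dialogue: smbd starts the program, waits for output matching each expect pattern, and writes the corresponding send string (with %n replaced by the new password) until the final expect matches or a step fails. The following simulator is an added example, not code from the post, from Samba, or from the script it mentions. It follows the rules documented in smb.conf(5) for the chat string (whitespace-separated tokens, double-quoted groups, %n/%o macros, \n/\r/\t/\s escapes, and '.' for "nothing") but uses Python's fnmatch as a stand-in for Samba's own wildcard matcher and assumes case-insensitive matching; the passwd-like program it talks to is a constructed stand-in, so it can be used to check whether a given chat string would complete against a given program's prompts before touching the real LDAP server.

```python
"""Simulate a Samba 'passwd chat' exchange against a scripted passwd program.

Added example: approximates the behaviour smb.conf(5) documents for
'passwd chat'. Wildcard matching via fnmatch and case-insensitivity are
assumptions; the fake program below is constructed for the demonstration.
"""
import fnmatch
from typing import Callable, Generator, List, Optional, Tuple

ExpectSend = Tuple[Optional[str], Optional[str]]


def tokenize_chat(chat: str) -> List[str]:
    """Split the chat string on whitespace, keeping double-quoted groups
    together (quotes stripped). Backslashes are left untouched so that the
    two-character sequence \\n reaches expand_token() unchanged."""
    tokens: List[str] = []
    cur, in_quote = "", False
    for ch in chat:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def expand_token(token: str, new_password: str, old_password: str = "") -> str:
    """Expand the send-side escapes and macros documented for 'passwd chat'.
    Escapes are expanded before the macros so a password is never re-parsed."""
    out = token
    for esc, real in (("\\n", "\n"), ("\\r", "\r"), ("\\t", "\t"), ("\\s", " ")):
        out = out.replace(esc, real)
    return out.replace("%n", new_password).replace("%o", old_password)


def parse_chat(chat: str, new_password: str, old_password: str = "") -> List[ExpectSend]:
    """Turn the chat string into (expect, send) pairs; '.' becomes None
    (expect nothing / send nothing), and a trailing lone expect sends nothing."""
    tokens = tokenize_chat(chat)
    pairs: List[ExpectSend] = []
    for i in range(0, len(tokens), 2):
        expect = tokens[i]
        send = tokens[i + 1] if i + 1 < len(tokens) else "."
        pairs.append((None if expect == "." else expect,
                      None if send == "." else expand_token(send, new_password, old_password)))
    return pairs


def fake_passwd_program() -> Generator[str, str, None]:
    """Constructed stand-in for a passwd-like program: yields what it prints,
    receives what smbd writes to it. Mirrors the usual prompt / retype /
    result sequence of a password-changing tool."""
    first = yield "New UNIX password: "
    second = yield "Retype new UNIX password: "
    if first == second:
        yield "passwd: all authentication tokens updated successfully\n"
    else:
        yield "Sorry, passwords do not match.\n"


def run_chat(chat: str, new_password: str,
             program: Callable[[], Generator[str, str, None]] = fake_passwd_program
             ) -> Tuple[bool, List[str]]:
    """Drive the program through the chat. Returns (success, log), where the
    log resembles what 'passwd chat debug = yes' lets you reconstruct."""
    prog = program()
    out = next(prog)  # the program's first prompt
    log: List[str] = []
    for expect, send in parse_chat(chat, new_password):
        if expect is not None and not fnmatch.fnmatchcase(out.lower(), expect.lower()):
            log.append(f"FAIL: expected {expect!r}, program said {out!r}")
            return False, log
        log.append(f"ok: {expect!r} matched {out!r}")
        if send is not None:
            try:
                out = prog.send(send)
            except StopIteration:  # program exited before the chat finished
                out = ""
    return True, log


# Constructed chat strings (raw strings keep the \n escapes as smb.conf sees them).
GOOD_CHAT = r'"*New*UNIX*password*" %n\n "*Retype*new*UNIX*password*" %n\n "*successfully*"'
TYPO_CHAT = r'"*New*UNIX*password*" %n\n "*Retype*new*UNIX*password*" %n\n "*succesfully*"'

if __name__ == "__main__":
    for name, chat in (("GOOD_CHAT", GOOD_CHAT), ("TYPO_CHAT", TYPO_CHAT)):
        ok, log = run_chat(chat, "s3cret")
        print(f"{name}: {'success' if ok else 'failure'}")
        for line in log:
            print("   ", line)
```

Running the block shows GOOD_CHAT completing all three steps, while TYPO_CHAT fails at the last expect because the pattern `*succesfully*` is not a substring match for "updated successfully"; the same harness can be pointed at a generator that reproduces the real script's prompts to verify a chat string offline.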


