06-21-2010, 12:19 PM
Miguel Medalha

Synchronizing passwords

> Is 389DS able to compute sambaLMPassword and sambaNTPassword
> automatically when userPassword is updated? Is there any plugin? If
> not, which plugin is the best to take as base to do this?

There is a parameter in smb.conf:

"ldap passwd sync = Yes"

Doesn't it work for you?

Or maybe you are referring to

"ldap passwd sync = Only"


From the smb.conf man page:

-----------------------
ldap passwd sync (G)
This option is used to define whether or not Samba should sync the LDAP
password with the NT and LM hashes for normal accounts (NOT for
workstation, server or domain trusts) on a password change via SAMBA.

The ldap passwd sync can be set to one of three values:

Yes = Try to update the LDAP, NT and LM passwords and update the
pwdLastSet time.

No = Update NT and LM passwords and update the pwdLastSet time.

Only = Only update the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no
-----------------------

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
06-21-2010, 01:33 PM
Juan Asensio Sánchez

Synchronizing passwords

Emmm, well, this makes samba update userPassword when changing the
password from Windows. But if I change the password from Linux, samba
passwords are not updated, because linux machines are authenticating
directly with LDAP, not with Samba (just userPassword).


I have found this message (from 2006) about the same thing, but without
a concrete solution.

http://www.redhat.com/archives/fedora-directory-devel/2006-May/msg00000.html

Regards.




 
06-30-2010, 11:12 AM
Juan Asensio Sánchez

Synchronizing passwords

Hi

Although I think the best solution for this is that Samba only updates the Unix password, and the server dynamically generates the sambaLM and sambaNT passwords using a plugin (perhaps, in the future, we will contribute this plugin, but not right now), I have solved the problem described in my first message in this way, in the samba configuration:



    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
    passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"



So when a user tries to modify his password, Samba tries to call the "passwd program", and only if the command returns successfully (the "passwd chat" is ok) does it try to update the samba passwords, so the LDAP password policies are checked when calling the smbldap-passwd script, because it will fail if the password is not strong enough and the server rejects it.

I had to modify the script smbldap-passwd, because when the password is changed successfully, it didn't print anything, and "passwd chat" needs some string to check that the change has been successful (I had added "password changed" in the script after the LDAP operation when it is successful).



Hope this can help somebody.

Regards.


On 21 June 2010 15:46, Miguel Medalha <miguelmedalha@sapo.pt> wrote:

> > Emmm, well, this makes samba update userPassword when changing the password from Windows. But if I change the password from Linux, samba passwords are not updated, because linux machines are authenticating directly with LDAP, not with Samba (just userPassword).
>
> In that case, the LDAP server must be capable of updating the Samba passwords when the LDAP password is changed, which takes us back to your original question.
>
> Anyway, the smb.conf parameter to use for that would be:
>
> "ldap passwd sync = Only"
>
> ( update the LDAP password and let the LDAP server do the rest.)
>
> If the 389 server doesn't do the required operation, I suppose that by using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a shell script it will be easy to modify all passwords with a single command.
 
06-30-2010, 11:09 PM
Miguel Medalha

Synchronizing passwords

> I had to modify the script smbldap-passwd, because when the password
> is changed successfully, it didn't print anything, and "passwd chat"
> needs some string to check that the change has been successful (I had
> added "password changed" in the script after the LDAP operation when
> it is successful).

Would it be possible for you to detail the change you made to the
smbldap-passwd script?

Thank you.
 
07-11-2010, 03:52 PM
Maurizio Marini

Synchronizing passwords

On Thu, 01 Jul 2010 00:09:23 +0100
Miguel Medalha <miguelmedalha@sapo.pt> wrote:

>
> > I had to modify the script smbldap-passwd, because when the password
> > is changed successfully, it didn't print anything, and "passwd chat"
> > needs some string to check that the change has been successful (I had
> > added "password changed" in the script after the LDAP operation when
> > it is successful).
>
> Would it be possible for you to detail the change you made to the
> smbldap-passwd script?
>
> Thank you.

You don't need to do that.

man smb.conf

If the send string in any part of the chat sequence is a full stop ".", then
no string is sent. Similarly, if the expect string is a full stop then no
string is expected.

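The "passwd chat" behaviour discussed in the last three messages (a final expect string that a silent script never satisfies, and "." meaning that nothing is expected) can be reproduced with a small model. This Python is an added example, not Samba's code and not from the thread; it is a simplified model of the expect/send matching described in the smb.conf man page, and the program output lines, including the rejection text, are constructed.

```python
import re
import shlex

# passwd chat from the thread, and the same chat ending in "." (expect nothing).
THREAD_CHAT = r'"Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"'
DOT_CHAT = r'"Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n .'

# Constructed program output: the two prompts, then what follows the second send.
PROMPTS = ["Changing UNIX password for jdoe\nNew password: ", "Retype new password: "]
SILENT = PROMPTS + [""]                        # unmodified script prints nothing
PATCHED = PROMPTS + ["Password changed\n"]     # script with the added message
REJECTED = PROMPTS + ["password rejected\n"]   # constructed failure text

def parse_chat(chat):
    """Split a passwd chat value into (expect, send) pairs; send may be None."""
    # Expand \n escapes first; quoted strings keep the newline, bare ones lose it.
    tokens = shlex.split(chat.replace("\\n", "\n"))
    return list(zip(tokens[0::2], tokens[1::2] + [None]))

def matches(expect, text):
    """'*' matches any run of characters; '.' means nothing is expected."""
    if expect == ".":
        return True
    pattern = ".*".join(re.escape(part) for part in expect.split("*"))
    return re.fullmatch(pattern, text, re.DOTALL) is not None

def run_chat(chat, program_output, new_password):
    """program_output[i] is what the program prints before the i-th send."""
    sent = []
    for i, (expect, send) in enumerate(parse_chat(chat)):
        text = program_output[i] if i < len(program_output) else ""
        if not matches(expect, text):
            return False, sent          # chat fails, password change is abandoned
        if send not in (None, "."):
            sent.append(send.replace("%n", new_password))
    return True, sent

if __name__ == "__main__":
    for chat_name, chat in (("thread chat", THREAD_CHAT), ("chat ending in '.'", DOT_CHAT)):
        for run_name, run in (("silent", SILENT), ("patched", PATCHED), ("rejected", REJECTED)):
            print(f"{chat_name:20} {run_name:9} ok={run_chat(chat, run, 'N3w-pass')[0]}")
```

In this model a chat ending in "." accepts the rejected run as well, so with that setting the final output is no longer what separates an accepted password from a rejected one.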
 
