[389-users] LDAP to samba password synchronization

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
> >   
> >> Hello, all.  Several hours of googling and testing have not solved my
> >> problem.  We are using Directory Server as our authentication mechanism
> >> for as much as possible in our environment.  So far, we have integrated
> >> all our Linux servers, synchronized with AD, and are using it for
> >> Zimbra.
> >>
> >> We have just implemented a standalone SAMBA server and are having
> >> trouble synchronizing passwords.  I see plenty of examples of how to
> >> have changes made using smbpasswd passed to the posix password in LDAP.
> >> But that's not what we want.  We want users (some of whom use SAMBA and
> >> some of whom do not) to have a single place to change their password.
> >> The users are all KDE.  Changing their passwords in the KDE control
> >> module for security changes everything brilliantly EXCEPT SAMBA.
> >>
> >> How do we make password changes executed by the users or by the LDAP
> >> admin in idm-console propagate to the SAMBA password attributes? Thanks
> >> - John
> >>     
> > I forgot to mention, we did change pam as follows:
> >
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> > use_authtok
> > password    sufficient    pam_smbpass.so use_authtok
> > password    sufficient    pam_ldap.so use_authtok
> > password    required      pam_deny.so
> >
> > However, I would think this would affect password changes made only on
> > the SAMBA server itself and not changes made by users at their desktops
> > and reflected through to Linux.  We really need changes made in LDAP
> > from wherever they are made to affect the SAMBA password attributes in
> > Linux.  Is that possible? If so, how? Thanks - John
> >   
> freeIPA has a password plugin for 389 that syncs userPassword with the 
> samba password hashes and vice versa (and kerberos too).
I'm very interested in implementing freeIPA as it matures and as we have
some breathing room after our initial product rollout.  Is there any way
to do this without researching and deploying a new product? Anything
either built into 389 or PAM? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux