John A. Sullivan III wrote: > On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote: > >> John A. Sullivan III wrote: >> >>> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: >>> >>> >>>> Hello, all. Several hours of googling and testing have not solved my >>>> problem. We are using Directory Server as our authentication mechanism >>>> for as much as possible in our environment. So far, we have integrated >>>> all our Linux servers, synchronized with AD, and are using it for >>>> Zimbra. >>>> >>>> We have just implemented a standalone SAMBA server and are having >>>> trouble synchronizing passwords. I see plenty of examples of how to >>>> have changes made using smbpasswd passed to the posix password in LDAP. >>>> But that's not what we want. We want users (some of whom use SAMBA and >>>> some of whom do not) to have a single place to change their password. >>>> The users are all KDE. Changing their passwords in the KDE control >>>> module for security changes everything brilliantly EXCEPT SAMBA. >>>> >>>> How do we make password changes executed by the users or by the LDAP >>>> admin in idm-console propagate to the SAMBA password attributes? Thanks >>>> - John >>>> >>>> >>> I forgot to mention, we did change pam as follows: >>> >>> password requisite pam_cracklib.so try_first_pass retry=3 >>> password sufficient pam_unix.so md5 shadow nullok try_first_pass >>> use_authtok >>> password sufficient pam_smbpass.so use_authtok >>> password sufficient pam_ldap.so use_authtok >>> password required pam_deny.so >>> >>> However, I would think this would affect password changes made only on >>> the SAMBA server itself and not changes made by users at their desktops >>> and reflected through to Linux. We really need changes made in LDAP >>> from wherever they are made to affect the SAMBA password attributes in >>> Linux. Is that possible? If so, how? Thanks - John >>> >>> >> freeIPA has a password plugin for 389 that syncs userPassword with the >> samba password hashes and vice versa (and kerberos too). >> > I'm very interested in implementing freeIPA as it matures and as we have > some breathing room after our initial product rollout. Is there any way > to do this without researching and deploying a new product? Anything > either built into 389 or PAM? No, not afaik. > Thanks - John > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090513/439c1934/attachment.bin
