Hi,

Although I think the best solution for this is that Samba only updates the Unix password, and the server generates dynamically the sambaLM and sambaNT passwords using a plugin (perhaps, in the future, we will contribute with this plugin, but not right now), I have solved the problem described in my first message in this way, in the samba configuration:

* ldap passwd sync = No
* unix password sync = Yes
* passwd program = /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
* passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"

So when a user tries to modify his password, then Samba tries to call the "passwd program", and only if the command returns successfully (the "passwd chat" is ok), then it tries to update samba passwords, so the LDAP password policies are checked when calling the smbldap-passwd script, because it will fail if the password is not strong enough and the server rejects it.

I had to modify the script smbldap-passwd, because when the password is changed successfully, it didn't print anything, and "passwd chat" needs some string to check that the change has been successful (I had added "password changed" in the script after the ldap operation when it is successful).

Hope this can help somebody.

Regards.

On 21 June 2010 15:46, Miguel Medalha <miguelmedalha at sapo.pt> wrote:

>> Emmm, well, this makes samba update userPassword when changing the
>> password from Windows. But if I change the password from Linux, samba
>> passwords are not updated, because linux machines are authenticating directly
>> with LDAP, not with Samba (just userPassword).
>
> In that case, the LDAP server must be capable of updating the Samba
> passwords when the LDAP password is changed, which takes us back to your
> original question.
>
> Anyway, the smb.conf parameter to use for that would be:
>
> "ldap passwd sync = Only"
>
> (Only = Only update the LDAP password and let the LDAP server do the rest.)
>
> If the 389 server doesn't do the required operation, I suppose that by
> using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a
> shell script it will be easy to modify all passwords with a single command.
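
The "passwd chat" handshake described in the message above, as an added example that is not part of the original thread and is not Samba's code: a simplified model of the expect/send matching, showing why a password program that prints nothing on success fails the chat. The program outputs, the user name, the password and the case-insensitive full-string matching are assumptions of this model.

```python
import re

# The "passwd chat" value from the message above (raw strings keep \n literal).
PASSWD_CHAT = (r'"Changing UNIX password for*\nNew password*" %n\n '
               r'"*Retype new password*" %n\n "*Password changed*"')

def parse_chat(chat, new_password):
    """Split a chat string into (expect, send) pairs; a trailing expect gets send=None."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]
    # Expand \n before %n so the password itself is never escape-processed.
    tokens = [t.replace("\\n", "\n").replace("%n", new_password) for t in tokens]
    if len(tokens) % 2:
        tokens.append(None)
    return list(zip(tokens[0::2], tokens[1::2]))

def wild_match(pattern, text):
    """'*' matches any run of characters; the rest is literal (model assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text.strip(), re.DOTALL | re.IGNORECASE) is not None

def run_chat(chat, program_output, new_password):
    """Return (chat_ok, strings_sent). program_output[i] is what the password
    program prints before step i; a missing entry means it printed nothing."""
    sent = []
    for step, (expect, send) in enumerate(parse_chat(chat, new_password)):
        printed = program_output[step] if step < len(program_output) else ""
        if not wild_match(expect, printed):
            return False, sent  # chat failed: the Samba hashes are left untouched
        if send is not None:
            sent.append(send)
    return True, sent

# Constructed sample outputs of a password program (not captured from a real run).
PROMPTS = ["Changing UNIX password for alice\nNew password: ", "Retype new password: "]
PATCHED = PROMPTS + ["Password changed\n"]   # script prints a confirmation
SILENT = PROMPTS + [""]                      # script succeeds but prints nothing
REJECTED = PROMPTS + ["error: password rejected by server policy\n"]

if __name__ == "__main__":
    for name, output in (("patched", PATCHED), ("silent", SILENT), ("rejected", REJECTED)):
        ok, _ = run_chat(PASSWD_CHAT, output, "N3w-Secret!")
        print(f"{name:9s} chat ok: {ok}")
```

In the silent case both password lines have already been sent when the final expect fails, so the directory password may have changed even though the chat reports failure.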