Synchronizing passwords

Hi

Although I think the best solution for this is that Samba only updates the
Unix password, and the server generates dynamically the sambaLM and sambaNT
passwords using a plugin (perhaps, in the future, we will contribute with
these plugins, but not right now), I have solved the problem described in my
first message in this way, in the Samba configuration:

  * ldap passwd sync = No
  * unix password sync = Yes
  * passwd program = /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
  * passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"

So when a user tries to modify his password, Samba tries to call the
"passwd program", and only if the command returns successfully (the "passwd
chat" is OK) does it try to update the Samba passwords, so the LDAP password
policies are checked when calling the smbldap-passwd script, because it will
fail if the password is not strong enough and the server rejects it.

I had to modify the script smbldap-passwd, because when the password is
changed successfully, it didn't print anything, and "passwd chat" needs some
string to check that the change has been successful (I had added "password
changed" in the script after the LDAP operation when it is successful).

Hope this can help somebody.

Regards.


On 21 June 2010 15:46, Miguel Medalha <miguelmedalha at sapo.pt> wrote:

>> Emmm, well, this makes Samba update userPassword when changing the
>> password from Windows. But if I change the password from Linux, Samba
>> passwords are not updated, because Linux machines are authenticating directly
>> with LDAP, not with Samba (just userPassword).
>
> In that case, the LDAP server must be capable of updating the Samba
> passwords when the LDAP password is changed, which takes us back to your
> original question.
>
> Anyway, the smb.conf parameter to use for that would be:
>
> "ldap passwd sync = Only"
>
> (Only = Only update the LDAP password and let the LDAP server do the rest.)
>
>
> If the 389 server doesn't do the required operation, I suppose that by
> using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a
> shell script it will be easy to modify all passwords with a single command.
>
>
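
An added example, not part of the original message or of smbldap-tools: a minimal passwd program in POSIX sh that follows the passwd chat from the configuration above and prints "Password changed" only when the back end exits successfully. `backend_change` is a hypothetical hook, and its length check is a constructed stand-in for the directory server's password policy.

```shell
#!/bin/sh
# Added example: passwd program that follows the "passwd chat" shown above.

# Hypothetical hook: user name in $1, new password on stdin. It must exit
# non-zero when the directory server refuses the change. The length check
# below is a constructed stand-in for the server's password policy; replace
# it with the real LDAP call. Reading stdin keeps the password out of argv.
backend_change() {
    IFS= read -r pw || return 1
    [ "${#pw}" -ge 8 ]
}

# Emits the prompts the chat expects, in order, and reads Samba's answers.
chat_passwd() {
    user=$1
    printf 'Changing UNIX password for %s\n' "$user"
    printf 'New password: '
    IFS= read -r new1 || return 2
    printf '\nRetype new password: '
    IFS= read -r new2 || return 2
    printf '\n'
    if [ "$new1" != "$new2" ]; then
        printf 'Sorry, passwords do not match\n'
        return 3
    fi
    # The success string is printed only after the back end exits 0, so a
    # policy rejection never satisfies the final "*Password changed*" expect.
    if printf '%s\n' "$new1" | backend_change "$user"; then
        printf 'Password changed\n'
        return 0
    fi
    printf 'Change rejected by the directory server\n'
    return 1
}

# Run as the passwd program: script.sh <user>
if [ "$#" -gt 0 ]; then
    chat_passwd "$1"
    exit $?
fi
```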