Re: [389-users] Synchronizing passwords

Hi

Although I think the best solution for this is that Samba only update the Unix password, and the server generates dynamically the sambaLM and sambaNT passwords using a plugin (perhaps, in the future, we will contribute these plugins, but not right now), I have solved the problem described in my first message in this way, in the samba configuration:

  * ldap passwd sync = No
  * unix password sync = Yes
  * passwd program = /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
  * passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"

So when a user tries to modify his password, then Samba tries to call the "passwd program", and only if the command returns successfully (the "passwd chat" is ok), then it tries to update samba passwords, so the LDAP password policies are checked when calling the smbldap-passwd script, because it will fail if the password is not strong enough and the server rejects it.

I had to modify the script smbldap-passwd, because when the password is changed successfully, it didn't print anything, and "passwd chat" needs some string to check that the change has been successful (I added "password changed" in the script after the ldap operation when it is successful).

Hope this can help somebody.

Regards.
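The "passwd program" / "passwd chat" arrangement described above, written out as a small POSIX sh wrapper. This is an added example and not the smbldap-passwd script from the post: it prints exactly the prompts the "passwd chat" line waits for, and prints "Password changed" only when the directory accepted the new password, so a 389 password-policy rejection leaves Samba's hashes untouched. The LDAP_URI, BASE_DN, BIND_DN and BIND_PW_FILE values are placeholders, and the changer function can be swapped out for testing.

```shell
#!/bin/sh
# Added example (not the original post's smbldap-passwd): a "passwd program"
# that speaks the prompts expected by the "passwd chat" line and only prints
# "Password changed" when the directory accepted the change.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"          # placeholder
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"         # placeholder
BIND_DN="${BIND_DN:-cn=Directory Manager}"                # placeholder
BIND_PW_FILE="${BIND_PW_FILE:-/etc/samba/ldap-bind.pw}"   # placeholder, mode 0600

# Default changer: "$1" = uid, "$2" = file holding the new password.
# Only the exit status matters: a policy rejection (constraint violation)
# from 389 becomes a failed chat, and Samba keeps the old SMB hashes.
ldap_set_password() {
    ldappasswd -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -T "$2" "uid=$1,$BASE_DN" >/dev/null 2>&1
}

# Drive the chat on stdin/stdout. "$1" = uid, "$2" = changer function name
# (defaults to ldap_set_password; a stub can be passed for testing).
passwd_chat() {
    user=$1
    changer=${2:-ldap_set_password}
    printf 'Changing UNIX password for %s\n' "$user"
    printf 'New password: '
    IFS= read -r pw1 || return 1
    printf 'Retype new password: '
    IFS= read -r pw2 || return 1
    [ "$pw1" = "$pw2" ] || { echo 'Sorry, passwords do not match.'; return 1; }
    umask 077                        # the temp file must not be world-readable
    tmp=$(mktemp) || return 1
    printf '%s' "$pw1" > "$tmp"
    if "$changer" "$user" "$tmp"; then
        rm -f "$tmp"
        echo 'Password changed'      # the token the last chat step waits for
        return 0
    fi
    rm -f "$tmp"
    echo 'Password change failed (rejected by the directory)'
    return 1
}

# Invoked by Samba as: passwd program = /path/to/this.sh -u %u
case "${1:-}" in
    -u) passwd_chat "${2:?uid required}" ;;
esac
```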


On 21 June 2010 at 15:46, Miguel Medalha <miguelmedalha@xxxxxxx> wrote:

Emmm, well, this makes samba update userPassword when changing the password from Windows. But if I change the password from Linux, samba passwords are not updated, because linux machines are authenticating directly with LDAP, not with Samba (just userPassword).

In that case, the LDAP server must be capable of updating the Samba passwords when the LDAP password is changed, which takes us back to your original question.

Anyway, the smb.conf parameter to use for that would be:

"ldap passwd sync = Only"

(update the LDAP password and let the LDAP server do the rest.)


If the 389 server doesn't do the required operation, I suppose that by using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a shell script it will be easy to modify all passwords with a single command.


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
