Tim Tyler wrote:
> Samba experts,
> I am using Samba 3.0.8 on an AIX 5.1 system with ldap
> authentication. I have ldap working so that users can authenticate in
> their samba account via ldap. However, I am trying to figure out the
> best method for allowing users to change their ldap samba account
> password.
> What is the best method to allow end users to change their LM/NT
> passwords for Samba via LDAP?
> Should I be using smbpasswd? Or should I be using the smbldap-tools
> and use smbldap-passwd.pl? Or is there another option?
Hi, I wanted the same a month ago and, googling a little, I found a little
web-based PHP application which changed the "user password" attribute
of an LDAP server (phpLdapPasswd). And I thought, what the fuck, I use the
NT/LM passwords for Samba...
But looking into the code I saw that it's not difficult to access/modify
LDAP attributes with PHP, so I decided to make a patch to support
changing NT/LM passwords.
You can get the app in its version 0.5 at:
http://www.xenos.net/software/phpLdapPasswd/
You must have the mkntpwd program (search for it; I don't remember where I got
it) in order to produce the LM:NT hashes.
Apply the attached patch
(save the patch in the phpLdapPasswd directory and run: patch -p1 <
passwdSambaSupport.patch).
>
> Also, what do I need to set for privileges (ACL's) on the ldap server
> side to allow users to change their samba password (if any)?
In my /etc/ldap/slapd.conf the part related to the LM and NT passwords looks
like:

    access to attribute=sambaNTPassword
            by dn="cn=admin,dc=company,dc=cat"
            by anonymous auth
            by self write
            by * none
    access to attribute=sambaLMPassword
            by dn="cn=admin,dc=company,dc=cat"
            by anonymous auth
            by self write
            by * none

I have to note that when I put sambaNTPassword and sambaLMPassword
in the same ACL (as you) it didn't work for me...
Putting them separately works. I suppose I made a typing mistake that I
couldn't see.
>
> Any recommendations and hints about implementing it are much
> appreciated!
> thanks!
> Tim
Tell me if you have any problems; nowadays it's working OK for me.
Xavi
-------------- next part --------------
diff -Naur phpLdapPasswd-0.5/config.php
phpLdapPasswd-withSambaSupport-0.5/config.php
--- phpLdapPasswd-0.5/config.php 2004-08-26 17:48:22.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/config.php 2005-01-21 11:27:03.000000000
+0100
@@ -64,6 +64,22 @@
// default Debian Woody system!)
$ENCODING = MD5;
+// If you have SambaAccounts in your Ldap database you may want to have both
unix
+// and samba passwords syncronized. Set this to 1 if you want to do so.
Otherwise,
+// set it to 0..
+$SAMBASYNCRO = 0;
+
+// If you set SAMBASYNCRO to 1, you must have the mkntpwd aplication, which
makes
+// the necessary NTHashes to perform windows authentication. So here, put the
+// full mkntpwd file path (with the name of the file too).
+$MKNTPWD = "/usr/local/sbin/mkntpwd";
+
+// This two attributes is for making it more extensive. Depending on the samba
schema,
+// this two attributes are named different, so you may put them here. If you
don't know
+// what they are search in your samba.schema file.
+$SAMBANTATTR = "sambaNTPassword";
+$SAMBALMATTR = "sambaLMPassword";
+
// This should be set to the attribute for which to search when a login ID
// is entered. This attribute should have a unique value in the $LDAPBASEDN
// given.
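Review bot: the three comment blocks added in this hunk (`+// If you have SambaAccounts…`, `+// If you set SAMBASYNCRO…`, `+// This two attributes…`) carry spelling and grammar slips that will ship in the user-facing config file: "syncronized" should be "synchronized", "aplication" should be "application", "This two attributes is for making it more extensive" should read "These two attributes are here to make it more flexible", and "set it to 0.." should end with a single full stop. The $MKNTPWD comment should also say that the path must be absolute and the binary executable by the web server user, because the createSambaPasswords() function in functions.php aborts with fatal_error() when file_exists()/is_executable() fail on it.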
diff -Naur phpLdapPasswd-0.5/functions.php
phpLdapPasswd-withSambaSupport-0.5/functions.php
--- phpLdapPasswd-0.5/functions.php 2004-08-26 17:50:46.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/functions.php 2005-01-21
11:42:09.000000000 +0100
@@ -497,4 +497,37 @@
return $ds;
}
+
+// **************************************************************************
+// Function:
+//
+// Purpose: Update the Samba NT and LM Passwords
+//
+// Usage: createSambaPasswords($password)
+//
+// - $password: The password in plain text to encode
+//
+// Returns: an array of two positions -> sambaLMPassword and SambaNTPassword
+// **************************************************************************
+function createSambaPasswords($password) {
+ global $MKNTPWD;
+ global $SAMBANTATTR;
+ global $SAMBALMATTR;
+ $sambaPass = array("sambaLMPassword" => NULL,
+ "sambaNTPassword" => NULL);
+
+ if (!(@file_exists($MKNTPWD) && is_executable($MKNTPWD))) {
+ fatal_error("You don't have the mkntpwd program in the correct
path (look in config.php)
+ or it is not executable");
+ }
+ $sambaPassCommand = $MKNTPWD . " " . $password;
+ if($sambaPassCommandOutput = shell_exec($sambaPassCommand)) {
+ $sambaPass[$SAMBALMATTR] = trim(substr($sambaPassCommandOutput, 0,
strPos($sambaPassCommandOutput, ':')));
+ $sambaPass[$SAMBANTATTR] = trim(substr($sambaPassCommandOutput,
strPos($sambaPassCommandOutput, ':') +1));
+ }
+ else {
+ fatal_error("The mkntpwd has failed making the NTHashes for
Samba");
+ }
+ return $sambaPass;
+}
?>
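Review bot: `$sambaPassCommand = $MKNTPWD . " " . $password;` hands the user-chosen new password to shell_exec() unescaped, so any shell metacharacter in the password is interpreted as part of the command; at minimum wrap it with escapeshellarg($password), and note that even when escaped the plaintext is visible in the process list to every local user for as long as mkntpwd runs, so computing the hashes in-process would be preferable. Second, $sambaPass is initialised with the literal keys "sambaLMPassword"/"sambaNTPassword" but filled through $SAMBALMATTR/$SAMBANTATTR; when the configured attribute names differ from the literals the array keeps two extra NULL entries, which index.php then passes to ldap_mod_replace(), so initialise it with the configured names instead. Minor: the Function: line in the header comment is empty, and strPos should be written strpos, PHP's documented name.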
diff -Naur phpLdapPasswd-0.5/index.php
phpLdapPasswd-withSambaSupport-0.5/index.php
--- phpLdapPasswd-0.5/index.php 2004-08-26 17:49:50.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/index.php 2005-01-21 11:51:56.000000000
+0100
@@ -89,6 +89,14 @@
display_template($TEMPLATE_CHANGEPASS, "You gave an incorrect current
password");
}
+// Change the current sambaNTPassword and sambaLMPassword attributes
+if ($SAMBASYNCRO) {
+ $encodedSambaPass = createSambaPasswords($newpass);
+ if (!(@ldap_mod_replace($ds, $dn, $encodedSambaPass))) {
+ fatal_error("Unable to change SambaPasswords.");
+ }
+}
+
// Change the current password.
$encodedpass = encode_password($newpass, $ENCODING);
if (!(@ldap_mod_replace($ds, $dn, array('userpassword' =>
$encodedpass)))) {
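Review bot: the Samba hashes are written by their own ldap_mod_replace() before the userpassword update that follows at `$encodedpass = encode_password($newpass, $ENCODING);`, and fatal_error() aborts on the Samba failure, so a failure of either call leaves the entry with the Samba and Unix passwords out of step. Suggest merging the Samba attributes into the same ldap_mod_replace() call as userpassword (the array returned by createSambaPasswords() already has the shape ldap_mod_replace() takes) so the whole change is one LDAP modify operation and is applied or rejected as a unit, or at least naming the partially applied update in the error text. The comment "Change the current sambaNTPassword and sambaLMPassword attributes" also hard-codes names that actually come from $SAMBANTATTR/$SAMBALMATTR in config.php.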