Hello,
Just wondering what I should be using for the password change program on a BDC. Should it be:

passwd program = /usr/bin/smbpasswd -r <PDC address> %u

I'm having a problem with passwords not staying in sync between the PDC and BDC with passdb backend ldap.

The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23

Kent N
Hello,
How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and BerkeleyDB. Here is the smb.conf from one school that is a BDC:

[global]
workgroup = WarehamPS
encrypt passwords = Yes
time offset = 60
time server = Yes
# log level = 5
socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
username map = /etc/samba/smbusers
logon script = whs1.bat
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
netbios name = whs1
server string = Fedora Core 4 SAMBA server
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 50
add machine script = /usr/sbin/addmachine.sh "%u"
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = No
dns proxy = no
admin users = @domain_admins
wins support = no
wins server = 172.16.0.13
wins proxy = yes
local master = yes
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no

[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S

[netlogon]
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
comment = Netlogon share
locking = no
browseable = yes
valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
read only = yes
hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
write list = @domain_admins

[staff]
comment = Staff directory
path = /accounts/common
create mode = 0660
browseable = no
write list = @whsstaff
valid users = @whsstaff

[programs]
comment = Applications
path = /accounts/programs
browseable = no
create mode = 0660
write list = @whsstaff
valid users = @whsstaff

[cafeteria]
path = /accounts/cafeteria/data
browseable = no
valid users = @whs-cafe, dperry
force group = whs-cafe
create mode = 0660
directory mode = 0770

Here is the smb.conf for the PDC:

[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
local master = Yes
username map = /etc/samba/smbusers
netbios name = wms1
server string = Fedora Core 4 SAMBA Server
passdb backend = ldapsam:ldap://172.16.0.24
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 30
# add machine script = /usr/bin/smbpasswd -m %u
add machine script = /usr/sbin/addmachine.sh "%u"
logon script = wms1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 255
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no

[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
hide files = /.*/

[netlogon]
comment = Netlogon share
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
locking = no
browseable = no
read only = yes
write list = @domain_admins
hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/

[cafeteria]
path = /accounts/cafeteria/data
browseable = yes
valid users = @wms-cafe, dperry
force group = wms-cafe
create mode = 0660
directory mode = 0770

[staff]
path = /accounts/common
browseable = no
valid users = @wmsstaff
force group = wmsstaff
write list = @domain_admins, @wmsstaff
create mode = 0660
directory mode = 0770

[programs]
path = /accounts/programs
browseable = no
valid users = @wmsstaff, @techstaff
create mode = 0660

[tech]
path = /accounts/tech
browseable = no
valid users = @techstaff
force group = techstaff
write list = @techstaff
create mode = 0660
directory mode = 0770

The addmachine.sh script is my own version of an add machine script. All users, groups and computers have corresponding posix accounts in LDAP as well as Samba objectClass and attributes. I don't use any Windows utilities to manipulate user/group information in LDAP; I have my own set of routines tailored to our system that allows individual control of LDAP info, or we can batch add/delete accounts and user attributes by interactive shell scripts.

My question to the Samba community is still: should the password program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password out of sync problem.

Kent N.

Marcio Luciano Donada <mdonada@auroraalimentos.com.br> wrote:
> Hello, I am trying to configure the BDC. How are you adding them to your schema in the LDAP base? Can you supply your configuration (smb.conf) and smbldap.conf for me to analyze?
>
> thanks
>
> --
> Márcio Luciano Donada
> T.I. Aurora Alimentos Chapecó(SC)
> Cooperativa Central Oeste Catarinense
> mdonada at auroraalimentos dot com dot br
Hi there,
The best (only?) way to go is with a LDAP Master+slave architecture. All changes must be done at the LDAP Master server which automatically replicates them to all slave ldap servers.
So, yes, the BDC MUST talk to the PDC, or at least the master ldap server to change the password.

Best Regards.
Bruno Guerreiro

-----Original Message-----
From: kent [mailto:kent@mail.wareham.mec.edu]
Sent: Wednesday, 31 August 2005 11:15
To: mdonada@auroraalimentos.com.br; Samba
Subject: Re: [Samba] BDC and password change program
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
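Bruno's point is that a password change has to land on the master LDAP server, not on a BDC's local replica. The following is an added example (not code from the Samba project or from anyone in this thread) that reads an smb.conf, works out from "domain master" whether the host is the PDC or a BDC, and reports where its ldapsam backend would send writes. The three sample configs are constructed from the ones posted above; the master LDAP address is passed in by the caller. It also applies one fact from the smb.conf man page that the thread circles around: "passwd program" and "passwd chat" are only run when "unix password sync = yes", which neither posted config sets.

```python
"""Report where a Samba 3 domain controller sends password changes (added example)."""
import re
from urllib.parse import urlparse

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", ""}

# Constructed from the BDC config posted in the thread (global section trimmed).
BDC_CONF = r"""
[global]
   workgroup = WarehamPS
   security = user
   domain master = No
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap passwd sync = Yes
   passwd program = /usr/bin/smbpasswd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
[homes]
   path = %H
"""

# Constructed from the PDC config posted in the thread (global section trimmed).
PDC_CONF = r"""
[global]
   workgroup = WarehamPS
   domain master = Yes
   passdb backend = ldapsam:ldap://172.16.0.24
   ldap passwd sync = Yes
   passwd program = /usr/bin/smbpasswd %u
"""

# A BDC that lists both its local replica and the master (constructed variant).
BDC_TWO_URIS_CONF = r"""
[global]
   domain master = No
   passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
   ldap passwd sync = Yes
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and whitespace in parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")          # split on the first '=' only
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def ldap_uris(passdb_backend):
    """Extract URIs from 'ldapsam:ldap://a' or the quoted multi-URI form 'ldapsam:"ldap://a ldap://b"'."""
    backend, _, rest = passdb_backend.partition(":")
    if backend.strip().lower() != "ldapsam":
        return []
    return rest.strip().strip('"').split()


def is_true(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit(conf_text, master_ldap_host):
    """Return (role, [(code, message), ...]) for one smb.conf."""
    g = parse_smb_conf(conf_text).get("global", {})
    role = "PDC" if is_true(g.get("domainmaster", "no")) else "BDC"
    findings = []
    # passwd program / passwd chat are only invoked when unix password sync is enabled.
    if g.get("passwdprogram") and not is_true(g.get("unixpasswordsync", "no")):
        findings.append(("passwd_program_unused",
                         "passwd program is set but unix password sync is not enabled "
                         "(default no), so smbd never runs it"))
    hosts = [urlparse(u).hostname or "" for u in ldap_uris(g.get("passdbbackend", ""))]
    if role == "BDC" and hosts and all(h in LOCAL_HOSTS for h in hosts):
        findings.append(("bdc_local_replica_only",
                         "passdb backend names only the local LDAP replica; changes made "
                         "here are not sent to the master LDAP at %s" % master_ldap_host))
    return role, findings


if __name__ == "__main__":
    for name, conf in (("BDC", BDC_CONF), ("PDC", PDC_CONF), ("BDC+master", BDC_TWO_URIS_CONF)):
        role, findings = audit(conf, "172.16.0.24")
        print(name, role, [code for code, _ in findings])
```

Run it against a real file with `audit(open("/etc/samba/smb.conf").read(), "172.16.0.24")`; the codes are meant to be grepped from a cron job rather than read by eye.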
Have you used the -r option for smbpasswd to connect to the PDC in smb.conf? Just wondering what the password chat would be. I can test it out and see what works.

Kent N

Bruno Guerreiro <bruno.guerreiro@ine.pt> wrote:
> Hi there,
> The best (only?) way to go is with a LDAP Master+slave architecture.
> All changes must be done at the LDAP Master server which automatically
> replicates them to all slave ldap servers.
> So, yes, the BDC MUST talk to the PDC, or at least the master ldap server to
> change the password.
>
> Best Regards.
> Bruno Guerreiro
I'm using smbldap-tools, so I don't use smbpasswd directly.
In the command line...

[root@slavedc root]# smbpasswd -r masterdc -U test.user
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user test.user on masterdc.
[root@slavedc root]#

It asks for the old password. Although I'm root at slavedc, I may not be at masterdc, therefore the need to provide the old password.
Can you pass the old value to smbpasswd in smb.conf?
Ever tried smbldap-tools ( http://www.idealx.org/prj/samba/index.en.html )?

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: kent [mailto:kent@mail.wareham.mec.edu]
Sent: Wednesday, 31 August 2005 12:41
To: bruno.guerreiro@ine.pt; Samba
Subject: RE: [Samba] BDC and password change program

Have you used the -r option for smbpasswd to connect to the PDC in smb.conf? Just wondering what the password chat would be. I can test it out and see what works.

Kent N
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I think simply that with the parameter ldap passwd sync, the passwd chat is not called. The only question that I ask to me is : why changing a passwd on a BDC ? A BDC is a backup DC, if the PDC is down, a BDC can provide authentification. But, you can modifiy the smb.conf of BDC to passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24" kent a ?crit :> Hi, Thanks for getting back to me so fast. > > > Stéphane_Purnelle <stephane.purnelle@tiscali.be> wrote: > >> The LDAP server in 172.16.0.24 is the master ldap server, but on > smb.conf of BDC, the ldap server is on localhost. If the IP adresse > of BDC is 172.16.0.24, you must have no problem. Now, if different, > you must configure ldap for replication. Because changing password > on the PDC is not replicated to BDC. > >> PDC: 172.16.0.13 However the master ldap server is on >> 172.16.0.24. We use LDAP for mail authentication as well as >> OpenGoupware etc. There is no local copy > of LDAP >> directory on the PDC. Everthing including the operating system > points to >> 172.16.0.24. > >> All of the BDCs have replicas. I realize that authentication to a >> > BDC on a >> subnet uses the pass backend which in all of my BDCs is >> localhost. > My problem >> with the BDCs is the password program that I believe is changing > the LDAP >> replica on the BDC and not the PDC. So I end up with a password > mismatch. > >> If I disable the password chat on all BDCs will password chat be > passed on to >> the PDC? > >> Thank you for your help. > >> Kent N > > The BDC not verify password with the PDC, but with the passwd > backend only. You can disable these lines : passwd program > /usr/bin/smbpasswd %u passwd chat = *Enter\snew\sUNIX\spassword:* > %n\n*Retype\snew\sUnix\spassword:* %n\n > > On BDC > > kent a ?crit : > >> Have you used the -r option for smbpasswd to connect to the PDC >> in smb.conf? Just wondering what the password chat would be. 
>>> I can test it out and see what works.
>>>
>>> Kent N
>>>
>>> Bruno Guerreiro <bruno.guerreiro@ine.pt> wrote:
>>>
>>>> Hi there,
>>>>
>>>> The best (only?) way to go is with an LDAP master+slave architecture.
>>>> All changes must be done at the LDAP master server, which
>>>> automatically replicates them to all slave LDAP servers. So, yes, the
>>>> BDC MUST talk to the PDC, or at least to the master LDAP server, to
>>>> change the password.
>>>>
>>>> Best regards,
>>>> Bruno Guerreiro
>>>>
>>>> -----Original Message-----
>>>> From: kent [mailto:kent@mail.wareham.mec.edu]
>>>> Sent: Wednesday, 31 August 2005 11:15
>>>> To: mdonada@auroraalimentos.com.br; Samba
>>>> Subject: Re: [Samba] BDC and password change program
>>>>
>>>> Hello,
>>>>
>>>> How are you doing? I just switched this summer from RedHat 8.0 with
>>>> compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4
>>>> with precompiled Samba, OpenLDAP and Berkeley DB. Here is the smb.conf
>>>> from one school that is a BDC:
>>>>
>>>>     [global]
>>>>     workgroup = WarehamPS
>>>>     encrypt passwords = Yes
>>>>     time offset = 60
>>>>     time server = Yes
>>>>     # log level = 5
>>>>     socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>     security = user
>>>>     username map = /etc/samba/smbusers
>>>>     logon script = whs1.bat
>>>>     writable = Yes
>>>>     interfaces = eth0 eth1
>>>>     directory mask = 02770
>>>>     preferred master = yes
>>>>     netbios name = whs1
>>>>     server string = Fedora Core 4 SAMBA server
>>>>     passdb backend = ldapsam:ldap://127.0.0.1
>>>>     ldap passwd sync = Yes
>>>>     machine password timeout = 604800
>>>>     passwd program = /usr/bin/smbpasswd %u
>>>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>>     log file = /var/log/samba/%m.log
>>>>     debug level = 2
>>>>     max log size = 50
>>>>     add machine script = /usr/sbin/addmachine.sh "%u"
>>>>     logon path =
>>>>     logon drive = H:
>>>>     logon home =
>>>>     domain logons = Yes
>>>>     os level = 64
>>>>     domain master = No
>>>>     dns proxy = no
>>>>     admin users = @domain_admins
>>>>     wins support = no
>>>>     wins server = 172.16.0.13
>>>>     wins proxy = yes
>>>>     local master = yes
>>>>     name resolve order = hosts wins bcast
>>>>     ldap suffix = dc=tow,dc=net
>>>>     ldap machine suffix = ou=Computers
>>>>     ldap user suffix = ou=Users
>>>>     ldap group suffix = ou=Groups
>>>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>>>     ldap ssl = no
>>>>
>>>>     [homes]
>>>>     comment = Home Directories
>>>>     read only = no
>>>>     browseable = no
>>>>     writable = yes
>>>>     path = %H
>>>>     # valid users = %S
>>>>
>>>>     [netlogon]
>>>>     root preexec = /accounts/netlogon/prelogon.pl %U
>>>>     path = /accounts/netlogon
>>>>     comment = Netlogon share
>>>>     locking = no
>>>>     browseable = yes
>>>>     valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>>>     read only = yes
>>>>     hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>>>     write list = @domain_admins
>>>>
>>>>     [staff]
>>>>     comment = Staff directory
>>>>     path = /accounts/common
>>>>     create mode = 0660
>>>>     browseable = no
>>>>     write list = @whsstaff
>>>>     valid users = @whsstaff
>>>>
>>>>     [programs]
>>>>     comment = Applications
>>>>     path = /accounts/programs
>>>>     browseable = no
>>>>     create mode = 0660
>>>>     write list = @whsstaff
>>>>     valid users = @whsstaff
>>>>
>>>>     [cafeteria]
>>>>     path = /accounts/cafeteria/data
>>>>     browseable = no
>>>>     valid users = @whs-cafe, dperry
>>>>     force group = whs-cafe
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>> Here is the smb.conf for the PDC:
>>>>
>>>>     [global]
>>>>     workgroup = WarehamPS
>>>>     encrypt passwords = Yes
>>>>     time server = Yes
>>>>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>     security = user
>>>>     writable = Yes
>>>>     interfaces = eth0 eth1
>>>>     directory mask = 02770
>>>>     preferred master = yes
>>>>     local master = Yes
>>>>     username map = /etc/samba/smbusers
>>>>     netbios name = wms1
>>>>     server string = Fedora Core 4 SAMBA Server
>>>>     passdb backend = ldapsam:ldap://172.16.0.24
>>>>     ldap passwd sync = Yes
>>>>     machine password timeout = 604800
>>>>     passwd program = /usr/bin/smbpasswd %u
>>>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>>     log file = /var/log/samba/%m.log
>>>>     debug level = 2
>>>>     max log size = 30
>>>>     # add machine script = /usr/bin/smbpasswd -m %u
>>>>     add machine script = /usr/sbin/addmachine.sh "%u"
>>>>     logon script = wms1.bat
>>>>     logon path =
>>>>     logon drive = H:
>>>>     logon home =
>>>>     domain logons = Yes
>>>>     os level = 255
>>>>     domain master = Yes
>>>>     dns proxy = Yes
>>>>     admin users = @domain_admins
>>>>     wins support = Yes
>>>>     remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>>>     name resolve order = hosts wins bcast
>>>>     ldap suffix = dc=tow,dc=net
>>>>     ldap machine suffix = ou=Computers
>>>>     ldap user suffix = ou=Users
>>>>     ldap group suffix = ou=Groups
>>>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>>>     ldap ssl = no
>>>>
>>>>     [homes]
>>>>     comment = Home Directories
>>>>     read only = no
>>>>     browseable = no
>>>>     writable = yes
>>>>     path = %H
>>>>     hide files = /.*/
>>>>
>>>>     [netlogon]
>>>>     comment = Netlogon share
>>>>     root preexec = /accounts/netlogon/prelogon.pl %U
>>>>     path = /accounts/netlogon
>>>>     valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>>>     locking = no
>>>>     browseable = no
>>>>     read only = yes
>>>>     write list = @domain_admins
>>>>     hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>>>>
>>>>     [cafeteria]
>>>>     path = /accounts/cafeteria/data
>>>>     browseable = yes
>>>>     valid users = @wms-cafe, dperry
>>>>     force group = wms-cafe
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>>     [staff]
>>>>     path = /accounts/common
>>>>     browseable = no
>>>>     valid users = @wmsstaff
>>>>     force group = wmsstaff
>>>>     write list = @domain_admins, @wmsstaff
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>>     [programs]
>>>>     path = /accounts/programs
>>>>     browseable = no
>>>>     valid users = @wmsstaff, @techstaff
>>>>     create mode = 0660
>>>>
>>>>     [tech]
>>>>     path = /accounts/tech
>>>>     browseable = no
>>>>     valid users = @techstaff
>>>>     force group = techstaff
>>>>     write list = @techstaff
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>> The addmachine.sh script is my own version of an add machine script.
>>>> All users, groups and computers have corresponding POSIX accounts in
>>>> LDAP as well as the Samba objectClass and attributes. I don't use any
>>>> Windows utilities to manipulate user and group information in LDAP; I
>>>> have my own set of routines tailored to our system that allows
>>>> individual control of LDAP info, or we can batch add/delete accounts
>>>> and user attributes with interactive shell scripts.
>>>>
>>>> My question to the Samba community is still: should the password
>>>> program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm
>>>> having a little password-out-of-sync problem.
>>>>
>>>> Kent N.
>>>>
>>>> Marcio Luciano Donada <mdonada@auroraalimentos.com.br> wrote:
>>>>
>>>>> kent wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Just wondering what I should be using for the password change
>>>>>> program on a BDC. Should it be:
>>>>>>
>>>>>>     passwd program = /usr/bin/smbpasswd -r <PDC address> %u
>>>>>>
>>>>>> I'm having a problem with passwords not staying in sync between the
>>>>>> PDC and BDC with passdb backend ldap.
>>>>>>
>>>>>> The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
>>>>>>
>>>>>> Kent N
>>>>>
>>>>> Hello, I am trying to configure the BDC. How are you adding them to
>>>>> your schema in the LDAP base? Could you send me your configs
>>>>> (smb.conf and smbldap.conf) so I can have a look at them?
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Márcio Luciano Donada
>>>>> T.I. Aurora Alimentos Chapecó (SC)
>>>>> Cooperativa Central Oeste Catarinense
>>>>> mdonada at auroraalimentos dot com dot br

--
Stéphane Purnelle <stephane.purnelle@tiscali.be>
Web site: http://www.linuxplusvalue.be
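The replies above, collected into one smb.conf fragment. This is an added example, not a configuration any poster supplied: the first [global] is the BDC as posted (abridged to the lines that matter), the second is how I would write it after Stéphane's and Bruno's replies. Assumptions, none of them stated in the thread: 172.16.0.24 is the only writable LDAP server and the slapd on each BDC is a read-only replica; that slapd has TLS configured, which "ldap ssl = start tls" needs; and the "ldap admin dn" password has been stored in secrets.tdb with "smbpasswd -w". Listing the master first in the failover list is my ordering, following Bruno's point that writes must reach the master; Stéphane's suggestion lists localhost first.

```ini
# --- BDC [global] as posted (abridged) -------------------------------------
# Reads and password writes both go to whatever answers on 127.0.0.1, i.e. the
# local replica, so a change made through this BDC never reaches 172.16.0.24.
[global]
    passdb backend   = ldapsam:ldap://127.0.0.1
    ldap passwd sync = Yes
    # Only invoked when "unix password sync = yes", which this file never
    # sets, so these two lines were never run and can simply go.
    passwd program   = /usr/bin/smbpasswd %u
    passwd chat      = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
    ldap admin dn    = cn=admin,dc=tow,dc=net
    # Fine while the bind stays on loopback; not once it crosses the LAN.
    ldap ssl         = no

# --- BDC [global] after the replies (added example) ------------------------
# Master first: in normal operation the BDC talks to 172.16.0.24 for reads and
# writes; the local replica is only a fallback while the master is unreachable.
# The admin-DN bind now leaves the host, so it is wrapped in TLS.
[global]
    passdb backend   = ldapsam:"ldap://172.16.0.24 ldap://127.0.0.1"
    ldap passwd sync = Yes
    ldap admin dn    = cn=admin,dc=tow,dc=net
    ldap ssl         = start tls
```

Two checks worth doing on each BDC. First, the replica's slapd.conf should carry "updateref ldap://172.16.0.24" so that a write which arrives while the BDC is in fallback is answered with a referral rather than applied to the replica; whether the client then follows that referral is a separate question, so treat the fallback window as a time when password changes may fail, not as a time when they silently succeed. Second, after the change, compare the password attributes on the master and on the replica for a test account, which is what the next example automates.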
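Kent's symptom is a user whose NT hash on the BDC's replica no longer matches the master. The script below, an added example that is not code from the Samba project or from any poster, parses two LDIF dumps and reports which password-related attributes differ per entry. It assumes you have already produced the dumps with something like "ldapsearch -x -LLL -H ldap://172.16.0.24 -D cn=admin,dc=tow,dc=net -W -b ou=Users,dc=tow,dc=net '(objectClass=sambaSamAccount)' uid sambaNTPassword sambaLMPassword sambaPwdLastSet userPassword > master.ldif" and the same against ldap://127.0.0.1 on the BDC into replica.ldif; the DNs and addresses are the thread's, the two embedded LDIF strings are constructed sample data standing in for those files, and the hashes in them are well-known test values, not anyone's real password.

```python
"""Report Samba password attributes that differ between an LDAP master and a replica.

Added example for the mailing-list thread above; not Samba project code. Run with
two LDIF files (master first) or with no arguments to use the constructed samples.
"""
import base64
import hashlib
import sys
from typing import Dict, List

# Attributes that must agree on every server, or logons and password ages diverge.
PASSWORD_ATTRS = ("sambaNTPassword", "sambaLMPassword", "sambaPwdLastSet", "userPassword")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: {dn: {attribute: [values]}}.

    Handles folded lines (continuations start with one space), base64 values
    ("attr:: ..."), comments and the "version:" header. DNs are lower-cased so
    servers differing only in DN case compare equal; non-UTF-8 binary values are
    replaced by a SHA-256 digest so they remain comparable and printable.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    current_dn, current = None, {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current_dn is not None:
                entries[current_dn] = current
                current_dn, current = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
            try:
                value = decoded.decode("utf-8")
            except UnicodeDecodeError:
                value = "sha256:" + hashlib.sha256(decoded).hexdigest()
        else:
            value = value.strip()
        if name == "dn":
            current_dn, current = value.lower(), {}
        elif current_dn is not None:
            current.setdefault(name, []).append(value)
    return entries


def password_drift(master_ldif: str, replica_ldif: str) -> Dict[str, List[str]]:
    """{dn: [attributes that differ]} for every entry present on the master.

    An entry the replica lacks entirely is reported as ["<missing>"]; an attribute
    present on one side only counts as drift. Entries that exist only on the
    replica (writes that landed there) are not this check's job.
    """
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    drift: Dict[str, List[str]] = {}
    for dn, m_attrs in master.items():
        r_attrs = replica.get(dn)
        if r_attrs is None:
            drift[dn] = ["<missing>"]
            continue
        differing = [a for a in PASSWORD_ATTRS
                     if sorted(m_attrs.get(a, [])) != sorted(r_attrs.get(a, []))]
        if differing:
            drift[dn] = differing
    return drift


# Constructed sample dumps. The replica still holds kent's old hash and timestamp,
# folds dperry's hash across two lines (must still compare equal), and never
# received navinstall at all.
_SSHA = base64.b64encode(b"{SSHA}constructed-sample-hash").decode()

MASTER_LDIF = f"""\
dn: uid=kent,ou=Users,dc=tow,dc=net
uid: kent
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaPwdLastSet: 1125480000
userPassword:: {_SSHA}

dn: uid=dperry,ou=Users,dc=tow,dc=net
uid: dperry
sambaNTPassword: 31D6CFE0D16AE931B73C59D7E0C089C0
sambaPwdLastSet: 1125400000

dn: uid=navinstall,ou=Users,dc=tow,dc=net
uid: navinstall
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
"""

REPLICA_LDIF = f"""\
dn: uid=kent,ou=users,dc=tow,dc=net
uid: kent
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaPwdLastSet: 1120000000
userPassword:: {_SSHA}

dn: uid=dperry,ou=Users,dc=tow,dc=net
uid: dperry
sambaNTPassword: 31D6CFE0D16AE931
 B73C59D7E0C089C0
sambaPwdLastSet: 1125400000
"""


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as m, open(argv[2]) as r:
            drift = password_drift(m.read(), r.read())
    else:
        drift = password_drift(MASTER_LDIF, REPLICA_LDIF)
    for dn, attrs in sorted(drift.items()):
        print(f"{dn}: {', '.join(attrs)}")
    return 1 if drift else 0          # non-zero exit lets cron or a monitor alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron on each BDC against fresh dumps and alert on a non-zero exit; a "sambaPwdLastSet" mismatch with an equal hash usually means a change was applied twice, while a differing hash with the master's timestamp older than the replica's means the write landed on the replica, which is exactly the failure the thread describes.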