Hi,

I have an existing OpenLDAP directory that I want to use as the backend for a Samba 3 instance. I do not want, for now, to make Samba a Domain Controller, but only to define in it some shares accessible by users on LDAP.
I have imported the samba schema in my slapd.conf, and I have inserted in my smb.conf all the directives for connecting to an LDAP server:

passdb backend = ldapsam:ldaps://slap1.xxxx.xx
ldap suffix = dc=xxxx,dc=xx
ldap admin dn = "cn=admin,dc=xxxx,dc=xx"
ldap delete dn = No
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap password sync = yes

I have defined the admin password with the smbpasswd utility, and everything is working.
If I want an LDAP user to use Samba, I have to use the smbpasswd utility again to add him to the Samba users and define a new password that will be stored in the LDAP attribute SambaNTPassword (and the new password overwrites the LDAP userPassword, thanks to the "ldap password sync = yes" directive in smb.conf).
If I want to permit a user to change his LDAP userPassword and align it with the SambaNTPassword, I have seen that I can do it by using the smbk5pwd overlay and the pam_password exop.
But I do not know a method for using the existing LDAP userPassword for Samba authentication: I do not want all the users to have to redefine their passwords.
Does someone know a way of doing that?
Thank you in advance
What does your getent passwd show?
What does your getent group show?
Can your ldap-user log in to your linux/unix box?
Is your linux-box auth set to your ldap-server?
Do you have something like this in your slapd.conf?:
access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by self write
    by dn="cn=youradmin,dc=xxx,dc=xxx" write
    by * none

access to attrs=sambaLMPassword
    by self write
    by anonymous auth
    by dn="cn=youradmin,dc=xxx,dc=xxxx" write
    by * none

access to attrs=sambaNTPassword
    by self write
    by anonymous auth
    by dn="cn=youradmin,dc=xxx,dc=xxxx" write
    by * none

access to attrs=sambaPwdLastSet,sambaPwdMustChange
    by self write
    by anonymous auth
    by dn="cn=youradmin,dc=xxx,dc=xxxx" write
    by * none

access to *
    by dn="cn=youradmin,dc=xxx,dc=xxxx" write
    by users read
    by self write
    by * read
-----------------------------------------------
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Francesco Storti
Sent: Thursday, 13 October 2011 12:46
To: samba at lists.samba.org
Subject: [Samba] Samba, OpenLDAP and Passwords
The "getent passwd" and "getent group" commands return respectively the users and groups of my LDAP directory.
LDAP users can log in to all the Linux boxes that have been configured to use LDAP as backend (as specified via PAM and NSS).
In my slapd.conf the ACLs that you specified are not present, because I am working on a test environment, and the admin specified in the smb.conf is the rootdn of the LDAP directory (who can do anything on everything).
Thank you again

2011/10/13 Daniel Müller <mueller at tropenklinik.de>
From: Francesco Storti <francesco.storti at gmail.com>
Date: Thu, 13 Oct 2011 12:46:13 +0200
(snip)
> If I want to permit that a user can change his LDAP userPassword and align
> it to the SambaNTPassword, I have seen that I can do it by using the
> smbk5pwd overlay and pam_password exop.
> But I do not know a method for using the existing LDAP userPassword for
> Samba authentication: I do not want that all the users have to redefine
> their passwords.
> Someone of you knows a way for doing that?

It's impossible, just as Samba cannot use the password information in /etc/passwd, because the password encryption methods used by Windows and Unix are completely different.
One exception is that Samba can still use /etc/passwd with "encrypt passwords = no", which means using plaintext passwords between Windows and Samba.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>