John A. Sullivan III
2009-May-13 19:06 UTC
[389-users] LDAP to samba password synchronization
Hello, all. Several hours of googling and testing have not solved my problem. We are using Directory Server as our authentication mechanism for as much as possible in our environment. So far, we have integrated all our Linux servers, synchronized with AD, and are using it for Zimbra.

We have just implemented a standalone SAMBA server and are having trouble synchronizing passwords. I see plenty of examples of how to have changes made using smbpasswd passed to the posix password in LDAP. But that's not what we want. We want users (some of whom use SAMBA and some of whom do not) to have a single place to change their password. The users are all KDE. Changing their passwords in the KDE control module for security changes everything brilliantly EXCEPT SAMBA.

How do we make password changes executed by the users or by the LDAP admin in idm-console propagate to the SAMBA password attributes? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
John A. Sullivan III
2009-May-13 19:13 UTC
Re: [389-users] LDAP to samba password synchronization
On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
> Hello, all. Several hours of googling and testing have not solved my
> problem. We are using Directory Server as our authentication mechanism
> for as much as possible in our environment. So far, we have integrated
> all our Linux servers, synchronized with AD, and are using it for
> Zimbra.
>
> We have just implemented a standalone SAMBA server and are having
> trouble synchronizing passwords. I see plenty of examples of how to
> have changes made using smbpasswd passed to the posix password in LDAP.
> But that's not what we want. We want users (some of whom use SAMBA and
> some of whom do not) to have a single place to change their password.
> The users are all KDE. Changing their passwords in the KDE control
> module for security changes everything brilliantly EXCEPT SAMBA.
>
> How do we make password changes executed by the users or by the LDAP
> admin in idm-console propagate to the SAMBA password attributes? Thanks
> - John

I forgot to mention, we did change pam as follows:

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_smbpass.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

However, I would think this would affect password changes made only on the SAMBA server itself and not changes made by users at their desktops and reflected through to Linux. We really need changes made in LDAP from wherever they are made to affect the SAMBA password attributes in Linux. Is that possible? If so, how? Thanks - John
Rich Megginson
2009-May-13 19:37 UTC
Re: [389-users] LDAP to samba password synchronization
John A. Sullivan III wrote:
> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
>
>> Hello, all. Several hours of googling and testing have not solved my
>> problem. We are using Directory Server as our authentication mechanism
>> for as much as possible in our environment. So far, we have integrated
>> all our Linux servers, synchronized with AD, and are using it for
>> Zimbra.
>>
>> We have just implemented a standalone SAMBA server and are having
>> trouble synchronizing passwords. I see plenty of examples of how to
>> have changes made using smbpasswd passed to the posix password in LDAP.
>> But that's not what we want. We want users (some of whom use SAMBA and
>> some of whom do not) to have a single place to change their password.
>> The users are all KDE. Changing their passwords in the KDE control
>> module for security changes everything brilliantly EXCEPT SAMBA.
>>
>> How do we make password changes executed by the users or by the LDAP
>> admin in idm-console propagate to the SAMBA password attributes? Thanks
>> - John
>>
> I forgot to mention, we did change pam as follows:
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_smbpass.so use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> However, I would think this would affect password changes made only on
> the SAMBA server itself and not changes made by users at their desktops
> and reflected through to Linux. We really need changes made in LDAP
> from wherever they are made to affect the SAMBA password attributes in
> Linux. Is that possible? If so, how? Thanks - John
>
freeIPA has a password plugin for 389 that syncs userPassword with the samba password hashes and vice versa (and kerberos too).
John A. Sullivan III
2009-May-13 19:47 UTC
Re: [389-users] LDAP to samba password synchronization
On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
> >
> >> Hello, all. Several hours of googling and testing have not solved my
> >> problem. We are using Directory Server as our authentication mechanism
> >> for as much as possible in our environment. So far, we have integrated
> >> all our Linux servers, synchronized with AD, and are using it for
> >> Zimbra.
> >>
> >> We have just implemented a standalone SAMBA server and are having
> >> trouble synchronizing passwords. I see plenty of examples of how to
> >> have changes made using smbpasswd passed to the posix password in LDAP.
> >> But that's not what we want. We want users (some of whom use SAMBA and
> >> some of whom do not) to have a single place to change their password.
> >> The users are all KDE. Changing their passwords in the KDE control
> >> module for security changes everything brilliantly EXCEPT SAMBA.
> >>
> >> How do we make password changes executed by the users or by the LDAP
> >> admin in idm-console propagate to the SAMBA password attributes? Thanks
> >> - John
> >>
> > I forgot to mention, we did change pam as follows:
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass
> > use_authtok
> > password sufficient pam_smbpass.so use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > However, I would think this would affect password changes made only on
> > the SAMBA server itself and not changes made by users at their desktops
> > and reflected through to Linux. We really need changes made in LDAP
> > from wherever they are made to affect the SAMBA password attributes in
> > Linux. Is that possible? If so, how? Thanks - John
> >
> freeIPA has a password plugin for 389 that syncs userPassword with the
> samba password hashes and vice versa (and kerberos too).

I'm very interested in implementing freeIPA as it matures and as we have some breathing room after our initial product rollout. Is there any way to do this without researching and deploying a new product? Anything either built into 389 or PAM? Thanks - John
Rich Megginson
2009-May-13 19:50 UTC
Re: [389-users] LDAP to samba password synchronization
John A. Sullivan III wrote:
> On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote:
>
>> John A. Sullivan III wrote:
>>
>>> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
>>>
>>>> Hello, all. Several hours of googling and testing have not solved my
>>>> problem. We are using Directory Server as our authentication mechanism
>>>> for as much as possible in our environment. So far, we have integrated
>>>> all our Linux servers, synchronized with AD, and are using it for
>>>> Zimbra.
>>>>
>>>> We have just implemented a standalone SAMBA server and are having
>>>> trouble synchronizing passwords. I see plenty of examples of how to
>>>> have changes made using smbpasswd passed to the posix password in LDAP.
>>>> But that's not what we want. We want users (some of whom use SAMBA and
>>>> some of whom do not) to have a single place to change their password.
>>>> The users are all KDE. Changing their passwords in the KDE control
>>>> module for security changes everything brilliantly EXCEPT SAMBA.
>>>>
>>>> How do we make password changes executed by the users or by the LDAP
>>>> admin in idm-console propagate to the SAMBA password attributes? Thanks
>>>> - John
>>>>
>>> I forgot to mention, we did change pam as follows:
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password sufficient pam_smbpass.so use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> However, I would think this would affect password changes made only on
>>> the SAMBA server itself and not changes made by users at their desktops
>>> and reflected through to Linux. We really need changes made in LDAP
>>> from wherever they are made to affect the SAMBA password attributes in
>>> Linux. Is that possible? If so, how? Thanks - John
>>>
>> freeIPA has a password plugin for 389 that syncs userPassword with the
>> samba password hashes and vice versa (and kerberos too).
>>
> I'm very interested in implementing freeIPA as it matures and as we have
> some breathing room after our initial product rollout. Is there any way
> to do this without researching and deploying a new product? Anything
> either built into 389 or PAM?
No, not afaik.
> Thanks - John
>
On Wed, May 13, 2009 at 9:13 PM, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote:
> > Hello, all. Several hours of googling and testing have not solved my
> > problem. We are using Directory Server as our authentication mechanism
> > for as much as possible in our environment. So far, we have integrated
> > all our Linux servers, synchronized with AD, and are using it for
> > Zimbra.
> >
> > We have just implemented a standalone SAMBA server and are having
> > trouble synchronizing passwords. I see plenty of examples of how to
> > have changes made using smbpasswd passed to the posix password in LDAP.
> > But that's not what we want. We want users (some of whom use SAMBA and
> > some of whom do not) to have a single place to change their password.
> > The users are all KDE. Changing their passwords in the KDE control
> > module for security changes everything brilliantly EXCEPT SAMBA.
> >
> > How do we make password changes executed by the users or by the LDAP
> > admin in idm-console propagate to the SAMBA password attributes? Thanks
> > - John
>
See if the attached program smbpasswd-sync.pl can help. I use it for a similar purpose against a Tivoli DIRECTORY SERVER. Do perldoc smbpasswd-sync.pl for the intended usage.

hth
> I'm very interested in implementing freeIPA as it matures and as we have
> some breathing room after our initial product rollout. Is there any way
> to do this without researching and deploying a new product? Anything
> either built into 389 or PAM? Thanks - John

FreeIPA uses a plugin to sync the passwords, you could in theory pull the plugin out of freeipa and add it to 389. I started working on doing this a few months ago and ran out of time. When I looked at it, a conversion didn't look like it would be that hard.

-Nate
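The point the whole thread turns on is that the Samba attributes cannot be filled in from the directory's stored userPassword, which is a one-way hash, so any sync (the freeIPA plugin Rich and Nate mention, or a hook in the style of smbpasswd-sync.pl) has to see the cleartext at the moment of the change and write the Samba hash beside it. The following is an added example, not code from this thread, from smbpasswd-sync.pl, or from the freeIPA plugin: it derives sambaNTPassword the way Samba stores it (MD4 over the UTF-16LE encoding of the password, upper-case hex, no salt) and emits the LDIF modify such a hook would apply. It assumes the Samba LDAP schema attributes sambaNTPassword and sambaPwdLastSet on the user entry; the DN, password and timestamp are constructed sample values. Because the NT hash is unsalted and password-equivalent for SMB, directory ACIs should hide sambaNTPassword from ordinary binds exactly as they hide userPassword.

```python
"""Derive the Samba NT hash from a cleartext password and build the LDAP
modify that a userPassword-to-Samba sync hook would apply.

Added example for the 389-users thread above; not code from the thread,
from smbpasswd-sync.pl, or from the freeIPA plugin. Assumes the Samba
schema attributes sambaNTPassword and sambaPwdLastSet on the user entry.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because hashlib's md4 is missing on
    systems whose OpenSSL ships it only in the legacy provider."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # single 1 bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # 64-bit little-endian bit length

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        h = list(state)
        for func, const, order, shifts in rounds:
            for j, k in enumerate(order):
                t = (-j) % 4              # register updated this step: a, d, c, b, ...
                val = (h[t] + func(h[(t + 1) % 4], h[(t + 2) % 4], h[(t + 3) % 4])
                       + x[k] + const) & MASK32
                h[t] = _rotl(val, shifts[j % 4])
        state = [(s + v) & MASK32 for s, v in zip(state, h)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba keeps it in sambaNTPassword: MD4 over the UTF-16LE
    password, upper-case hex, no salt (so it is password-equivalent)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_sync_ldif(user_dn: str, password: str, pwd_last_set: int) -> str:
    """LDIF modify that writes the Samba hash alongside userPassword.
    The cleartext has to come from the change operation itself; it cannot
    be recovered later from the stored one-way userPassword."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "-",
        "replace: sambaPwdLastSet",
        f"sambaPwdLastSet: {pwd_last_set}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(samba_sync_ldif("uid=jdoe,ou=People,dc=example,dc=com",
                          "password", 1242241200))
```

Run it to print the LDIF and feed that to ldapmodify under the sync's own bound identity. A server-side plugin does the same computation inside the modify operation on the directory, which is why it, and not a PAM module on the Samba host, catches changes made from the KDE control module or from idm-console.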