Nicki Messerschmidt, Linksystem Muenchen GmbH
2003-May-06 10:16 UTC
[Samba] samba + ldap + pam_mkhomedir ?
Hi list,

I'm on the way to implement samba with ldap on five servers (each owns a different nt-domain) and a master server which maintains the central user database which gets replicated to all the other servers. Now I have just one more problem, namely homedirs. I want every user to have a homedir to store for example his profile. This has to exist, and it would be nice if I could use pam_mkhomedir to create it, but (without testing) I figure that samba has to authenticate against pam, am I right? But if I let samba authenticate against pam, do I still have all the information available when authenticating against ldap?

What I planned is this:

User logs onto pdc -> authentication against pam -> pam authenticates against ldap
  |
  -> if homedir exists everything is fine
     else
  -> pam_mkhomedir creates homedir on server

Has anyone done something like this before and could provide some information?

Thanks and cheers
Nicki

--
Linksystem Muenchen GmbH        info@link-m.de
Schloerstrasse 10               http://www.link-m.de
80634 Muenchen                  Tel. 089 / 890 518-0
We make the Net work.           Fax 089 / 890 518-77
> Hi list,
> I'm on the way to implement samba with ldap on five servers (each owns
> a different nt-domain) and a master server which maintains the central
> user database which gets replicated to all the other servers.

BTW, I would appreciate your comments on this document then:
http://ranger.dnsalias.com/samba-ldap-advanced.html

> Now I have just one more problem, namely homedirs. I want every user to have
> a homedir to store for example his profile. This has to exist, and it
> would be nice if I could use pam_mkhomedir to create it, but (without
> testing) I figure that samba has to authenticate against pam, am I
> right?

No, you don't need to auth via pam, see "obey pam restrictions". I guess I should add the stuff about pam_mkhomedir (though we use rsync and NFS, so we don't need this ourselves).

> But if I let samba authenticate against pam, do I still have all
> the information available when authenticating against ldap?
>
> What I planned is this:
> User logs onto pdc -> authentication against pam -> pam authenticates
> against ldap
>   |
>   -> if homedir exists everything is fine
>      else
>   -> pam_mkhomedir creates homedir on server
>
> Has anyone done something like this before and could provide some
> information?

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering        http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7
2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Rauno Tuul wrote:
>> -----Original Message-----
>> From: Buchan Milne [mailto:bgmilne@cae.co.za]
>> Sent: 06. mai 2003. a. 16:05
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] samba + ldap + pam_mkhomedir ?
>>
>>> BTW, I would appreciate your comments on this document then:
>>
>> http://ranger.dnsalias.com/samba-ldap-advanced.html
>
> There is a little mistake in your document.

Well, it's not really a mistake, it's a purposeful omission ... since it was too complicated an issue. I have played with this before:

[bgmilne@hercules bgmilne]$ ldapsearch -x "(uid=bgmilne)" pwdMustChange -LLL
dn: uid=bgmilne,ou=People,dc=cae,dc=co,dc=za
pwdMustChange: 0

But there is no easy way to get it working now AFAICS.

> Samba's LDAP schema contains a parameter: pwdMustChange
> samba 2.2.* is capable to read the value from there and warn users: "Your
> password will expire in 14 days", and so on.
> But the only way to set a proper value there is to do it manually.

But I think this is the wrong approach, since as far as I understand it (I will have to look into some of my old mail, I tracked this issue down before to see how it works), the pwdMustChange value shouldn't need to be set when the user sets their password, only pwdLastSet. Samba then compares the current date to pwdLastSet+pwdMustChange, to determine if it needs to prompt the user to change the password. But we will have the same problem, since Samba (at least last time I checked) does not update pwdLastSet, and will probably also overwrite it if you set it via smbldaptools or some other password change script.

> Problem is that samba doesn't use any configurable value "password expire
> time" and changes the default value to year ~2030.
>
> I've written about it to the samba-technical list, but no one responded to it.
>
> I added my old e-mail about it.

Thanks.

I think all that needs to happen is:
1) Samba should re-read ldap data after running the password program, and
2) Samba should update pwdLastSet when a password has changed.

Maybe I will test with your script and a slightly different patch to pdb_ldap.c ...

In the meantime, I may provide an example script that will check users' shadowexpire values, and mail them (provided their LDAP account has a mail attribute) to change their password.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering        http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7
2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
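The expiry-check script Buchan describes above, written out as an added example that is not part of the thread and not his script: it reads ldapsearch LDIF output, computes how many days remain before each account's password expires (shadowExpire in days since the epoch, or the Samba 2.2 schema's pwdMustChange in seconds since the epoch), and reports the accounts that can be mailed. The sample LDIF, the account names and the fixed reference date are constructed; a real run would feed it the output of ldapsearch against your directory.

```python
import datetime

# Constructed sample LDIF (no real accounts), in the shape that
# `ldapsearch -x -LLL "(objectClass=posixAccount)" uid mail shadowExpire pwdMustChange` prints.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
mail: alice@example.com
shadowExpire: 12185

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
mail: bob@example.com
pwdMustChange: 2147483647

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowExpire: 12175
"""

EPOCH = datetime.date(1970, 1, 1)
TODAY = datetime.date(2003, 5, 6)  # fixed reference date so the results are reproducible

def parse_ldif(text):
    """One dict per LDIF entry; attributes are assumed single-valued and unfolded."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def days_until_expiry(entry, today):
    """Days left before the password must change, or None if no expiry is recorded."""
    if "shadowExpire" in entry:          # shadowAccount: days since the epoch
        expiry = EPOCH + datetime.timedelta(days=int(entry["shadowExpire"]))
    elif "pwdMustChange" in entry:       # Samba 2.2 sambaAccount: seconds since the epoch
        expiry = EPOCH + datetime.timedelta(seconds=int(entry["pwdMustChange"]))
    else:
        return None
    return (expiry - today).days   # negative means the password has already expired

def expiring_accounts(ldif_text, today=TODAY, warn_days=14):
    """(uid, mail, days_left) for every account expiring within warn_days.
    Accounts without a mail attribute cannot be notified and are skipped."""
    hits = []
    for entry in parse_ldif(ldif_text):
        left = days_until_expiry(entry, today)
        if left is not None and left <= warn_days and "mail" in entry:
            hits.append((entry["uid"], entry["mail"], left))
    return hits
```

With the sample data, only alice is reported (7 days left); bob's pwdMustChange lies decades ahead and carol, already expired, has no mail attribute to notify.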