I thought I would just add my two cents here; I am not sure I completely
understand your problem; logs are useful to help . You mentioned you are having
issues with users changing passwords, I am not sure if your clients are windows
or not, or a yast issue - but common problem if users cannot change passwords
from windows is openldap acl's
I have not used yast before, but what tools are you using to manage
samba/openldap accounts with - ie smbldap-tools (maybe they need to be checked
to)
So you would have something like this in smb.conf ldap admin "dn =
cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" substitute
"sambaadmin" or "syncuser" below with 'Manager"
(depends on openldap version as well)
Samba Openldap acl's
access to attrs=userPassword
by self write
by dn="cn=sambaadmin,dc=samba,dc=org" write
by dn="cn=syncuser,dc=samba,dc=org" read
by * auth
access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=samba,dc=org" write
by dn="cn=syncuser,dc=samba,dc=org" read
access to *
by dn="cn=sambaadmin,dc=samba,dc=org" write
by dn="cn=syncuser,dc=samba,dc=org" read
by * read
It would be best to explain your setup a little more clear and some samba /
openldap logs may give us some more info if this or the below reply do not help.
As mentioned Samba 3 by Example should answer most of your questions / queries
Regards,
Adrian Sender
Subject: Re: [Samba] Convert existing Samba DB to LDAP
CC: samba@lists.samba.org
Date: Fri, 11 Jan 2008 18:23:35 -0600
To: eboulian@cbnco.com
you'll need to config samba to use your LDAP backend. in smb.conf
you'll need:
passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
idmap backend = ldap:ldap://gomer.mdah.state.ms.us
ldap passwd sync = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
and you can load your smbpasswd/tdbsam users with:
pdbedit --import=smbpasswd:/etc/samba/smbpasswd
--export=ldapsam:ldap://gomer.mdah.state.ms.us
and because the ldap passwd sync = yes, when your users do ctrl alt del
and click on change password, it should change it in LDAP for their unix
shell acct and their samba password that is in their LDAP dn.
read chapter 5 of the Samba-3 By Example PDF, it kind of explains
everything.
Eric Bouliane wrote:> We currently have an OpenLDAP server with many nodes authenticating to
> it for various things. We have an existing server that is now using
> LDAP to authenticate, but would like to have Samba in turn
> authenticate to it. We've configured the smb.conf file accordingly and
> can get this working.
>
> Our dilemma is in adding the "Manage samba account parameters"
plug-in
> via the Yast User/Group modification. When doing this and attempting
> to finish editing existing users, it errors out with "Change the
> passwordto create the Samba account". We would like to prevent having
> all of our LDAP users come to our desks to change the password
> individually, is there a way to globally set this and use either
> existing passwords within the samba/secrets.tdb file or those set
> within LDAP already?
>
> Cheers.
>
_________________________________________________________________
New music from the Rogue Traders - listen now!
http://ninemsn.com.au/share/redir/adTrack.asp?mode=click&clientID=832&referral=hotmailtaglineOct07&URL=http://music.ninemsn.com.au/roguetraders