On 03/14/2010 04:07 PM, Miguel Medalha wrote:
> I have been using Samba+Linux+openLDAP. The password synchronization
> between the Samba and Unix accounts works well with the use of the
> "ldap passwd sync" parameter in smb.conf.
>
> Now I am in the process of installing my first server using CentOS/Red
> Hat/389 Directory Server and this does not work in the same way. It
> seems that some additional software must be installed in each Windows
> client machine in order to enable password sync.
>
> I noticed that it is possible to include the "nss_map_attribute"
> option in /etc/ldap.conf.
> Would it be possible to map the "userPassword" attribute to the
> "sambaNTPassword" attribute in order to have both password requests
> pointing to a single place?
>
> Of course I can experiment with this, but I thought that perhaps
> someone here has already some acquired knowledge on this...
>
> Thank you!
I am using Sun Directory Server. I believe that both the Sun Directory
server and the RedHat/Fedora directory server are forks of the earlier
Iplanet/Netscape directory server. The samba servers are running on
Solaris. With a local (non-ldap) password, root can easily use the
passwd command to change a user's password, since entering the old
password is not required. But with ldap accounts this doesn't work: if
root tries to change another user's password with "passwd -r ldap", the
old password is required. Instead you need to use the "ldappasswd"
command and authenticate as a user with the appropriate ldap
administrative powers.
My smb.conf includes:

    passwd program = /etc/samba/smbldappasswd.sh %u
    passwd chat = *New* %n\n *changed*
    unix password sync = yes
# cat /etc/samba/smbldappasswd.sh
#!/bin/bash
# Samba runs this as "passwd program" with %u as $1; the new password is
# written to stdin by smbd once it sees the "New" prompt (see "passwd chat").
USER="uid=$1,ou=people,o=mydomain.com"
echo -n New password:
read -r NEWPASS
# Uncomment the following 3 lines for diagnostics only (the third line
# writes the new password in cleartext to the log file).
#date >> /etc/samba/smbldappasswd.log
#echo "$USER" >> /etc/samba/smbldappasswd.log
#echo "$NEWPASS" >> /etc/samba/smbldappasswd.log
/opt/SUNWdsee/dsee6/bin/ldappasswd -h obelix -D "LDAP Admin" -w ldap_admin_password \
    -v -s "$NEWPASS" "$USER"
The script is owned by root, with perms 700. I really did not like
putting a password in a script but couldn't find a way around it.
The other approach I had tried, without luck, was trying to pass the old
password (%o) to the "passwd -r" command. I don't think the old
password got passed to the "passwd program".
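The following is an added example, not the script from the post above: it implements the same Samba "passwd program" / "passwd chat" pattern (smbd starts the program, waits for "New", writes the new password plus newline, waits for "changed") but keeps the directory administrator's password out of the script by reading it from a root-only file, validates the %u name before building a DN, and logs the event without the password. It assumes a hypothetical bind password file /etc/samba/ldap_admin.pw, the bind DN "cn=Directory Manager", the base "ou=people,o=mydomain.com", and the -j <file> bind-password option of Sun's ldappasswd (OpenLDAP's ldappasswd uses -y <file> instead); all of these are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script). Samba "passwd program"
# that changes a directory password with ldappasswd while keeping the admin
# bind password in a root-only file rather than in this script.
# Assumed (hypothetical) values: PW_FILE, BIND_DN, BASE_DN and the -j option.
# Matching smb.conf lines:
#   passwd program = /etc/samba/smbldappasswd.sh %u
#   passwd chat = *New* %n\n *changed*
#   unix password sync = yes

LDAPPASSWD="${LDAPPASSWD:-/opt/SUNWdsee/dsee6/bin/ldappasswd}"
LDAP_HOST="${LDAP_HOST:-obelix}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"          # assumption
PW_FILE="${PW_FILE:-/etc/samba/ldap_admin.pw}"       # assumption, mode 0600, owner root
LOGFILE="${LOGFILE:-/var/log/samba/smbldappasswd.log}"
BASE_DN="ou=people,o=mydomain.com"

# Build the user's DN from the name Samba passes as %u. Only plain account
# names are accepted, so a name containing "," or "=" cannot add DN components.
user_dn() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$BASE_DN"
}

# The bind password file must exist and have no group/other permission bits;
# otherwise refuse to run rather than use a secret that others can read.
check_secret_file() {
    [ -f "$PW_FILE" ] || return 1
    perms=$(ls -ld "$PW_FILE" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Record the event only; the new password must never reach the log file.
log_event() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$LOGFILE"
}

# Exchange with smbd: print the "New" prompt, read the password line that
# smbd sends (%n\n), then report "changed" on success.
change_password() {
    dn=$(user_dn "$1") || { echo "invalid user name" >&2; return 2; }
    check_secret_file || { echo "bind password file unusable" >&2; return 3; }
    printf 'New password: '
    IFS= read -r newpass || return 4
    if "$LDAPPASSWD" -h "$LDAP_HOST" -D "$BIND_DN" -j "$PW_FILE" -s "$newpass" "$dn"; then
        log_event "password changed for $dn"
        echo "Password changed"
        return 0
    fi
    log_event "password change FAILED for $dn"
    echo "Password change failed" >&2
    return 5
}

# Act as the passwd program only when called with a user name (Samba's %u).
if [ "$#" -eq 1 ]; then
    change_password "$1"
fi
```

Deploy the script as root with mode 700 like the original, and the bind password file with mode 600; the script refuses to run if that file is readable by group or others. Because the password never appears on the ldappasswd command line for the admin bind, it is not visible in the script or in process listings of the bind step; the user's new password is still passed with -s exactly as in the post, so this changes only where the administrator's secret lives.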