search for: pam_password

WHat is the significance to Samba of pam_password exop vs pam_password md5 in ldap.conf? The reason I ask is that, wherever possible, I prefer to use the vendor supplied tools for manipulating config files. With Fedora 3 it's system-config-authentication and it doesn't give you the option of exop. You either enable MD5, which puts pam_pas...

...g why smbpasswd generate a wrong has whenever there's a non-ascii character part of the password ?? -- Here is part of the samba+ldap config: -- /usr/local/etc/nss_ldap.conf: -- * ls -l /usr/local/etc/ldap.conf /usr/local/etc/ldap.conf -> nss_ldap.conf * Excerpt from the nss_ldap.conf file pam_password clear pam_password exop nss_base_passwd ou=People,dc=XXXX?one nss_base_passwd ou=Hosts,dc=XXXX?one nss_base_shadow ou=People,dc=XXXX?one nss_base_group ou=Group,dc=XXXX?one ssl start_tls tls_checkpeer yes -- /usr/local/etc/openldap/slapd.conf (the ldap server is on another box): -- moduleload...

...plate user # (can be overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. pam_password crypt # Remove old password first, then update in # cleart...

...ute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. #pam_password crypt # Remove old password first, then update in # cleart...

...overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # If you are using XAD, you can set pam_password # to racf, ad, or exop. Make sure that you have # SSL enabled. # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape...

...his as example adjust as needed.   base dc=domain,dc=local uri ldap://dc01.domain.local/ ldap://dc02.domain.local/ ldap_version 3 binddn auth_ldap_user at domain.local bindpw password rootbinddn auth_ldap_user at domain.local pam_filter objectclass=user pam_login_attribute sAMAccountName pam_password crypt   ^^ test with and without the pam_password crypt And test with pam_password bind       Greetz,   Louis     Van: Marcel Ebbrecht [mailto:m.ebbrecht at dortmundit.de] Verzonden: maandag 25 januari 2016 19:54 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Sa...

...in,dc=com # random stuff #timelimit 120 #bind_timelimit 120 #bind_policy hard # brought these times down wmodes Aug 11, 2008 timelimit 30 bind_timelimit 30 bind_policy soft idle_timelimit 3600 nss_initgroups_ignoreusers root,ldap # pam config #pam_password md5 pam_password md5 # config for nss nss_base_passwd ou=people,dc=ourdomain,dc=com?one nss_base_shadow ou=people,dc=ourdomain,dc=com?one nss_base_group ou=group,dc=ourdomain,dc=com?one # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LD...

...in,dc=com # random stuff #timelimit 120 #bind_timelimit 120 #bind_policy hard # brought these times down wmodes Aug 11, 2008 timelimit 30 bind_timelimit 30 bind_policy soft idle_timelimit 3600 nss_initgroups_ignoreusers root,ldap # pam config #pam_password md5 pam_password md5 # config for nss nss_base_passwd ou=people,dc=ourdomain,dc=com?one nss_base_shadow ou=people,dc=ourdomain,dc=com?one nss_base_group ou=group,dc=ourdomain,dc=com?one # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LD...

...o change it. sambaAcctFlags includes the X flag which I thought meant "don't expire passwords." The password changing thing has got me even more stumped. Can anyone offer any clues? /etc/pam_ldap.conf: host localhost base dc=trec,dc=us ldap_version 3 rootbinddn cn=admin,dc=trec,dc=us pam_password exop /etc/libnss-ldap.conf: host localhost base dc=trec,dc=us ldap_version 3 rootbinddn cn=admin,dc=trec,dc=us pam_password exop Example user entry: dn: uid=sgoodrich,ou=Users,dc=trec,dc=us objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient cn: Suzan...

...ord (and the new password overwrites the LDAP userPassword, thanks to the "ldap password sync = yes" directive in smb.conf). If I want to permit that a user can change his LDAP userPassword and align it to the SambaNTPassword, I have seen that I can do it by using the smbk5pwd overlay and pam_password exop. But I do not know a method for using the existing LDAP userPassword for Samba authentication: I do not want that all the users have to redefine their passwords. Someone of you knows a way for doing that? Thank you in advance

...ap.so My /etc/ldap.conf is setup as (world readable): base dc=pds-support,dc=net rootbinddn cn=nssldap,ou=DSA,dc=pds-support,dc=net nss_base_passwd dc=pds-support,dc=net?sub nss_base_shadow dc=pds-support,dc=net?sub nss_base_group ou=Groups,dc=pds-support,dc=net?one ssl no pam_password md5 and my /etc/nsswitch.conf (world readable) passwd: files ldap shadow: files ldap group: files ldap I have /etc/ldap.secret set to world readable atm moment with the password (I plan on changing this once I have it working)

...overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # If you are using XAD, you can set pam_password # to racf, ad, or exop. Make sure that you have # SSL enabled. # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape...

...CentOS 5 i386 machine. /etc/ldap.conf reads ----- %< ----- base dc=DOMAIN,dc=com timelimit 30 bind_timelimit 30 idle_timelimit 300 nss_initgroups_ignoreusers root,ldap,named,[... trimmed ...] uri ldap://ldap1.DOMAIN.com ldap://ldap2.DOMAIN.com ssl start_tls tls_cacertdir /etc/openldap/cacerts pam_password md5 ----- %< ----- The client will bind to whichever server is listed first after the 'uri' directive. In the config snippet, it's 'ldap1' -- but it works the other way too. If the first-listed server goes away, the client never seems to try to find or bind to the second...

...team without properly documenting their work # /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1) host LBSD.summitnjhome.com base dc=summitnjhome,dc=com sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com bindpw {SSHA}secret scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com # grep for ldap account shows ldap account on the ldap server itself succeeds [root at LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs walbs:secret/:1002:1003:Walkiria Soares:/home/wal...

...the user a unixHomeDirectory :( ) In my ldap.conf, I'm using: nss_map_attribute uid sAMAccountName nss_map_attribute uniqueMember member nss_map_attribute homeDirectory unixHomeDirectory nss_map_attribute gecos displayName pam_login_attribute sAMAccountName pam_filter objectclass=posixAccount pam_password ad What are people doing for maintaining their Unix accounts in AD? Should all the unix accounts also have oc posixAccount? Also, looks like samba-tool isn't adding the msSFU30NisDomain - this makes the Unix attributes not enabled in ADUC. It should probably add that, yes? M. -- Michael Br...

...c. -- and cannot find any solution that helps or clearly explains what's going on; though many people seem to be having similar issues with "net vampire" I've tried the following: - different pam_ldap versions (156 & 176) - tweaking /etc/ldap.conf settings including pam_password key - tweaking various pam.d config files - confirm my local SID matches the PDC/remote SID Questions: =========== I'm unclear about the following -- and see many conflicting suggestions on the internet: *) Should /etc/samba/smb.conf => encrypt passwords =yes *) My BDC /etc/samba/...

...overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # If you are using XAD, you can set pam_password # to racf, ad, or exop. Make sure that you have # SSL enabled. # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape...

...db files ethers: db files rpc: db files publickey: nisplus netgroup: files libnss_ldap.conf host xx.xx.xx.xx base dc=xxx,dc=xxxxx,dc=xxx binddn cn=Administrator,dc=xxx,dc=xxxxx,dc=xxx bindpw xxxxxxx timelimit 50 bind_timelimit 50 bind_policy hard idle_timelimit 3600 pam_password exop nss_base_passwd dc=xxx,dc=xxxxx,dc=xxx nss_base_shadow dc=xxx,dc=xxxxx,dc=xxx nss_base_group dc=xxx,dc=xxxxx,dc=xxx ssl off Thank you, Wasil.

...printable = yes [print$] comment = Printer Driver Download Area path = /etc/samba/drivers browseable = yes guest ok = yes read only = yes ================ /etc/ldap.conf uri ldap://x.x.x.x base dc=test binddn cn=Directory Manager bindpw xxxx #pam_password exop #pam_filter objectclass=sambaSamAccount nss_base_passwd ou=Users,dc=test nss_base_shadow ou=Users,dc=test nss_base_group ou=NTGroups,dc=test ssl no

...orts configurable # network or connect timeouts (see bind_timelimit). #host 127.0.0.1 host 127.0.0.1 # The distinguished name of the search base. base dc=thales,dc=be binddn cn=Manager,dc=thales,dc=be bindpw secret # Use the OpenLDAP password change # extended operation to update the password. pam_password md5 # RFC2307bis naming contexts # Syntax: # nss_base_XXX base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. # You can omit the suffix eg: # nss_base_passwd ou=People, # to append the default base DN but this # ma...