This may help too: http://www.e-tinet.com/linux/servidor-samba-com-troca-de-senha-obrigatorio/

2008/5/29 William David FUG-BR <[EMAIL PROTECTED]>:
> yes
>
> no problem, I log in normally
>
> in PAM_LDAP
>
> use Password_pam SSHA instead of password_pam Md5 or crypt
>
> just remember to re-register all the passwords as SSHA
>
> 2008/5/29 Israel Lehnen Silva <[EMAIL PROTECTED]>:
>> But this way, can you log in to FreeBSD via ssh, logging in against the LDAP base???
>>
>> 2008/5/29 William David FUG-BR <[EMAIL PROTECTED]>:
>>
>>> why don't you convert the whole encryption base of the LDAP to SSHA
>>>
>>> I have used this from the beginning and had no problems with my smb LDAP
>>>
>>> don't use md5, select SSHA directly
>>>
>>> take a look
>>> http://biosystems.ath.cx:8080/wiki/
>>>
>>> 2008/5/28 Israel Lehnen Silva <[EMAIL PROTECTED]>:
>>> > The goal is not to use Kerberos but rather the standard authentication against the LDAP base
>>> >
>>> > Does nobody know how to do this?
>>> > I am running into the same problem...
>>> >
>>> > Regards.
>>> >
>>> > 2008/5/27 Klaus Schneider <[EMAIL PROTECTED]>:
>>> >
>>> >> Have you tried Kerberos?
>>> >>
>>> >> 2008/5/27 Thiago Dias Torres <[EMAIL PROTECTED]>:
>>> >>
>>> >> > smbldap.conf parameters:
>>> >> >
>>> >> > hash_encrypt="CRYPT"
>>> >> > crypt_salt_format="$1$%.8s"
>>> >> >
>>> >> > If I run smbldap-passwd <usuario>, the password is correct, with the
>>> >> > hash specified in smbldap.conf, and I can log in normally on
>>> >> > Windows and FreeBSD. The problem occurs only when I change the password
>>> >> > through Windows XP.
>>> >> >
>>> >> > The problem seems to me to be in the way FreeBSD interprets this password,
>>> >> > because I ran a test with Linux (Fedora 6) and this problem does not occur;
>>> >> > I can authenticate on Linux regardless of the hash that was used.
>>> >> >
>>> >> > # Output of getent passwd after changing the password with the
>>> >> > smbldap-passwd command:
>>> >> >
>>> >> > newarq# getent passwd | grep thiago
>>> >> > thiago:$1$AC3MRqUK$7EgfcjZwReXydnt/aZhab0:100222:30006:Thiago Dias Torres:/home/thiago:/bin/csh
>>> >> >
>>> >> > # Output of getent passwd after changing the password through Windows XP:
>>> >> >
>>> >> > newarq# getent passwd | grep thiago
>>> >> > thiago:*:100222:30006:Thiago Dias Torres:/home/thiago:/bin/csh
>>> >> >
>>> >> > 2008/5/27 Jorge Petry <[EMAIL PROTECTED]>:
>>> >> > > Hello.
>>> >> > > Check in the smbtools file, smbldap.conf, whether this option is
>>> >> > > set like this:
>>> >> > > hash_encrypt="MD5" or hash_encrypt="SSHA"
>>> >> > > Report back afterwards.
>>> >> > > Regards.
>>> >> > >
>>> >> > > _________________________________________
>>> >> > > Jorge Petry Neto
>>> >> > > Network and Server Administrator
>>> >> > > (48) 8401-4436
>>> >> > > [EMAIL PROTECTED]
>>> >> > > www.jspnet.com.br
>>> >> > >
>>> >> > > Thiago Dias Torres wrote:
>>> >> > >
>>> >> > > Dear all,
>>> >> > >
>>> >> > > I have the following scenario:
>>> >> > >
>>> >> > > FreeBSD 7.0 Stable server authenticating against an LDAP base through
>>> >> > > PAM (pam_ldap and nss_ldap)
>>> >> > > On the same server, SAMBA 3.0.28 is running, also authenticating against
>>> >> > > the LDAP base and using the smbldap-tools scripts.
>>> >> > > LDAPAdmin tool for administering the base.
>>> >> > >
>>> >> > > The problem:
>>> >> > >
>>> >> > > When I change the user's password in the LDAP base through LDAPAdmin,
>>> >> > > I select MD5 Crypt encryption for the userPassword attribute.
>>> >> > > This way I can log in on Windows and on FreeBSD via terminal, ssh,
>>> >> > > etc... however, when I change the user's password through Windows, the
>>> >> > > password encryption of the userPassword attribute is changed to SSHA and
>>> >> > > then I can no longer log in on FreeBSD, only on Windows.
>>> >> > >
>>> >> > > Has anyone already implemented this method? FreeBSD and SAMBA authenticating
>>> >> > > against LDAP, allowing users to change their own password through Windows
>>> >> > > without interfering with FreeBSD authentication via terminal or ssh?
>>> >> > >
>>> >> > > The Samba configuration file follows:
>>> >> > >
>>> >> > > # Samba config file created using SWAT
>>> >> > > # from 0.0.0.0 (0.0.0.0)
>>> >> > > # Date: 2008/05/05 16:13:37
>>> >> > >
>>> >> > > [global]
>>> >> > > dos charset = CP850
>>> >> > > unix charset = ISO8859-1
>>> >> > > workgroup = NOVOARQ
>>> >> > > netbios name = NARQ
>>> >> > > server string = LDAP Teste
>>> >> > > # update encrypted = Yes
>>> >> > > # unix password sync = Yes
>>> >> > > passwd program = /usr/local/sbin/smbldap-passwd -u "%u"
>>> >> > > encrypt passwords = Yes
>>> >> > > # obey pam restrictions = Yes
>>> >> > > socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>>> >> > > log level = 1
>>> >> > > log file = /var/log/samba/samba.log
>>> >> > > max log size = 0
>>> >> > > time server = Yes
>>> >> > > machine password timeout = 0
>>> >> > > logon script = %G.bat
>>> >> > > logon drive = H:
>>> >> > > logon home = \\NARQ\%U
>>> >> > >
>>> >> > > os level = 255
>>> >> > > preferred master = Yes
>>> >> > > domain master = yes
>>> >> > > domain logons = yes
>>> >> > > local master = yes
>>> >> > >
>>> >> > > passdb backend = ldapsam:ldap://ldap.dominio.com.br
>>> >> > > ldap passwd sync = Yes
>>> >> > > ldap delete dn = Yes
>>> >> > > ldap ssl = no
>>> >> > > ldap admin dn = cn=admin,dc=unilasalle,dc=edu,dc=br
>>> >> > > ldap suffix = dc=unilasalle,dc=edu,dc=br
>>> >> > > ldap machine suffix = ou=computadores
>>> >> > > ldap user suffix = ou=usuarios
>>> >> > > ldap group suffix = ou=grupos
>>> >> > > ldap idmap suffix = sambaDomainName=NOVOARQ
>>> >> > > idmap backend = ldap:ldap://ldap.dominio.com.br
>>> >> > > idmap uid = 10000-65000
>>> >> > > idmap gid = 10000-65000
>>> >> > > enable privileges = yes
>>> >> > > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> >> > > # delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>> >> > > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> >> > > # delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>>> >> > > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>> >> > > delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>> >> > > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>> >> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> >> > >
>>> >> > > utmp = Yes
>>> >> > > smb ports = 445 139
>>> >> > > name resolve order = wins bcast hosts
>>> >> > > time server = Yes
>>> >> > > template shell = /bin/false
>>> >> > > winbind use default domain = no
>>> >> > > map acl inherit = Yes
>>> >> > > strict locking = Yes
>>> >> > > wins support = Yes
>>> >> > > interfaces = bce0
>>> >> > > bind interfaces only = Yes
>>> >> > >
>>> >> > > dns proxy = No
>>> >> > > create mask = 0770
>>> >> > > force create mode = 0770
>>> >> > > directory mask = 0770
>>> >> > > force directory mode = 0770
>>> >> > > -------------------------
>>> >> > > Archive: http://www.fug.com.br/historico/html/freebsd/
>>> >> > > Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>> >>
>>> >> --
>>> >> /*
>>> >> * Klaus Schneider
>>> >> */
>>> >
>>> > --
>>> >
>>> > Regards, Israel Lehnen Silva
>>>
>>> --
>>> -=-=-=-=-=-=-=-=-=-
>>> William David Armstrong <----. Of course it runs
>>> Bio Systems Security Networking <----|==========================
>>> MSN / GT [EMAIL PROTECTED] <----' OpenBSD or FreeBSD
>>> --------------------------------------
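
An added example, not part of the original thread or of any poster's code: a small Python audit for the migration the replies recommend (re-registering every userPassword as SSHA). It names the scheme of each stored value, verifies an {SSHA} value, and models the passwd field seen in the two getent outputs quoted above; the function names and the sample entries are hypothetical and constructed.

```python
import base64
import hashlib
import hmac

def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def scheme_of(value):
    """Name the storage scheme of a userPassword value."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT"
    scheme, rest = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CRYPT":
        return "CRYPT/MD5" if rest.startswith("$1$") else "CRYPT/other"
    return scheme

def verify_ssha(password, value):
    """Check a password against an {SSHA} value in constant time."""
    if scheme_of(value) != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def passwd_field(value):
    """Model the passwd field from the thread's getent output:
    a {CRYPT} value shows its hash, any other scheme shows '*'."""
    return value[7:] if value[:7].upper() == "{CRYPT}" else "*"

def not_yet_ssha(entries):
    """Return the uids whose userPassword still has to be re-registered as SSHA."""
    return sorted(uid for uid, value in entries.items() if scheme_of(value) != "SSHA")

# Constructed sample directory (uid -> userPassword); all values are made up.
ENTRIES = {
    "alice": make_ssha("correct horse", b"\x01\x02\x03\x04"),
    "bob": "{CRYPT}$1$abcdefgh$CONSTRUCTEDHASHVALUE00",
    "carol": "{MD5}" + base64.b64encode(b"\x00" * 16).decode(),
}

if __name__ == "__main__":
    for uid, value in ENTRIES.items():
        print(uid, scheme_of(value), passwd_field(value))
    print("still to convert:", not_yet_ssha(ENTRIES))
```

Running it against an export of uid and userPassword pairs shows which accounts would still be on another scheme after a partial migration.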