Tim Tyler wrote:
> Samba experts,
> I am using Samba 3.0.8 on an AIX 5.1 system with ldap authentication. I have ldap working so that users can authenticate in their samba account via ldap. However, I am trying to figure out the best method for allowing users to change their ldap samba account password.
> What is the best method to allow end users to change their LM/NT passwords for Samba via LDAP?
> Should I be using smbpasswd? Or should I be using the smbldap-tools and use smbldap-passwd.pl? Or is there another option?
Hi, I wanted the same a month ago, and googling a little I found a little web-based PHP application which changed the "user password" attribute of an LDAP server (phpLdapPasswd). And I thought, what a fuck, I use the NT/LM passwords for Samba...
But looking into the code I saw that it's not difficult to access/modify LDAP attributes with PHP, so I decided to make a patch to support changing NT/LM passwords.
You can get the app in its version 0.5 at: http://www.xenos.net/software/phpLdapPasswd/
You may have the mkntpwd program (search for it, I don't remember where I got it) in order to obtain the LM:NT hashes.
Apply the attached patch
(save the patch in the phpLdapPasswd directory and run patch -p1 < passwdSambaSupport.patch).
> Also, what do I need to set for privileges (ACL's) on the ldap server side to allow users to change their samba password (if any)?
In my /etc/ldap/slapd.conf the part related to LM and NT passwords looks like:
access to attribute=sambaNTPassword by dn="cn=admin,dc=company,dc=cat" by anonymous auth by self write by * none
access to attribute=sambaLMPassword by dn="cn=admin,dc=company,dc=cat" by anonymous auth by self write by * none
I have to note that when I put the sambaNTPassword and sambaLMPassword in the same ACL (as you) it didn't work for me...
Putting them separately works. I suppose I made a typing mistake that I couldn't see.
> Any recommendations and hints about implementing it are much appreciated!
> thanks!
> Tim
Tell me if you have any problems, nowadays it's working for me ok.
Xavi
diff -Naur phpLdapPasswd-0.5/config.php phpLdapPasswd-withSambaSupport-0.5/config.php --- phpLdapPasswd-0.5/config.php 2004-08-26 17:48:22.000000000 +0200 +++ phpLdapPasswd-withSambaSupport-0.5/config.php 2005-01-21 11:27:03.000000000 +0100 @@ -64,6 +64,22 @@ // default Debian Woody system!) $ENCODING = MD5; +// If you have SambaAccounts in your Ldap database you may want to have both unix +// and samba passwords syncronized. Set this to 1 if you want to do so. Otherwise, +// set it to 0.. +$SAMBASYNCRO = 0; + +// If you set SAMBASYNCRO to 1, you must have the mkntpwd aplication, which makes +// the necessary NTHashes to perform windows authentication. So here, put the +// full mkntpwd file path (with the name of the file too). +$MKNTPWD = "/usr/local/sbin/mkntpwd"; + +// This two attributes is for making it more extensive. Depending on the samba schema, +// this two attributes are named different, so you may put them here. If you don't know +// what they are search in your samba.schema file. +$SAMBANTATTR = "sambaNTPassword"; +$SAMBALMATTR = "sambaLMPassword"; + // This should be set to the attribute for which to search when a login ID // is entered. This attribute should have a unique value in the $LDAPBASEDN // given. diff -Naur phpLdapPasswd-0.5/functions.php phpLdapPasswd-withSambaSupport-0.5/functions.php --- phpLdapPasswd-0.5/functions.php 2004-08-26 17:50:46.000000000 +0200 +++ phpLdapPasswd-withSambaSupport-0.5/functions.php 2005-01-21 11:42:09.000000000 +0100 
@@ -497,4 +497,37 @@ return $ds; } + +// ************************************************************************** +// Function: +// +// Purpose: Update the Samba NT and LM Passwords +// +// Usage: createSambaPasswords($password) +// +// - $password: The password in plain text to encode +// +// Returns: an array of two positions -> sambaLMPassword and SambaNTPassword +// ************************************************************************** +function createSambaPasswords($password) { + global $MKNTPWD; + global $SAMBANTATTR; + global $SAMBALMATTR; + $sambaPass = array("sambaLMPassword" => NULL, + "sambaNTPassword" => NULL); + + if (!(@file_exists($MKNTPWD) && is_executable($MKNTPWD))) { + fatal_error("You don't have the mkntpwd program in the correct path (look in config.php) + or it is not executable"); + } + $sambaPassCommand = $MKNTPWD . " " . $password; + if($sambaPassCommandOutput = shell_exec($sambaPassCommand)) { + $sambaPass[$SAMBALMATTR] = trim(substr($sambaPassCommandOutput, 0, strPos($sambaPassCommandOutput, ':'))); + $sambaPass[$SAMBANTATTR] = trim(substr($sambaPassCommandOutput, strPos($sambaPassCommandOutput, ':') +1)); + } + else { + fatal_error("The mkntpwd has failed making the NTHashes for Samba"); + } + return $sambaPass; +} ?> diff -Naur phpLdapPasswd-0.5/index.php phpLdapPasswd-withSambaSupport-0.5/index.php --- phpLdapPasswd-0.5/index.php 2004-08-26 17:49:50.000000000 +0200 +++ phpLdapPasswd-withSambaSupport-0.5/index.php 2005-01-21 11:51:56.000000000 +0100 
@@ -89,6 +89,14 @@ display_template($TEMPLATE_CHANGEPASS, "You gave an incorrect current password"); } +// Change the current sambaNTPassword and sambaLMPassword attributes +if ($SAMBASYNCRO) { + $encodedSambaPass = createSambaPasswords($newpass); + if (!(@ldap_mod_replace($ds, $dn, $encodedSambaPass))) { + fatal_error("Unable to change SambaPasswords."); + } +} + // Change the current password. $encodedpass = encode_password($newpass, $ENCODING); if (!(@ldap_mod_replace($ds, $dn, array('userpassword' => $encodedpass)))) {
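Review bot: in createSambaPasswords() (functions.php hunk), `$sambaPassCommand = $MKNTPWD . " " . $password;` hands the user-supplied new password to shell_exec() unquoted, so spaces and shell metacharacters in a password are interpreted by the shell instead of being hashed; wrap the argument with escapeshellarg($password) before building the command. The plaintext also ends up on the command line, where it is visible in the process list for the lifetime of the call. Two smaller points in the same function: $sambaPass is initialised with the literal keys "sambaLMPassword" and "sambaNTPassword" but filled through $SAMBALMATTR and $SAMBANTATTR, so with a schema that uses other attribute names the NULL-valued literal keys are still returned and passed to ldap_mod_replace(); initialise the array with the configured names instead. And the output is split on ':' without checking that strPos() found one, so unexpected mkntpwd output is stored as hashes rather than rejected.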
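Review bot: in the index.php hunk the Samba attributes are written by their own ldap_mod_replace() call before the existing one for 'userpassword', so if the second call fails the entry is left with the new sambaNTPassword/sambaLMPassword and the old userpassword, which is the opposite of the synchronisation $SAMBASYNCRO promises. Build one array holding 'userpassword' plus the two Samba attributes and issue a single ldap_mod_replace(), so the directory applies all three or none. The `@` on the new call also hides the LDAP error, which makes an ACL denial on the Samba attributes (the "by self write" rules discussed in the message) indistinguishable from any other failure; include ldap_error($ds) in the fatal_error() text.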