Hi there,

The best (only?) way to go is with an LDAP master+slave architecture. All changes must be done at the LDAP master server, which automatically replicates them to all slave LDAP servers. So, yes, the BDC MUST talk to the PDC, or at least to the master LDAP server, to change the password.

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: kent [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 31 August 2005 11:15
To: [EMAIL PROTECTED]; Samba
Subject: Re: [Samba] BDC and password change program

Hello,

How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and Berkeley DB.

Here is the smb.conf from one school that is a BDC:

[global]
workgroup = WarehamPS
encrypt passwords = Yes
time offset = 60
time server = Yes
# log level = 5
socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
username map = /etc/samba/smbusers
logon script = whs1.bat
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
netbios name = whs1
server string = Fedora Core 4 SAMBA server
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 50
add machine script = /usr/sbin/addmachine.sh "%u"
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = No
dns proxy = no
admin users = @domain_admins
wins support = no
wins server = 172.16.0.13
wins proxy = yes
local master = yes
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no

[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S

[netlogon]
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
comment = Netlogon share
locking = no
browseable = yes
valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
read only = yes
hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
write list = @domain_admins

[staff]
comment = Staff directory
path = /accounts/common
create mode = 0660
browseable = no
write list = @whsstaff
valid users = @whsstaff

[programs]
comment = Applications
path = /accounts/programs
browseable = no
create mode = 0660
write list = @whsstaff
valid users = @whsstaff

[cafeteria]
path = /accounts/cafeteria/data
browseable = no
valid users = @whs-cafe, dperry
force group = whs-cafe
create mode = 0660
directory mode = 0770

Here is the smb.conf for the PDC:

[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
local master = Yes
username map = /etc/samba/smbusers
netbios name = wms1
server string = Fedora Core 4 SAMBA Server
passdb backend = ldapsam:ldap://172.16.0.24
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 30
# add machine script = /usr/bin/smbpasswd -m %u
add machine script = /usr/sbin/addmachine.sh "%u"
logon script = wms1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 255
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no

[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
hide files = /.*/

[netlogon]
comment = Netlogon share
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
locking = no
browseable = no
read only = yes
write list = @domain_admins
hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/

[cafeteria]
path = /accounts/cafeteria/data
browseable = yes
valid users = @wms-cafe, dperry
force group = wms-cafe
create mode = 0660
directory mode = 0770

[staff]
path = /accounts/common
browseable = no
valid users = @wmsstaff
force group = wmsstaff
write list = @domain_admins, @wmsstaff
create mode = 0660
directory mode = 0770

[programs]
path = /accounts/programs
browseable = no
valid users = @wmsstaff, @techstaff
create mode = 0660

[tech]
path = /accounts/tech
browseable = no
valid users = @techstaff
force group = techstaff
write list = @techstaff
create mode = 0660
directory mode = 0770

The addmachine.sh script is my own version of an add machine script. All users, groups and computers have corresponding POSIX accounts in LDAP as well as the Samba objectClass and attributes. I don't use any Windows utilities to manipulate user or group information in LDAP; I have my own set of routines tailored to our system that allow individual control of LDAP info, or we can batch add/delete accounts and user attributes with interactive shell scripts.

My question to the Samba community is still: should the password program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password out-of-sync problem.

Kent N.

Marcio Luciano Donada <[EMAIL PROTECTED]> wrote:

> kent wrote:
>
> | Hello, Just wondering what I should be using for the password
> | change program on a BDC. Should it be: passwd program =
> | /usr/bin/smbpasswd -r <PDC address> %u
> |
> | I'm having a problem with passwords not staying in sync between the
> | PDC and BDC with passdb backend ldap.
> |
> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
> |
> | Kent N
> |
> Hello, I am trying to configure the BDC. How are you adding them to
> your schema in the LDAP base? Could you supply your configuration
> (smb.conf) and smbldap.conf for me to analyze?
>
> Thanks
>
> --
> Márcio Luciano Donada
> T.I. Aurora Alimentos Chapecó(SC)
> Cooperativa Central Oeste Catarinense
> mdonada at auroraalimentos dot com dot br

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
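A practical way to see whether the "out of sync" problem lives in the directory itself is to compare the Samba password-change timestamps held by the master LDAP server and by the replica the BDC reads from. The script below is an added example, not code from this thread or from the Samba project: it reduces two LDIF dumps to uid/sambaPwdLastSet pairs and reports accounts that differ or are missing on one side. The user names and timestamps are constructed, the ldapsearch invocation in the comment is an assumed way of obtaining the dumps (the search base follows kent's ldap suffix and user suffix), and the attribute names are standard Samba schema.

```shell
#!/bin/sh
# Added example, not code from the thread: report Samba accounts whose
# sambaPwdLastSet differs between the master LDAP server and a replica.
# Samba updates that attribute whenever a password is changed, so a
# mismatch that persists after the replication delay is exactly the
# "passwords out of sync between PDC and BDC" symptom, without having to
# read the password hash attributes at all.
#
# In production each dump would come from an ldapsearch against one server
# (assumed invocation; adjust bind options to the local setup):
#   ldapsearch -x -H ldap://<server> -b ou=Users,dc=tow,dc=net \
#       '(objectClass=sambaSamAccount)' uid sambaPwdLastSet
# Here both dumps are constructed inline so the script runs offline.

LC_ALL=C
export LC_ALL

# Reduce an LDIF dump on stdin to one "uid<TAB>sambaPwdLastSet" line per
# entry, sorted by uid. Entries without the attribute get "-".
ldif_pwdlastset() {
    awk '
        /^dn: /              { if (uid != "") print uid "\t" ts; uid = ""; ts = "-" }
        /^uid: /             { uid = $2 }
        /^sambaPwdLastSet: / { ts = $2 }
        END                  { if (uid != "") print uid "\t" ts }
    ' | sort
}

# Join the two reduced dumps on uid and print only the accounts that differ
# or are missing on one side, as "uid master=<value> replica=<value>".
compare_replicas() {
    master_file=$1
    replica_file=$2
    join -t "$(printf '\t')" -a 1 -a 2 -e MISSING -o '0,1.2,2.2' \
        "$master_file" "$replica_file" |
    awk -F '\t' '$2 != $3 { printf "%s master=%s replica=%s\n", $1, $2, $3 }'
}

# Constructed sample data: alice's password was changed on the master but
# the replica still holds the old timestamp; carol exists only on the
# master; bob is consistent on both sides.
MASTER_LDIF='dn: uid=alice,ou=Users,dc=tow,dc=net
uid: alice
sambaPwdLastSet: 1125487200

dn: uid=bob,ou=Users,dc=tow,dc=net
uid: bob
sambaPwdLastSet: 1125400000

dn: uid=carol,ou=Users,dc=tow,dc=net
uid: carol
sambaPwdLastSet: 1125480000
'

REPLICA_LDIF='dn: uid=alice,ou=Users,dc=tow,dc=net
uid: alice
sambaPwdLastSet: 1125300000

dn: uid=bob,ou=Users,dc=tow,dc=net
uid: bob
sambaPwdLastSet: 1125400000
'

# Run the comparison over the two sample dumps and print the drift report.
report_drift() {
    master_tmp=$(mktemp)
    replica_tmp=$(mktemp)
    printf '%s' "$MASTER_LDIF"  | ldif_pwdlastset > "$master_tmp"
    printf '%s' "$REPLICA_LDIF" | ldif_pwdlastset > "$replica_tmp"
    compare_replicas "$master_tmp" "$replica_tmp"
    rm -f "$master_tmp" "$replica_tmp"
}

report_drift
```

Run with the two dumps taken a little apart to allow for the replication delay (Samba's own `ldap replication sleep` parameter exists for the same reason). An empty report means the directory copies agree and the problem is elsewhere; a non-empty one means a password write reached one server and was never replicated to the other, which is the case Bruno's reply addresses: writes have to land on the master, whether because the BDC's passdb backend points there directly or because the slave refers them on.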