Deas, Jim wrote:
Ryan,
 Wish I could say yes but no, not clear. My existing users are all Mac
OSX clients using the netatalk package.

I never used a Mac or Netatalk, but ...

 Netatalk uses the PAM system to
authenticate. I have the ldap modules in pam.d setup to use the LDAP
posix structure for netatalk authentication.
The issue is how to create and sync a smbpassword to the existing
LDAP/POSIX structure. I am half way there by adding the new
sambaSam.schema to the LDAP system. I can now create a user with the
standard smbpasswd program and authenticate them into a smb share.

I don't mind telling the users that they need to change their password
to gain access to the new smb services so a migration script is not
needed. From what I understand there is no way to take the MD5 unix
password and convert it to smb anyhow.

Well, you will probably want to change the accounts by adding the samba attributes first. (Sure, if you do that, you will have a non-working password.) Then make the clients change their passwords and sync.

Best Option, find a way to make Fedora DS run a script that updates the
users smb data including syncing the password when changes to the posix
structure happen.

I think I saw something like that as a patch to LDAP, but I don't remember even the name. I saw it and I didn't like it.

Second Option, find a way to make pam.d execute both the passwd and
smbpasswd processes for password changes. This is second choice as some
of the Fedora DS tools would not be useful.

Here we have a contradiction: smbpasswd uses samba to do its job, it doesn't do it directly. If you have that option (ask samba to do it), read below. You can make pam execute pam_winbind.so after pam_ldap.so and it will try to find a remote Winbind daemon and ask it to change the samba password (and this Winbind will be using the LDAP password database). Maybe you don't like it, but it's the only solution that I know that works using pam (the client can then use "passwd" and pam will sync both passwords). And NO, pam_smbpass.so, which everyone tries to use, doesn't do that; you really need winbind.

I do not need to sync the other way around (smb->(md5)posix).

OK. Let's say that the other way around is the configuration made inside samba, so samba will sync the unix password inside LDAP on its own. Then it will be used by the samba tools: pdbedit, net, smbpasswd, etc.

 I will not
authenticate WinX workstations with this system. Only smb disk share
authentication via smbd. So in a sense, the PDC is only used by the
several samba instances to authenticate disk shares.

The last option is to make a custom script of your own. The smbldap-passwd script from smbldap-tools is written in Perl and does almost that, accessing LDAP directly. I don't know if it will be the best option, as to bind to the base you need a password. So to change your password you need your password first, which is annoying.

Web applications are an option too, but I never liked doing it that way.

(...)


Regards.

Edmundo Valle Neto
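One way to wire up the PAM-plus-winbind route described in the reply above, as an added example that is not from the original thread (the workgroup, LDAP host, DNs and file paths are placeholders): the password stack runs pam_winbind.so after pam_ldap.so so a single `passwd` updates both the POSIX and the Samba password, and the matching smb.conf points winbindd's passdb at the same LDAP tree.

```conf
# /etc/pam.d/system-auth, password stack only (constructed example)
# The user types the new password once; use_authtok passes it down the stack.
password  requisite  pam_cracklib.so retry=3
# pam_ldap.so writes userPassword in LDAP (the POSIX password that netatalk
# checks through PAM). It must be "required", not "sufficient": a sufficient
# module that succeeds ends the stack and pam_winbind.so would never run.
password  required   pam_ldap.so use_authtok
# pam_winbind.so asks the local winbindd to change the Samba password hashes;
# winbindd stores them through the passdb backend configured below.
password  required   pam_winbind.so use_authtok

# /etc/samba/smb.conf, relevant lines only (constructed example)
[global]
    workgroup = EXAMPLE
    security = user
    # placeholders: replace with the LDAP server and base DN actually in use
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap admin dn = cn=Manager,dc=example,dc=com
    # samba -> POSIX sync is the direction the thread says is not needed,
    # so samba is told not to rewrite userPassword itself; "yes" here would
    # make samba update the POSIX password whenever the samba one changes.
    ldap passwd sync = no
    unix password sync = no
```

winbindd must be running on the host where users run `passwd`, and the `ldap admin dn` bind password is stored separately with `smbpasswd -w`.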