Re: [Samba] "passwd program" in samba4

2013-05-21 Thread Tomasz D.
Hello Marc,

On 5/17/13 4:50 PM, Marc Muehlfeld wrote:
> Hello Tomasz,
>
> On 17.05.2013 15:30, Tomasz D. wrote:
>> We encounter the same problem. For over 10 years we've been using Samba
>> (2, then 3) with OpenLDAP (and then 389 DS) backend. We have a perfectly
>> working LDAP environment with replication, well tuned, with many
>> additional attributes and with a lot of non-samba related services
>> (email, mailing list, address book, user specific data). For all that
>> time we had the comfortable situation that the users had to remember
>> just one password.
>>
>> And now, if I understand the situation correctly, there is no way to keep
>> the password synchronized between Samba4 and external LDAP. I don't need
>> to authenticate samba against external LDAP, but I want to somehow
>> trigger password change in LDAP in case of changing it in Windows, and
>> vice-versa.
>>
>> And I really think that migration of our well known and fully functional
>> LDAP system, which is the core of our environment, is not the best and
>> proper way.
>
>
> I don't know your environment, so maybe the following doesn't fit for your
> situation.
>
> Before I moved our production to Samba4 last autumn, we had about 25
> services (postfix, cyrus, apache, addressbooks, etc.) hooked up to our
> openLDAP backend for authentication and as source for information. But for
> all I found great ways to have everything in Samba's AD (LDAP). And the
> good thing is: I can now administrate everything in ADUC with just one
> tool.
>
> For the additional attributes (phone, mail, whatever) I wrote a small
> script that transfers them to AD.
>
> And for your DMZ (mailserver, etc.) you don't need to have a replicated
> Samba-DC with all its services. I use an openLDAP proxy for that.
>
> Most of my experiences and how to set them up, I wrote down here:
> http://wiki.samba.org/index.php/Samba4/beyond
>
> If you post some information about your environment, maybe there are good
> other ways to bring all your services up to Samba 4.

In my environment (~5000 accounts, over 500 client devices) only a relatively
small part (let's say, 20%) relies on Samba. But all authentication issues
rely on LDAP. As I wrote before, we have a perfectly working, tuned and well
known dedicated LDAP server, which can even be switched to a commercially
supported solution (Red Hat Directory Server). It has been developed for
years, is scalable, stable as a rock, etc. I have tons of scripts that do
various LDAP tasks, I have commercial tools for managing it. Now, migrating
a business-critical service to a new product (Samba Internal LDAP), which was
created, so to say, as a side effect (correct me if I'm wrong) and which is
still under development (e.g.: user-defined schemas are still experimental,
as the Samba FAQ says) doesn't sound to me like a good idea.

I'm sure that Samba AD works perfectly for all operations related to SMB/AD
and I'm not against that. I've read why the developers chose that way and I
totally agree with that. I don't want to push all the Windows attributes into
the external LDAP. But I'd also like to leave the rest of the
authentication/authorisation issues (not related to Windows Auth) to the
external LDAP. In such a scenario, the possibility to synchronise passwords
is very important. Otherwise we are going backwards.

-- 
best regards,
Tomasz



--
View this message in context: 
http://samba.2283325.n4.nabble.com/passwd-program-in-samba4-tp4647906p4648535.html
Sent from the Samba - General mailing list archive at Nabble.com.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] "passwd program" in samba4

2013-05-17 Thread Marc Muehlfeld

Hello Tomasz,

On 17.05.2013 15:30, Tomasz D. wrote:
> We encounter the same problem. For over 10 years we've been using Samba (2,
> then 3) with OpenLDAP (and then 389 DS) backend. We have a perfectly working
> LDAP environment with replication, well tuned, with many additional
> attributes and with a lot of non-samba related services (email, mailing
> list, address book, user specific data). For all that time we had the
> comfortable situation that the users had to remember just one password.
>
> And now, if I understand the situation correctly, there is no way to keep
> the password synchronized between Samba4 and external LDAP. I don't need to
> authenticate samba against external LDAP, but I want to somehow trigger
> password change in LDAP in case of changing it in Windows, and vice-versa.
>
> And I really think that migration of our well known and fully functional
> LDAP system, which is the core of our environment, is not the best and
> proper way.



I don't know your environment, so maybe the following doesn't fit for 
your situation.


Before I moved our production to Samba4 last autumn, we had about 25
services (postfix, cyrus, apache, addressbooks, etc.) hooked up to our
openLDAP backend for authentication and as source for information. But
for all I found great ways to have everything in Samba's AD (LDAP). And
the good thing is: I can now administrate everything in ADUC with just
one tool.

For the additional attributes (phone, mail, whatever) I wrote a small
script that transfers them to AD.

And for your DMZ (mailserver, etc.) you don't need to have a replicated
Samba-DC with all its services. I use an openLDAP proxy for that.


Most of my experiences and how to set them up, I wrote down here:
http://wiki.samba.org/index.php/Samba4/beyond

If you post some information about your environment, maybe there are 
good other ways to bring all your services up to Samba 4.


Regards,
Marc



Re: [Samba] "passwd program" in samba4

2013-05-17 Thread Tomasz D.
Dear Andrew,

We encounter the same problem. For over 10 years we've been using Samba (2,
then 3) with OpenLDAP (and then 389 DS) backend. We have a perfectly working
LDAP environment with replication, well tuned, with many additional
attributes and with a lot of non-samba related services (email, mailing
list, address book, user specific data). For all that time we had the
comfortable situation that the users had to remember just one password.

And now, if I understand the situation correctly, there is no way to keep
the password synchronized between Samba4 and external LDAP. I don't need to
authenticate samba against external LDAP, but I want to somehow trigger
password change in LDAP in case of changing it in Windows, and vice-versa.

And I really think that migration of our well known and fully functional
LDAP system, which is the core of our environment, is not the best and
proper way.

Did we reach a dead end?

-- 
kind regards
Tomasz





Re: [Samba] "passwd program" in samba4

2013-05-10 Thread Andrew Bartlett
On Fri, 2013-05-10 at 21:22 +0200, Dr. Michael Cinti wrote:
> Is there anyone who can explain to me how to use "passwd program" in samba4?

The Samba 4.0 AD DC does not use this parameter currently.

You can use tools like pam_winbind to have PAM-based programs
authenticate against Samba however, or ask them to authenticate against
LDAP.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] "passwd program" in samba4

2013-05-10 Thread Dr. Michael Cinti

Is there anyone who can explain to me how to use "passwd program" in samba4?
--
*Dr. Michael Cinti*

*mi.ci...@ausl.fe.it *
U.O. Tecnologia della Comunicazione e della Informazione (I.C.T.)
Azienda Usl Ferrara
Ospedale del Delta - via Valle Oppio, 2 - 44023 Lagosanto (FE)
Tel. +39-0533-723221
Tel. +39-0533-723163
