Re: [Samba] RE: Sync passwords unix/smb with FDS backend?

2008-01-10 Thread simo

On Wed, 2008-01-09 at 21:31 -0500, Adam Tauno Williams wrote:
  Sorry about the acro, I am working with Fedora Directory Server (ldap).
  Currently user passwords stored in FDS can be changed from netatalk
  (apple protocol), FDS web interface, or unix/passwd via the PAM
  interface. To hit all three of these areas I would think that the
  password sync would need to somehow be down in FDS.
  Looking forward I would like to find an ldap solution. Anything else
  will cause additional steps when I add new users to the network.
  I will read through pdbedit but unless I can trigger it through ldap I
  don't know what good it will do.
 
 See if FDS has an overlay/plugin/yadayada like OpenLDAP's smbk5pwd (sp?)
 that lets the client perform a change-password exop and have all the
 passwords managed by the server (DSA).  Samba supports this mode, don't
 know about netatalk.

I have written a slapi plugin specific to the FreeIPA project, but you
can easily extract what you need probably, see the ipa-pwd-extop plugin
here:
http://hg.fedorahosted.org/hg/freeipa/file/ef7de25000ff/ipa-server/ipa-slapi-plugins/

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Scott Lovenberg

Ryan Novosielski wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Denis Cardon wrote:

Hi Jim,

Using simple authentication I have been able to tie FDS to Samba 3.x.24.
Knowing that the unix passwd and smb passwd are different, dare I ask
how difficult it would be to have them sync? Most of my users are using
netatalk w/ posix user info and MD5 password. I would like to swing this
over to samba without the worries of two passwords per user. I have seen
blips on this but not directly related to FDS
  

if you store both your samba and your unix password in the ldap, you can
get them in sync by updating both of them when a user changes their
password. You'll need to update the smb.conf file to take that into account
for the windows part, and update your other password changing apps accordingly.

If what you want is in fact getting a NTLM hash from the existing md5
hash, I'm afraid it won't be possible. Users will have to change their
password once to update both ntlm and md5 password hash.


Not entirely true, or at least it wasn't last time I tried this. For me,
I used a method that included a PAM module that, on successful auth
(actually, for HP-UX, any auth, which was unfortunate, since they have
no 'requisite' directive in PAM), populated the smbpasswd file.

I don't know what FDS is, but it seems to me you could go this route and
then convert the smbpasswd file to whatever you wanted via pdbedit.

=R

- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhStZmb+gadEcsb4RAoxpAJ4ueyjIEKhv+mBdSN+qjVuN4niWfQCgi1NS
4K1ZQsfiaFFzoXdqAcFV0xg=
=l57P
-END PGP SIGNATURE-



Scratch my last message about FDS; I was thinking of Apache Directory 
Server.  FDS is pretty mature.  Sorry about that.




[Samba] RE: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Deas, Jim
Sorry about the acro, I am working with Fedora Directory Server (ldap).
Currently user passwords stored in FDS can be changed from netatalk
(apple protocol), FDS web interface, or unix/passwd via the PAM
interface. To hit all three of these areas I would think that the
password sync would need to somehow be down in FDS.
Looking forward I would like to find an ldap solution. Anything else
will cause additional steps when I add new users to the network.
I will read through pdbedit but unless I can trigger it through ldap I
don't know what good it will do.

JD



-Original Message-
From: Scott Lovenberg [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 12:43 PM
To: Ryan Novosielski
Cc: Denis Cardon; samba@lists.samba.org; Deas, Jim
Subject: Re: Sync passwords unix/smb with FDS backend?

Ryan Novosielski wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Denis Cardon wrote:
 Hi Jim,
 Using simple authentication I have been able to tie FDS to Samba 3.x.24.
 Knowing that the unix passwd and smb passwd are different, dare I ask
 how difficult it would be to have them sync? Most of my users are using
 netatalk w/ posix user info and MD5 password. I would like to swing this
 over to samba without the worries of two passwords per user. I have seen
 blips on this but not directly related to FDS
 
 if you store both your samba and your unix password in the ldap, you can
 get them in sync by updating both of them when a user changes their
 password. You'll need to update the smb.conf file to take that into account
 for the windows part, and update your other password changing apps accordingly.
 
 If what you want is in fact getting a NTLM hash from the existing md5
 hash, I'm afraid it won't be possible. Users will have to change their
 password once to update both ntlm and md5 password hash.
 
 Not entirely true, or at least it wasn't last time I tried this. For me,
 I used a method that included a PAM module that, on successful auth
 (actually, for HP-UX, any auth, which was unfortunate, since they have
 no 'requisite' directive in PAM), populated the smbpasswd file.
 
 I don't know what FDS is, but it seems to me you could go this route and
 then convert the smbpasswd file to whatever you wanted via pdbedit.
 
 =R
 
 - --
   _  _ _  _ ___  _  _  _
  |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
  |$| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
  \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.6 (GNU/Linux)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iD8DBQFHhStZmb+gadEcsb4RAoxpAJ4ueyjIEKhv+mBdSN+qjVuN4niWfQCgi1NS
 4K1ZQsfiaFFzoXdqAcFV0xg=
 =l57P
 -END PGP SIGNATURE-
 

Scratch my last message about FDS; I was thinking of Apache Directory 
Server.  FDS is pretty mature.  Sorry about that.


[Samba] Re: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Ryan Novosielski
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The PAM module I mentioned is not for sync, really, but for initial
migration from /etc/passwd to an NT-hashed password store (in smbpasswd
format).

If you're trying to sync passwords (a person has accounts in both places
with working passwords on both sides already and just wants them both to
change at the same time), then there are other ways to handle this natively.

Deas, Jim wrote:
 Sorry about the acro, I am working with Fedora Directory Server (ldap).
 Currently user passwords stored in FDS can be changed from netatalk
 (apple protocol), FDS web interface, or unix/passwd via the PAM
 interface. To hit all three of these areas I would think that the
 password sync would need to somehow be down in FDS.
 Looking forward I would like to find an ldap solution. Anything else
 will cause additional steps when I add new users to the network.
 I will read through pdbedit but unless I can trigger it through ldap I
 don't know what good it will do.
 
 JD
 
 
 
 -Original Message-
 From: Scott Lovenberg [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 09, 2008 12:43 PM
 To: Ryan Novosielski
 Cc: Denis Cardon; samba@lists.samba.org; Deas, Jim
 Subject: Re: Sync passwords unix/smb with FDS backend?
 
 Ryan Novosielski wrote:
 Denis Cardon wrote:
 Hi Jim,
 Using simple authentication I have been able to tie FDS to Samba 3.x.24.
 Knowing that the unix passwd and smb passwd are different, dare I ask
 how difficult it would be to have them sync? Most of my users are using
 netatalk w/ posix user info and MD5 password. I would like to swing this
 over to samba without the worries of two passwords per user. I have seen
 blips on this but not directly related to FDS
 
 if you store both your samba and your unix password in the ldap, you can
 get them in sync by updating both of them when a user changes their
 password. You'll need to update the smb.conf file to take that into account
 for the windows part, and update your other password changing apps accordingly.
 If what you want is in fact getting a NTLM hash from the existing md5
 hash, I'm afraid it won't be possible. Users will have to change their
 password once to update both ntlm and md5 password hash.
 Not entirely true, or at least it wasn't last time I tried this. For me,
 I used a method that included a PAM module that, on successful auth
 (actually, for HP-UX, any auth, which was unfortunate, since they have
 no 'requisite' directive in PAM), populated the smbpasswd file.
 
 I don't know what FDS is, but it seems to me you could go this route and
 then convert the smbpasswd file to whatever you wanted via pdbedit.
 
 =R
 


 Scratch my last message about FDS; I was thinking of Apache Directory 
 Server.  FDS is pretty mature.  Sorry about that.


- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhTVgmb+gadEcsb4RAqMjAJ0WTEmNaf0Ch45Sxdds/zRYoYDZowCfaX/A
9Np+27j7yavYzSD2FeJWA00=
=FOhp
-END PGP SIGNATURE-

[Samba] RE: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Deas, Jim
Ryan,
 That is close. We have several hundred unix accounts used by our Mac
clients via pam/ldap authentication.
Here is the scenario. Consider 300 Macs tired of native file services
and willing to use smb. I can't move them all in one year much less one
weekend. Their account/password must be valid for both realms. Currently
no password or user data exist for the smb side. In small systems I
could run smbpasswd -a macuser for all users but that does not address
future password issues. It is also an additional step when adding users
to the system.
What would be slick is an ldap launched app that changed the smbpassword
whenever the unix one was changed. Same thing with a new unix user.


-Original Message-
From: Ryan Novosielski [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 12:58 PM
To: Deas, Jim
Cc: Scott Lovenberg; Denis Cardon; samba@lists.samba.org
Subject: Re: Sync passwords unix/smb with FDS backend?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The PAM module I mentioned is not for sync, really, but for initial
migration from /etc/passwd to an NT-hashed password store (in smbpasswd
format).

If you're trying to sync passwords (a person has accounts in both places
with working passwords on both sides already and just wants them both to
change at the same time), then there are other ways to handle this
natively.

Deas, Jim wrote:
 Sorry about the acro, I am working with Fedora Directory Server (ldap).
 Currently user passwords stored in FDS can be changed from netatalk
 (apple protocol), FDS web interface, or unix/passwd via the PAM
 interface. To hit all three of these areas I would think that the
 password sync would need to somehow be down in FDS.
 Looking forward I would like to find an ldap solution. Anything else
 will cause additional steps when I add new users to the network.
 I will read through pdbedit but unless I can trigger it through ldap I
 don't know what good it will do.
 
 JD
 
 
 
 -Original Message-
 From: Scott Lovenberg [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 09, 2008 12:43 PM
 To: Ryan Novosielski
 Cc: Denis Cardon; samba@lists.samba.org; Deas, Jim
 Subject: Re: Sync passwords unix/smb with FDS backend?
 
 Ryan Novosielski wrote:
 Denis Cardon wrote:
 Hi Jim,
 Using simple authentication I have been able to tie FDS to Samba 3.x.24.
 Knowing that the unix passwd and smb passwd are different, dare I ask
 how difficult it would be to have them sync? Most of my users are using
 netatalk w/ posix user info and MD5 password. I would like to swing this
 over to samba without the worries of two passwords per user. I have seen
 blips on this but not directly related to FDS
 
 if you store both your samba and your unix password in the ldap, you can
 get them in sync by updating both of them when a user changes their
 password. You'll need to update the smb.conf file to take that into account
 for the windows part, and update your other password changing apps accordingly.
 If what you want is in fact getting a NTLM hash from the existing md5
 hash, I'm afraid it won't be possible. Users will have to change their
 password once to update both ntlm and md5 password hash.
 Not entirely true, or at least it wasn't last time I tried this. For me,
 I used a method that included a PAM module that, on successful auth
 (actually, for HP-UX, any auth, which was unfortunate, since they have
 no 'requisite' directive in PAM), populated the smbpasswd file.
 
 I don't know what FDS is, but it seems to me you could go this route and
 then convert the smbpasswd file to whatever you wanted via pdbedit.
 
 =R
 


 Scratch my last message about FDS; I was thinking of Apache Directory 
 Server.  FDS is pretty mature.  Sorry about that.


- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhTVgmb+gadEcsb4RAqMjAJ0WTEmNaf0Ch45Sxdds/zRYoYDZowCfaX/A
9Np+27j7yavYzSD2FeJWA00=
=FOhp
-END PGP SIGNATURE-


Re: [Samba] RE: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Andrew Bartlett

On Wed, 2008-01-09 at 13:56 -0800, Deas, Jim wrote:
 Ryan,
  That is close. We have several hundred unix accounts used by our Mac
 clients via pam/ldap authentication.
 Here is the scenario. Consider 300 Macs tired of native file services
 and willing to use smb. I can't move them all in one year much less one
 weekend. Their account/password must be valid for both realms. Currently
 no password or user data exist for the smb side. In small systems I
 could run smbpasswd -a macuser for all users but that does not address
 future password issues. It is also an additional step when adding users
 to the system.
 What would be slick is an ldap launched app that changed the smbpassword
 whenever the unix one was changed. Same thing with a new unix user.

I understand such a plugin for Fedora DS does exist, because Simo was
building it for FreeIPA.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



Re: [Samba] RE: Sync passwords unix/smb with FDS backend?

2008-01-09 Thread Adam Tauno Williams
 Sorry about the acro, I am working with Fedora Directory Server (ldap).
 Currently user passwords stored in FDS can be changed from netatalk
 (apple protocol), FDS web interface, or unix/passwd via the PAM
 interface. To hit all three of these areas I would think that the
 password sync would need to somehow be down in FDS.
 Looking forward I would like to find an ldap solution. Anything else
 will cause additional steps when I add new users to the network.
 I will read through pdbedit but unless I can trigger it through ldap I
 don't know what good it will do.

See if FDS has an overlay/plugin/yadayada like OpenLDAP's smbk5pwd (sp?)
that lets the client perform a change-password exop and have all the
passwords managed by the server (DSA).  Samba supports this mode, don't
know about netatalk.

-- 
Adam Tauno Williams, Network  Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
