Re: [Samba] Samba, OpenLDAP and Passwords
From: Francesco Storti francesco.sto...@gmail.com
Date: Thu, 13 Oct 2011 12:46:13 +0200

(snip)
> If I want to let a user change his LDAP userPassword and keep it
> aligned with the SambaNTPassword, I have seen that I can do it by using
> the smbk5pwd overlay and pam_password exop. But I do not know a method
> for using the existing LDAP userPassword for Samba authentication: I do
> not want all the users to have to redefine their passwords. Does any of
> you know a way to do that?

It's impossible, just as Samba cannot use password information via /etc/passwd, because the password encryption methods used by Windows and Unix are completely different.

One exception is that Samba still uses /etc/passwd with encrypt passwords = no, which means using plain text passwords between Windows and Samba.

---
TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] Samba, OpenLDAP and Passwords
Hi,

I have an existing OpenLDAP directory that I want to use as the backend for a Samba 3 instance. For now I do not want to make Samba a Domain Controller, but only to define in it some shares accessible by users on LDAP.

I have imported the Samba schema into my slapd.conf, and I have inserted into my smb.conf all the directives for connecting to an LDAP server:

    passdb backend = ldapsam:ldaps://slap1..xx
    ldap suffix = dc=,dc=xx
    ldap admin dn = cn=admin,dc=,dc=xx
    ldap delete dn = No
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap password sync = yes

I have defined the admin password with the smbpasswd utility, and everything is working.

If I want an LDAP user to use Samba, I have to use the smbpasswd utility again to add him to the Samba users and define a new password, which will be the LDAP attribute SambaNTPassword (and the new password overwrites the LDAP userPassword, thanks to the ldap password sync = yes directive in smb.conf).

If I want to let a user change his LDAP userPassword and keep it aligned with the SambaNTPassword, I have seen that I can do it by using the smbk5pwd overlay and pam_password exop. But I do not know a method for using the existing LDAP userPassword for Samba authentication: I do not want all the users to have to redefine their passwords. Does any of you know a way to do that?

Thank you in advance
Re: [Samba] Samba, OpenLDAP and Passwords
What does your getent passwd show?
What does your getent group show?
Can your LDAP user log in to your Linux/Unix box?
Is your Linux box auth set to your LDAP server?

Do you have something like this in your slapd.conf?

    access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by dn=cn=youradmin,dc=xxx,dc=xxx write
        by * none

    access to attrs=sambaLMPassword
        by self write
        by anonymous auth
        by dn=cn=youradmin,dc=xxx,dc= write
        by * none

    access to attrs=sambaNTPassword
        by self write
        by anonymous auth
        by dn=cn=youradmin,dc=xxx,dc= write
        by * none

    access to attrs=sambaPwdLastSet,sambaPwdMustChange
        by self write
        by anonymous auth
        by dn=cn=youradmin,dc=xxx,dc= write
        by * none

    access to *
        by dn=cn=youradmin,dc=xxx,dc= write
        by users read
        by self write
        by * read

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
Re: [Samba] Samba, OpenLDAP and Passwords
The getent passwd and getent group commands return, respectively, the users and groups of my LDAP directory.

LDAP users can log in to all the Linux boxes that have been configured to use LDAP as backend (as specified via PAM and NSS).

The ACLs that you specified are not present in my slapd.conf, because I am working on a test environment, and the admin specified in the smb.conf is the rootdn of the LDAP directory (who can do anything on everything).

Thank you again