[Samba] changing ldap passwords?
Hi...

This is with reference to the thread posted at the given link: http://lists.samba.org/archive/samba/2005-January/099108.html

The message is posted by one Mr.Javier.Leon-Gutierrez. Searching UPC directory, I found yours to be the most matching. If you are indeed the poster of this solution to changing LDAP passwords, please reply to my mail as I am stuck somewhere midway... else, discard my post.

Thanks in anticipation

Regards

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing ldap passwords?
Tim Tyler wrote:

> Samba experts,
> I am using Samba 3.0.8 on an AIX 5.1 system with ldap authentication. I have ldap working so that users can authenticate in their samba account via ldap. However, I am trying to figure out the best method for allowing users to change their ldap samba account password.
> What is the best method to allow end users to change their LM/NT passwords for Samba via LDAP? Should I be using smbpasswd? Or should I be using the smbldap-tools and use smbldap-passwd.pl? Or is there another option?

Hi,

I wanted the same a month ago and googling a little I found a little web based php application which changed the "user password" attribute of an ldap server (phpLdapPasswd). And I thought, what a fuck, I use the NT/LM passwords for samba... But looking into the code I saw that it's not difficult to access/modify ldap attributes with php, so I decided to make a patch for support nt/lm changing passwords.

You can get the app in its version 0.5 in: http://www.xenos.net/software/phpLdapPasswd/

You may have the mkntpwd (search it, I don't remember where I got it) program in order to achieve the LM:NT hashes.

Apply the patch attached. (save the patch in the phpLdapPasswd directory and patch -p1 < passwdSambaSupport.patch)

> Also, what do I need to set for privileges (ACL's) on the ldap server side to allow users to change their samba password (if any)?

In my /etc/ldap/slapd.conf the part related to LM and NT passwords looks like:

access to attribute=sambaNTPassword
        by dn="cn=admin,dc=company,dc=cat"
        by anonymous auth
        by self write
        by * none

access to attribute=sambaLMPassword
        by dn="cn=admin,dc=company,dc=cat"
        by anonymous=auth
        by self write
        by * none

I have to notice that when I put the sambaNTPassword and sambaLMPassword in the same ACL (as you) it didn't work for me... putting them separately works. I suppose I made a typing mistake that I couldn't see.

> Any recommendations and hints about implementing it are much appreciated! thanks!
Tim Tell me if you have any problems, nowadays it's working for me ok. Xavi diff -Naur phpLdapPasswd-0.5/config.php phpLdapPasswd-withSambaSupport-0.5/config.php --- phpLdapPasswd-0.5/config.php2004-08-26 17:48:22.0 +0200 +++ phpLdapPasswd-withSambaSupport-0.5/config.php 2005-01-21 11:27:03.0 +0100 @@ -64,6 +64,22 @@ // default Debian Woody system!) $ENCODING = MD5; +// If you have SambaAccounts in your Ldap database you may want to have both unix +// and samba passwords syncronized. Set this to 1 if you want to do so. Otherwise, +// set it to 0.. +$SAMBASYNCRO = 0; + +// If you set SAMBASYNCRO to 1, you must have the mkntpwd aplication, which makes +// the necessary NTHashes to perform windows authentication. So here, put the +// full mkntpwd file path (with the name of the file too). +$MKNTPWD = "/usr/local/sbin/mkntpwd"; + +// This two attributes is for making it more extensive. Depending on the samba schema, +// this two attributes are named different, so you may put them here. If you don't know +// what they are search in your samba.schema file. +$SAMBANTATTR = "sambaNTPassword"; +$SAMBALMATTR = "sambaLMPassword"; + // This should be set to the attribute for which to search when a login ID // is entered. This attribute should have a unique value in the $LDAPBASEDN // given. diff -Naur phpLdapPasswd-0.5/functions.php phpLdapPasswd-withSambaSupport-0.5/functions.php --- phpLdapPasswd-0.5/functions.php 2004-08-26 17:50:46.0 +0200 +++ phpLdapPasswd-withSambaSupport-0.5/functions.php2005-01-21 11:42:09.0 +0100 
@@ -497,4 +497,37 @@ return $ds; } + +// ** +// Function: +// +// Purpose: Update the Samba NT and LM Passwords +// +// Usage: createSambaPasswords($password) +// +// - $password: The password in plain text to encode +// +// Returns: an array of two positions -> sambaLMPassword and SambaNTPassword +// ** +function createSambaPasswords($password) { +global $MKNTPWD; +global $SAMBANTATTR; +global $SAMBALMATTR; +$sambaPass = array("sambaLMPassword" => NULL, + "sambaNTPassword" => NULL); + +if (!(@file_exists($MKNTPWD) && is_executable($MKNTPWD))) { +fatal_error("You don't have the mkntpwd program in the correct path (look in config.php) + or it is not executable"); +} +$sambaPassCommand = $MKNTPWD . " " . $password; +if($sambaPassCommandOutput = shell_exec($sambaPassCommand)) { +$sambaPass[$SAMBALMATTR] = trim(substr($sambaPassCommandOutput, 0, strPos($sambaPassCommandOutput, ':'))); +$sambaPass[$SAMBANTATTR] = trim(substr($sambaPassCommandOutput, strPos($sambaPassCommandOutput, ':') +1)); +} +else { +fatal
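Review bot: the comments added to config.php carry several typos and one sentence that is hard to follow: "syncronized", "aplication", the doubled period in "set it to 0..", and "This two attributes is for making it more extensive". Suggest "synchronized", "application", and something like "These two attributes let you match your Samba schema, where the attribute names can differ". The $MKNTPWD comment should also say what output the program is expected to produce, since functions.php splits it on the first ':' into the LM and NT values.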
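Review bot: in createSambaPasswords(), `$sambaPassCommand = $MKNTPWD . " " . $password;` hands the user-supplied password to shell_exec() unquoted, so a password containing spaces or shell metacharacters is split or interpreted by the shell instead of being hashed. Build the command with escapeshellarg($password) (and escapeshellarg($MKNTPWD) for the path); note that passing the password as an argument also leaves the plaintext visible in the process list while mkntpwd runs. Separately, $sambaPass is initialised with the literal keys "sambaLMPassword" and "sambaNTPassword" but filled through $SAMBALMATTR and $SAMBANTATTR, so with non-default attribute names the returned array keeps two extra NULL entries; initialise it from the configured names. The "Function:" line of the header comment is empty and should name createSambaPasswords.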
Re: [Samba] changing ldap passwords?
On Mon, 2005-01-24 at 16:57 -0600, Tim Tyler wrote:
> Ok, but I seem to get this error when using smbpasswd
> # smbpasswd goliath
> New SMB password:
> Retype new SMB password:
> ldapsam_modify_entry: Failed to modify user dn=
> uid=goliath,ou=People,dc=lincon,dc=beloit,dc=edu with: Insufficient access
>
> ldapsam_update_sam_account: failed to modify user with uid = goliath,
> error: (Success)
> Failed to modify entry for user goliath.
> Failed to modify password entry for user goliath
>
> I am not sure what I am doing wrong in my setups. Does this acl in
> ldap's slapd.conf look ok?
> access to attr=sambaLMPassword,sambaNTPassword
>         by
> dn.exact="uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu" read
>         by * none

access to dn=".*,ou=People,o=MyDomainn,c=US" attr=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=root,o=MyDomainn,c=US" write
        by dn="cn=admin,o=MyDomainn,c=US" write
        by self write
        by * auth

(my first ACL in slapd.conf) should solve a few problems of yours...

>
> What about this as the account for samba password administration (ldif
> format)?
> # samba_servers, People, lincon.beloit.edu
> dn: uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu
> objectClass: person
> objectClass: uidObject
> uid: samba_servers
> description: Account used by Samba servers to access user passwords
> cn: samba_servers
> sn: samba_servers
>
> Any idea why I might be getting the error above?
> Tim

is this your setting in smb.conf?

ldap admin dn = uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu

if so, did you do 'smbpasswd -w' to set the password for access to ldap by the above ldap admin dn?

if so, I don't see any password attributes for that dn that you had in your question...

userPassword:
sambaNTPassword:
sambaLMPassword: (not sure that this one is gonna matter)

but how is this user gonna authenticate if he doesn't have a password and if it isn't set to be the ldap admin dn in smb.conf and if the password isn't set via smbpasswd -w command?
Craig
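Added example, not part of the thread and not OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation, run over the ACL quoted in the message above and over the "write / self write / * auth" shape suggested in the reply, to show why a `read` grant produces "Insufficient access" on a modify. Assumptions: uid=samba_servers is the DN Samba binds with, DNs are compared case-insensitively, and only the `*`, `anonymous`, `self` and `dn.exact=` forms of `<who>` are modelled.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Rules modelled: the first "access to" clause naming the attribute applies;
# inside it the first matching "by <who>" decides; otherwise access is none.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SAMBA_DN = "uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu"
USER_DN = "uid=goliath,ou=People,dc=lincon,dc=beloit,dc=edu"

# ACL quoted in the thread: the Samba bind DN is granted read only.
ACL_POSTED = [
    ({"sambaLMPassword", "sambaNTPassword"},
     [("dn.exact=" + SAMBA_DN, "read"), ("*", "none")]),
]

# Assumption: the reply's "write / self write / * auth" shape, rewritten for
# the same tree with the Samba bind DN as the writer.
ACL_SUGGESTED = [
    ({"userPassword", "sambaNTPassword", "sambaLMPassword"},
     [("dn.exact=" + SAMBA_DN, "write"), ("self", "write"), ("*", "auth")]),
]


def who_matches(who, bind_dn, target_dn):
    """Match one <who> field; bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if bind_dn is None:
        return who == "anonymous"
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].lower()
    return False


def granted(acl, bind_dn, target_dn, attr):
    """Return the access level the ACL gives bind_dn on attr of target_dn."""
    for attrs, by_list in acl:
        if attr in attrs:
            for who, level in by_list:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"   # implicit "by * none" closing the clause
    return "none"           # implicit "access to * by * none"


def allowed(acl, bind_dn, target_dn, attr, wanted):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(acl, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)
```

Under the posted ACL the Samba bind DN can read the hashes but `allowed(..., "write")` is false, and the user's own bind gets `none`; under the suggested shape both can write while every other bind, including anonymous, is limited to `auth`.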
Re: [Samba] changing ldap passwords?
Ok, but I seem to get this error when using smbpasswd

# smbpasswd goliath
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to modify user dn= uid=goliath,ou=People,dc=lincon,dc=beloit,dc=edu with: Insufficient access
ldapsam_update_sam_account: failed to modify user with uid = goliath, error: (Success)
Failed to modify entry for user goliath.
Failed to modify password entry for user goliath

I am not sure what I am doing wrong in my setups. Does this acl in ldap's slapd.conf look ok?

access to attr=sambaLMPassword,sambaNTPassword
        by dn.exact="uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu" read
        by * none

What about this as the account for samba password administration (ldif format)?

# samba_servers, People, lincon.beloit.edu
dn: uid=samba_servers,ou=People,dc=lincon,dc=beloit,dc=edu
objectClass: person
objectClass: uidObject
uid: samba_servers
description: Account used by Samba servers to access user passwords
cn: samba_servers
sn: samba_servers

Any idea why I might be getting the error above?
Tim

At 04:05 PM 1/24/2005, you wrote:
> Tim,
> smbpassword should work fine for modifying the LM/NT passwords. Also, if you're using Fedora or Redhat Enterprise server you might wish to check out a program we have written: www.Essay-Software.com
>
> Sincerely,
> Scott Alcock
> Essay Software, LLC
> www.Essay-Software.com
> Rockford, Illinois
>
> Tim Tyler wrote:
> > Samba experts,
> > I am using Samba 3.0.8 on an AIX 5.1 system with ldap authentication. I have ldap working so that users can authenticate in their samba account via ldap. However, I am trying to figure out the best method for allowing users to change their ldap samba account password.
> > What is the best method to allow end users to change their LM/NT passwords for Samba via LDAP? Should I be using smbpasswd? Or should I be using the smbldap-tools and use smbldap-passwd.pl? Or is there another option?
> > Also, what do I need to set for privileges (ACL's) on the ldap server side to allow users to change their samba password (if any)?
> > Any recommendations and hints about implementing it are much appreciated!
> > thanks!
> > Tim
> >
> > Tim Tyler
> > Network Engineer - Beloit College
> > [EMAIL PROTECTED]

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]
[Samba] changing ldap passwords?
Samba experts,

I am using Samba 3.0.8 on an AIX 5.1 system with ldap authentication. I have ldap working so that users can authenticate in their samba account via ldap. However, I am trying to figure out the best method for allowing users to change their ldap samba account password.

What is the best method to allow end users to change their LM/NT passwords for Samba via LDAP? Should I be using smbpasswd? Or should I be using the smbldap-tools and use smbldap-passwd.pl? Or is there another option?

Also, what do I need to set for privileges (ACL's) on the ldap server side to allow users to change their samba password (if any)?

Any recommendations and hints about implementing it are much appreciated!

thanks!
Tim

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]