Samba/LDAP password synchronization
From: David Jansen (jansen_at_strw.leidenuniv.nl)
Date: Wed, 8 Sep 2004 15:39:58 +0200
To: firstname.lastname@example.org
We have a setup here with a LDAP server (FC1) which also runs samba.
Usernames, passwords (and more) are stored in LDAP, and with samba, this
machine can also act as PDC for the windows machines in the network.
A problem with such a setup is keeping passwords synchronized between
unix and windows. We had a working setup to change passwords through
samba, so that changing a password from windows, or from Linux with smbpasswd,
changed the unix password, LM-hash and NT-hash in the LDAP database.
Samba with LDAP as password backend seems to change only the windows
password hashes, so for changing the unix password, we had a script
which was called through the 'passwd program' and 'passwd chat' option
in smb.conf. A bit of a hack, but it worked.
... until this setup was moved to a new machine on which FC2 was
installed. Now the passwd program script is never called any more, so
unix passwords are no longer being changed.
To find out what went wrong, we upgraded the FC1 machine to the latest
samba version (3.0.6-2.FC1) and now it exhibits the same behaviour: no
password script or program is executed when a user changes his password.
Does anyone know if something related to this behaviour was changed in
the latest samba release? The release notes mention nothing that looks
Or: does anyone know of another good way to make it possible to change
all passwords of a user at once so a user will always have only one
Relevant parts of the smb.conf file:

[global]
        workgroup = STRW
        server string = noordzee
        netbios name = noordzee
        passdb backend = ldapsam:ldap://noordzee.our.domain
        ldap admin dn = "uid=admin,ou=administrative,dc=our,dc=domain"
        ldap ssl = no
        ldap suffix = dc=our,dc=domain
        hosts allow = xxx.yyy.zzz.aaa
        security = user
        encrypt passwords = yes
        smb passwd file = /etc/samba/smbpasswd
        unix password sync = yes
        passwd program = /etc/samba/script %u
        passwd chat debug = yes
        passwd chat = "*New*UNIX*password*" %n\n "*UNIX*password*" %n\n
        local master = yes
        os level = 50
        domain master = yes
        preferred master = yes
        domain logons = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
--
fedora-list mailing list
email@example.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
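For readers setting up the same kind of hack, here is an example of what the `/etc/samba/script` behind `passwd program` can look like. It is added example code, not the script from the post above and not part of Samba. It speaks the two-prompt dialog that the posted `passwd chat` expects (a prompt matching `*New*UNIX*password*`, then one matching `*UNIX*password*`), refuses mismatched answers, and replaces `userPassword` on the user's LDAP entry with an `{SSHA}` hash via OpenLDAP's `ldapmodify`. The LDAP URI, admin DN and suffix are taken from the posted smb.conf; the `ou=People` container, the admin password file `/etc/samba/ldap-admin.secret` and the ldapmodify invocation are assumptions.

```python
#!/usr/bin/env python3
# Hypothetical 'passwd program' for Samba's unix password sync (example code,
# not from the original post). Samba runs it as root as `/etc/samba/script %u`
# and drives it with the posted `passwd chat`: it waits for a prompt matching
# *New*UNIX*password*, sends %n plus newline, waits for *UNIX*password*, and
# sends %n again. We then replace userPassword in LDAP with an {SSHA} hash.
# Assumptions: entries live under ou=People, the admin bind password sits in a
# root-only file, and OpenLDAP's ldapmodify is installed.
import base64
import hashlib
import io
import os
import subprocess
import sys

LDAP_URI = "ldap://noordzee.our.domain"                      # from the smb.conf above
ADMIN_DN = "uid=admin,ou=administrative,dc=our,dc=domain"    # from the smb.conf above
BASE_DN = "dc=our,dc=domain"                                 # from the smb.conf above
PEOPLE_OU = "ou=People"                                      # assumption
ADMIN_PW_FILE = "/etc/samba/ldap-admin.secret"               # assumption, mode 0600


def ssha_hash(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Re-hash with the salt recovered from a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def safe_username(name):
    """Conservative check: reject names that could add RDN components or break the LDIF."""
    return bool(name) and not any(c in name for c in ",+=<>#;\\\"\r\n ")


def build_ldif(username, userpassword):
    """LDIF modify record that replaces userPassword on the user's entry."""
    if not safe_username(username):
        raise ValueError("unsafe username: %r" % username)
    return ("dn: uid=%s,%s,%s\nchangetype: modify\nreplace: userPassword\n"
            "userPassword: %s\n-\n" % (username, PEOPLE_OU, BASE_DN, userpassword))


def run_chat(infile, outfile):
    """Our side of the passwd chat; returns the new password, or None on mismatch."""
    outfile.write("New UNIX password: ")
    outfile.flush()                       # Samba waits for the prompt before answering
    first = infile.readline().rstrip("\r\n")
    outfile.write("Retype new UNIX password: ")
    outfile.flush()
    second = infile.readline().rstrip("\r\n")
    if not first or first != second:
        outfile.write("Sorry, passwords do not match.\n")
        outfile.flush()
        return None
    return first


def simulate_chat(answers):
    """Feed scripted answers (what Samba would send) to run_chat; returns (password, transcript)."""
    out = io.StringIO()
    pw = run_chat(io.StringIO("".join(a + "\n" for a in answers)), out)
    return pw, out.getvalue()


def main(argv):
    if len(argv) != 2 or not safe_username(argv[1]):
        sys.stderr.write("usage: %s <username>\n" % argv[0])
        return 2
    new_password = run_chat(sys.stdin, sys.stdout)
    if new_password is None:
        return 1                          # non-zero exit tells Samba the change failed
    ldif = build_ldif(argv[1], ssha_hash(new_password))
    # Bind password via -y (file) so it never shows up in `ps`; the new password
    # travels on stdin, never on the command line.
    rc = subprocess.run(["ldapmodify", "-x", "-H", LDAP_URI, "-D", ADMIN_DN,
                         "-y", ADMIN_PW_FILE], input=ldif.encode("utf-8")).returncode
    if rc != 0:
        sys.stderr.write("ldapmodify exited with status %d\n" % rc)
        return 1
    sys.stdout.write("passwd: password updated successfully\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The prompts are deliberately worded so that both posted chat patterns match in order; if the wording of either prompt drifts away from `*New*UNIX*password*` / `*UNIX*password*`, Samba will sit waiting for a prompt that never comes, which is exactly the case `passwd chat debug = yes` is there to expose in the log. Because the script runs as root and receives the cleartext password, keep it root-only, keep the admin bind password out of the command line (hence `-y`), and validate `%u` before it is spliced into a DN.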