On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
Hi Christian,
- Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:41]:
OK. I read it ;-) The Samba Server is a Sles11 with openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server with a self-compiled openldap-2.4.20. The Samba Server runs with the Sles11 shipped openLDAP version. There is no smbk5pwd overlay there.
I think that I must compile and configure the overlay only on the Samba Server. Is this correct? Oops, and also on the BDCs?
The overlay has to be installed on the LDAP master. Wouldn't make sense otherwise, since slaves are usually read-only.
The overlay smbk5pwd does not really work in this scenario. I have compiled heimdal
Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did you have a Heimdal installation before)?
What version did you install?
on Sles11 and compiled the smbk5pwd with make and make install.
From the same source used to build slapd on the box the module runs under?
<snip Makefile>
DEFS=-DDO_SAMBA
So, you shouldn't need Heimdal at all ...
HEIMDAL_INC=-I/usr/heimdal/include
#HEIMDAL_INC=
SSL_INC=
LDAP_INC=-I../../../include -I../../../servers/slapd
INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)

HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
#HEIMDAL_LIB=
SSL_LIB=-lcrypto
LDAP_LIB=-lldap_r -llber
LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
</snip>
Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay smbk5pwd'. After this I create the online configuration with 'slaptest -d1 -f ...'. All looks fine. slapd starts without an error message. I change the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
With the overlay smbk5pwd nothing happens when I change a password over a Windows Client. Without the overlay I can see the PASSMOD for the user.
Well, without Heimdal it has been working perfectly for me for a long time.
At times (e.g. 1.3.0 without patches), Heimdal API changes have broken the Heimdal support in smbk5pwd.
Note that some distributions ship recent OpenLDAP with a working (at least for samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.
Regards, Buchan
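
Added example (not part of the original thread, and not code from OpenLDAP or Samba): a small consistency check for the setup discussed above. With 'ldap passwd sync = Only', Samba leaves the Samba password hashes to the LDAP server, so the check requires the smbk5pwd overlay to be loaded and attached to a database in the master's slapd.conf. The sample configs and function names are constructed for illustration, and the check assumes the overlay is built as a loadable module.

```python
# Constructed sample configs, not the poster's real files.
GOOD_SLAPD = """\
moduleload smbk5pwd.la
database hdb
suffix "dc=example,dc=org"
overlay smbk5pwd
"""
BAD_SLAPD = """\
# moduleload smbk5pwd.la
overlay smbk5pwd
database hdb
"""
SMB_CONF = "[global]\n  ldap passwd sync = Only\n"

def check_slapd(text):
    """Return problems with how smbk5pwd is wired into a slapd.conf."""
    loaded, database, attached, problems = False, None, [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name, args = parts[0].lower(), parts[1:]
        if name == "moduleload" and args and "smbk5pwd" in args[0]:
            loaded = True
        elif name == "database" and args:
            database = args[0]  # directives below belong to this backend
        elif name == "overlay" and args == ["smbk5pwd"]:
            if not loaded:
                problems.append("overlay used before moduleload smbk5pwd")
            if database is None:
                problems.append("overlay is outside any database section")
            else:
                attached.append(database)
    if not attached:
        problems.append("smbk5pwd is not attached to any database")
    return problems

def passwd_sync(smb_conf):
    """Return the normalised 'ldap passwd sync' value, or None if unset."""
    for raw in smb_conf.splitlines():
        key, sep, value = raw.partition("=")
        if sep and " ".join(key.lower().split()) == "ldap passwd sync":
            return value.strip().lower()
    return None

def audit(master_slapd_conf, smb_conf):
    """With sync 'only', the master must run smbk5pwd; otherwise nothing to check."""
    return check_slapd(master_slapd_conf) if passwd_sync(smb_conf) == "only" else []
```

Run `audit()` against the slapd.conf of the LDAP master, since that is the server that processes the password change.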