Hi all,
I am trying to set up LDAP + SAMBA to propagate passwords in both directions, but unfortunately I have some small issues I do not know how to resolve.
I set up LDAP and SAMBA servers and I can connect to them (all on one machine).
I can connect to the samba server and browse shares with
smbclient //192.168.1.199/home -U user100
Also I can connect using ssh user100@192.168.1.199 (with the password I set up for user100 in the LDAP system),
where user "user100" is added to the samba conf as a samba user, but its origin is from LDAP and it was originally added using
ldapadd -c -x -D cn=admin,dc=testdomain,dc=net -W -f user100.ldif
ldappasswd -x -D cn=admin,dc=testdomain,dc=net -W -S uid=user100,ou=people,dc=testdomain,dc=net
I can change the password for user "user100" once logged in over ssh using "passwd", and this new password applies only to the LDAP part,
while the password for samba is the one set up using smbpasswd (as root on the system).
In smb.conf I added the part
passdb backend = ldapsam:ldap://192.168.1.199
ldap admin dn = cn =admin,dc=testdomain,dc=net
ldap suffix = dc=testdomain,dc=net
ldap user suffix = ou=People
ldap group suffix = ou= Group
ldap machine suffix = ou= Computers
ldap password sync = yes
and in case I change the password for user "user100" using smbpasswd (logged in as root), its password is propagated to LDAP and I can use the new password obtained with smbpasswd to log in over ssh, as I expect.
When logged in over ssh to the LDAP-SAMBA server as user "user100" and wanting to change the password using smbpasswd, I am getting an error like
smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Unable to connect to SMB server on machine 127.0.0.1. Error was : NT_STATUS_CONNECTION_REFUSED.
Failed to change password for user100
I do not have the address 127.0.0.1 set anywhere in the samba configuration.
The output of testparm is below.
The question is how can I make it reversible, so that when I change the password connected via ssh it is propagated to the samba system and I can use that new password for accessing samba shares.
The LDAP and SAMBA servers work OK independently: I can log in as an LDAP user, the home directory is created upon login, and connecting to samba shares works OK. The only question is how to set them up to understand each other's passwords.
The OS is Debian stable and all packages are Debian's own.
If someone knows a hint, I would be very thankful for any suggestions.
Thank you and nice regards,
testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[home]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = TESTDOMAIN
interfaces = 192.168.1.199/24, eth2
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://192.168.1.199
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 3000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
dns proxy = No
ldap admin dn = cn =admin,dc=testdomain,dc=net
ldap group suffix = ou= Group
ldap machine suffix = ou= Computers
ldap passwd sync = Yes
ldap suffix = dc=testdomain,dc=net
ldap user suffix = ou=People
panic action = /usr/share/samba/panic-action %d
valid users = %S
create mask = 0700
directory mask = 0700

[home]
comment = Users' home dir
path = /home
valid users = user100
write list = user100
pcinformace pcinformace wrote:
I am trying to set up LDAP + SAMBA
I assume this is Samba3. Is it an OpenLDAP server?
Question is how can I make it reversible, so when I change password connected via ssh to be propagated to samba system and to use that new password for accessing samba shares.
For the LDAP bind (used by ssh) the attribute 'userPassword' has to be set when changing the password. For Samba3 the attribute(s) sambaNTPassword (and optionally sambaLMPassword) have to be set with a pre-calculated hash.
I'd recommend to set up OpenLDAP with overlay slapo-smbk5pwd which you have to build separately and is found in directory contrib/slapd-modules/smbk5pwd of the source distribution. This overlay intercepts the Password Modify extended operation and sets userPassword and the Samba password attribute(s). So you have to tell pam_ldap to use ext. op. when setting a new password.
Ciao, Michael.
Thank you for the comment.
Yes, it is the regular 3.2.5 package in Lenny.
dpkg -l | grep samba
ii samba 2:3.2.5-4lenny7 a LanManager-like file and printer server for Unix
ii samba-common 2:3.2.5-4lenny7 Samba common files used by both the server and the client
ii samba-doc 2:3.2.5-4lenny7 Samba documentation
server:/etc/samba# dpkg -l | grep ldap
ii ldap-utils 2.4.11-1 OpenLDAP utilities
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libnss-ldap 261-2.1 NSS module for using LDAP as a naming service
ii libpam-ldap 184-4.2 Pluggable Authentication Module for LDAP
I know this stuff is very complex and I am trying to set it up step by step, but I really do not understand what is causing the error
smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
Failed to change password for test1
when I log in to the system using ssh as user1.
I understand that smbpasswd by default looks for the IP address 127.0.0.1/localhost, but I am getting the same error in case I set up 127.0.0.1/8 in smb.conf.
Also I tried to change the samba password for user1 using
smbpasswd -r 192.168.1.201 (192.168.1.201 is stated in smb.conf as the interface it will bind to), but again the same problem.
What is tconX? I did not define it. What sets up IPC$....
regards, thanks
2009/11/3 Michael Ströder michael@stroeder.com:
pcinformace pcinformace wrote:
I am trying to set up LDAP + SAMBA
I assume this is Samba3. Is it an OpenLDAP server?
Question is how can I make it reversible, so when I change password connected via ssh to be propagated to samba system and to use that new password for accessing samba shares.
For the LDAP bind (used by ssh) the attribute 'userPassword' has to be set when changing the password. For Samba3 the attribute(s) sambaNTPassword (and optionally sambaLMPassword) have to be set with a pre-calculated hash.
I'd recommend to set up OpenLDAP with overlay slapo-smbk5pwd which you have to build separately and is found in directory contrib/slapd-modules/smbk5pwd of the source distribution. This overlay intercepts the Password Modify extended operation and sets userPassword and the Samba password attribute(s). So you have to tell pam_ldap to use ext. op. when setting a new password.
Ciao, Michael.
-- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com
On Monday, 2 November 2009 15:03:29 pcinformace pcinformace wrote:
Hi all,
I am trying to set up LDAP + SAMBA to propagate passwords in both directions, but unfortunately I have some small issues I do not know how to resolve.
I set up LDAP and SAMBA servers and I can connect to them (all on one machine).
I can connect to the samba server and browse shares with
smbclient //192.168.1.199/home -U user100
Also I can connect using ssh user100@192.168.1.199 (with the password I set up for user100 in the LDAP system),
where user "user100" is added to the samba conf as a samba user, but its origin is from LDAP and it was originally added using
ldapadd -c -x -D cn=admin,dc=testdomain,dc=net -W -f user100.ldif
ldappasswd -x -D cn=admin,dc=testdomain,dc=net -W -S uid=user100,ou=people,dc=testdomain,dc=net
I can change the password for user "user100" once logged in over ssh using "passwd", and this new password applies only to the LDAP part,
If you enabled the smbk5pwd overlay, and assuming you are using pam_ldap, and have configured pam_ldap to use the LDAP password modify extended operation to change passwords ("pam_password exop"), then this would change the samba password too.
When logged in over ssh to the LDAP-SAMBA server as user "user100" and wanting to change the password using smbpasswd, I am getting an error like
smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Unable to connect to SMB server on machine 127.0.0.1. Error was : NT_STATUS_CONNECTION_REFUSED.
Failed to change password for user100
I do not have the address 127.0.0.1 set anywhere in the samba configuration.
See the -r option to smbpasswd.
The OS is Debian stable and all packages are Debian's own.
Let's hope debian ships smbk5pwd overlay (other distros do ....).
Regards, Buchan
openldap-technical@openldap.org