Home / server / Questions / 156334
Accepted
raerek
Asked: 2010-07-01 07:15:02 +0800 CST

How to have samba password changed from linux ldap client?

  • 772

I have set up an ubuntu lucid LDAP+SAMBA PDC, mainly based on this article: http://ubuntuforums.org/showthread.php?t=1499753 - it works. Users can change their password by logging on to a Win Pc, and hitting Ctrl+Alt+Del. This way the unix passwords are changed as well - samba takes care of that.

I use that LDAP server for authentication from ubuntu desktops as well. They can logon, and change their password using /usr/bin/passwd, but this way the samba password does not change.

Questions:

1) Is there a way to change not only the userPassword, but the sambaNTpassword attribute as well? I've read of pam_smbpass.so but I have no clue how to use that - I've even read somewhere that this way only the local smb passwords can be updated.

2) If the answer would be "no" for the 1st question, then is there a way to have slapd sync sambaNTPassword based on unixPassword? Maybe setting up the "exop" to do that?

3) If once again the answer is "no", then I could live with clear thext passwords in the userPassword and run an external script to calculate the hash for sambaNTpassword. I tried jacksum -a md4 -q "txt:password" but the calculated hash is not equal to the ones stored in the ldap. I have no idea why.

4) What else could I do?

synchronization password samba ldap

2 Answers

  1. Best Answer

    You can achieve this by using OpenLDAP's smbk5pwd overlay.

    This overlay needs to be added to your slapd configuration. Then, any password changes via the exop "Change password" operation will also update Samba (and optionally Kerberos) passwords.

    You can simply configure your Ubuntu desktops to use the exop password change operation through /etc/ldap.conf.

    • 1

  2. The way to enable this has changed over the last ten years, so I've written up a post that explains how to enable smbk5pwd in simple terms here.

    Short version:

    Install ldap contrib modules, eg for debian-based systems:

    sudo apt install slapd-contrib

    • Tell OpenLDAP to load the module

    Create smbk5pwd-module.ldif

    dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}smbk5pwd.la

    and apply:

    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-module.ldif

    • Configure the module

    Create smbk5pwd-overlay.ldif

    dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 0

    and apply

    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-overlay.ldif

    olcSmbK5PwdMustChange is the password expiry time in seconds, like 5184000 for two months, or 31968000 for annual changes with a five day grace period. 0 means no expiry.

    • 1