
I have set up an Ubuntu Lucid LDAP+Samba PDC, mainly based on this article: http://ubuntuforums.org/showthread.php?t=1499753 - it works. Users can change their password by logging on to a Windows PC and hitting Ctrl+Alt+Del. This way the Unix passwords are changed as well - Samba takes care of that.

I use that LDAP server for authentication from Ubuntu desktops as well. They can log on and change their password using /usr/bin/passwd, but this way the Samba password does not change.

Questions:

1) Is there a way to change not only the userPassword, but the sambaNTPassword attribute as well? I've read of pam_smbpass.so but I have no clue how to use that - I've even read somewhere that this way only the local smb passwords can be updated.

2) If the answer would be "no" for the 1st question, then is there a way to have slapd sync sambaNTPassword based on unixPassword? Maybe setting up the "exop" to do that?

3) If once again the answer is "no", then I could live with clear text passwords in the userPassword and run an external script to calculate the hash for sambaNTPassword. I tried jacksum -a md4 -q "txt:password" but the calculated hash is not equal to the ones stored in LDAP. I have no idea why.

4) What else could I do?

chicks
raerek
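As an added example (not part of the original question or of either answer): the reason a plain MD4 of "password" does not match what Samba stores is that sambaNTPassword is MD4 over the UTF-16LE encoding of the password, written as uppercase hex. The script below implements that, plus a verifier for OpenLDAP {SSHA}/{SHA}/cleartext userPassword values, so an administrator can audit whether a known test account's two attributes have drifted apart (the situation questions 2 and 3 are trying to avoid). MD4 is implemented in pure Python so the example does not depend on an OpenSSL legacy provider; the two directory entries are constructed for the example and are not real accounts.

```python
import base64
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids needing hashlib's optional md4."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, message-word order, per-position shifts, additive constant)
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, order, shifts, const in rounds:
            for i in range(16):
                t = (-i) % 4  # which of a,b,c,d this step updates
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _lrot((v[t] + fn(p, q, r) + x[order[i]] + const) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP {SSHA} userPassword value (used to construct the samples)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_user_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {SSHA}, {SHA} or cleartext userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then the salt
        return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hashlib.sha1(candidate.encode("utf-8")).digest() == raw
    return stored == candidate  # cleartext storage, as considered in question 3


def check_entry(entry: dict, candidate: str) -> dict:
    """Report whether each attribute matches the candidate and whether the two are in sync."""
    unix_ok = check_user_password(entry["userPassword"], candidate)
    nt_ok = entry["sambaNTPassword"].upper() == nt_hash(candidate)
    return {"userPassword": unix_ok, "sambaNTPassword": nt_ok, "in_sync": unix_ok and nt_ok}


# Constructed sample entries (not real accounts). The NT value for "alice" is the
# well-known hash Samba stores for the password "password".
ENTRY_IN_SYNC = {
    "uid": "alice",
    "userPassword": make_ssha("password", b"\x01\x02\x03\x04"),
    "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C",
}
ENTRY_STALE = {
    "uid": "bob",
    "userPassword": make_ssha("password", b"\x05\x06\x07\x08"),
    "sambaNTPassword": nt_hash("different-password"),  # never updated by passwd(1)
}

if __name__ == "__main__":
    for entry in (ENTRY_IN_SYNC, ENTRY_STALE):
        print(entry["uid"], check_entry(entry, "password"))
```

Running it prints that alice is in sync and that bob's userPassword matches while sambaNTPassword does not, which is exactly the state left behind when users change passwords through /usr/bin/passwd without an overlay such as smbk5pwd keeping the Samba attribute current. The same `nt_hash` function is what an external script for question 3 would need; jacksum's md4 of the raw bytes differs because it never applies the UTF-16LE encoding.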

2 Answers


The way to enable this has changed over the last ten years, so I've written up a post that explains how to enable smbk5pwd in simple terms here.

Short version:

  • Install the LDAP contrib modules, e.g. for Debian-based systems:

sudo apt install slapd-contrib

  • Tell OpenLDAP to load the module

Create smbk5pwd-module.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}smbk5pwd.la

and apply:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-module.ldif

  • Configure the module

Create smbk5pwd-overlay.ldif

dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 0

and apply:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-overlay.ldif

olcSmbK5PwdMustChange is the password expiry time in seconds, like 5184000 for two months, or 31968000 for annual changes with a five day grace period. 0 means no expiry.


You can achieve this by using OpenLDAP's smbk5pwd overlay.

This overlay needs to be added to your slapd configuration. Then, any password changes via the exop "Change password" operation will also update Samba (and optionally Kerberos) passwords.

You can simply configure your Ubuntu desktops to use the exop password change operation through /etc/ldap.conf.

Jonathan Clarke
  • I am currently not at that project, but I will revisit this problem - by about 15th of Aug. Gosh I hope that this is going to work. – raerek Jul 20 '10 at 06:22
  • I finally went back to this issue. Unfortunately I cannot set it up in production, as we are using Ubuntu Lucid, and smbk5pwd is not part of that release :((( Anyway, thank you for your help. – raerek Aug 16 '10 at 17:17