Samba password sync
Samba, the Windows interoperability suite for Linux, keeps its own account store because Linux and Windows password storage are not interoperable.
The default account storage mechanism works well with small numbers of accounts and one domain controller.
For larger installations, Samba can use DS replicas to store Samba accounts.
Refer to the Samba documentation for your platform for instructions on how to configure LDAP directory servers as Samba passdb backends.
The procedures that follow focus on how to keep passwords in sync for Samba account storage.
When you store Samba accounts in a directory server, Samba stores its own attributes as defined in the Samba schema.
Samba does not use the LDAP standard userPassword attribute to store users' Samba passwords.
You can configure Samba to apply changes to Samba passwords to LDAP passwords as well.
Yet, if a user modifies their LDAP password directly without updating the Samba password, the LDAP and Samba passwords get out of sync.
The DS Samba Password plugin resolves this problem for you.
The plugin intercepts password changes to Samba user profiles, synchronizing Samba password and LDAP password values.
For an incoming Password Modify Extended Request or modify request to change the user password, the DS Samba Password plugin detects whether the user's entry is a Samba user profile (the entry has object class sambaSAMAccount), hashes the incoming password value, and applies the password change to the appropriate password attribute, keeping the password values in sync.
The DS Samba Password plugin can perform synchronization only when the new password is provided in plaintext in the modification request; a value that is already encoded cannot be re-hashed into the Samba attribute.
If you configure Samba to synchronize LDAP passwords when it changes Samba passwords, the plugin can ignore changes made by the Samba Administrator account to avoid duplicate synchronization.
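As an added illustration, not code from DS or Samba, the following Python models the decision the plugin makes for one password change: it skips changes bound as the Samba Administrator and entries that are not Samba user profiles, refuses values that are not plaintext, and otherwise produces the NT-hash attribute value Samba stores. The entry dictionary, the simplified DN comparison and the "{" prefix check for pre-encoded values are assumptions of the example; only the sync-nt-password policy is modelled.

```python
import struct

def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); hashlib may lack md4 under OpenSSL 3, so it is inlined."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, round constant, word order, shift amounts)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rot((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """Samba's NT hash: MD4 over the UTF-16LE password, stored as 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()

# DN from the procedure on this page; in DS it is the plugin's samba-administrator-dn setting.
SAMBA_ADMIN_DN = "uid=Samba Admin,ou=Special Users,dc=example,dc=com"

def sync_password(entry, bind_dn, new_password, policy="sync-nt-password"):
    """Return the attribute the plugin would add to the modify, or None when it leaves it alone.
    entry: dict of attribute name -> list of values (a constructed stand-in for an LDAP entry).
    Only sync-nt-password is modelled; the DES-based LM hash is left out."""
    if new_password.startswith("{"):
        return None  # pre-encoded value such as {SSHA}...: no plaintext, so nothing to hash
    if bind_dn.lower() == SAMBA_ADMIN_DN.lower():  # simplified DN match (no full normalisation)
        return None  # change made by the Samba Administrator: Samba itself already synced it
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if "sambasamaccount" not in classes:
        return None  # not a Samba user profile
    if policy != "sync-nt-password":
        raise NotImplementedError("only the NT hash is modelled in this example")
    return {"sambaNTPassword": nt_hash(new_password)}
```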
Create the Samba administrator
The Samba Administrator updates the LDAP password when a Samba password changes.
In Samba's smb.conf configuration file, the value of ldap admin dn is set to the DN of this account.
When the Samba Administrator changes a user password, the plugin ignores the changes.
Choose a distinct account different from the directory superuser and other administrators:
- Create or choose an account for the Samba Administrator:

  $ ldapmodify \
   --hostname localhost \
   --port 1636 \
   --useSsl \
   --usePkcs12TrustStore /path/to/opendj/config/keystore \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --bindDN uid=admin \
   --bindPassword password << EOF
  dn: uid=Samba Admin,ou=Special Users,dc=example,dc=com
  cn: Samba Administrator
  givenName: Samba
  mail: samba@example.com
  objectClass: person
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  objectClass: top
  sn: Administrator
  uid: Samba Admin
  userPassword: chngthspwd
  EOF

- Let the Samba Administrator reset user passwords (the two LDIF records are separated by a blank line, and the aci value continues on lines starting with a space):

  $ ldapmodify \
   --hostname localhost \
   --port 1636 \
   --useSsl \
   --usePkcs12TrustStore /path/to/opendj/config/keystore \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --bindDN uid=admin \
   --bindPassword password << EOF
  dn: uid=Samba Admin,ou=Special Users,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: password-reset

  dn: dc=example,dc=com
  changetype: modify
  add: aci
  aci: (target="ldap:///dc=example,dc=com")(targetattr ="*")
   (version 3.0; acl "Samba Admin user rights"; allow(all)
   userdn="ldap:///uid=Samba Admin,ou=Special Users,dc=example,dc=com";)
  EOF
Enable the Samba password plugin
- Determine whether the plugin must store passwords hashed like LanManager (sync-lm-password) or like Windows NT (sync-nt-password), based on the Samba configuration.

- Enable the plugin:

  $ dsconfig \
   create-plugin \
   --hostname localhost \
   --port 4444 \
   --bindDN uid=admin \
   --bindPassword password \
   --plugin-name "Samba Password Synchronisation" \
   --type samba-password \
   --set enabled:true \
   --set pwd-sync-policy:sync-nt-password \
   --set samba-administrator-dn:"uid=Samba Admin,ou=Special Users,dc=example,dc=com" \
   --usePkcs12TrustStore /path/to/opendj/config/keystore \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --no-prompt
The Samba Password plugin is active immediately.