Cisanius
27.07.06, 13:05
Moin Leude,
habe da ein kleines Problemchen:
Habe nun erfolgreich einen Samba PDC mit einem LDAP Backend aufgesetzt. Der Login über windows, sowohl als auch der login über ssh beispielsweise funktionieren tadellos. Auch die Profile werden verwendet, die Freigaben funktionieren und eigentlich bin ich ganz glücklich damit.
ABER ...
da gibt es ein kleines Programm namens passwd mit dem User ihr Kennwort auf der Shell ändern können. Soweit so gut - das _LDAP_ Kennwort - und damit ihren Login für Linux - können sie ändern. Aber das Samba Passwort wird nicht geändert. Habe ich etwas übersehen? - Laut config sollte doch samba selbstständig dafür sorgen, dass die NT und LM passes mit denen des LDAP übereinstimmen, sobald das LDAP kennwort geändert wird?!
Wenn ich dagegen unter windows mein Kennwort ändere, wird sowohl das LM, das NT als auch das LDAP Kennwort angepasst.
Hat da jemand ein Idee, bzw. weiß jemand, obs überhaupt geht?
vielen Dank
ciao
Cisanius
Appendix - configuration files:
-------------- smb.conf --------------
[global]
netbios name = IAF-CME
workgroup = iafcme
server string = Samba PDC %v
hosts allow = 192.168.21.
security = user
encrypt passwords = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0 //Bind to Interface ...
#bind interfaces only = yes
log level = 0
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = P:
null passwords = no
hide unreadable = yes
hide dot files = yes
unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
#ldap admin dn = cn=admin,dc=iafcme
ldap admin dn = cn=samba,ou=DSA,dc=iafcme
ldap suffix = dc=iafcme
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = 850
unix charset = ISO8859-1
[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no
[profiles]
path=/home/samba/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = "@Domain Users" "@Domain Admins"
create mode = 0600
directory mode = 0700
default case = lower
preserve case = no
case sensitive = no
[homes]
path = /home/%U
browseable = no
valid users = %S
public = no
writeable = yes
guest ok = no
inherit permissions = yes
[public]
comment = Free for all
path = /home/samba/public
browseable = yes
valid users = "@iafusers" "@Domain Users"
guest ok = no
#force group = "@iafusers"
----------------- /smb.conf ---------------
----------------- libnss-ldap.conf && pam_ldap.conf ---------------
host 127.0.0.1
base dc=iafcme
ldap_version 3
binddn cn=nssldap,ou=DSA,dc=iafcme
bindpw secret
rootbinddn cn=admin,dc=iafcme
nss_base_passwd ou=Users,dc=iafcme?one
nss_base_passwd ou=Computers,dc=iafcme?one
nss_base_shadow ou=Users,dc=iafcme?one
nss_base_group ou=Groups,dc=iafcme?one
ssl no
pam_password md5
----------------- /libnss-ldap.conf && pam_ldap.conf ---------------
----------------- slapd.conf ---------------
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 1480
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=iafcme"
directory "/var/lib/ldap"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
lastmod on
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
rootdn "cn=admin,dc=iafcme"
rootpw {SSHA}......
# ACLs ...
access to dn.base="" by * read
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword ,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=admin,dc=iafcme" write
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by dn="cn=nssldap,ou=DSA,dc=iafcme" write
by self write
by anonymous auth
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumbe r,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homeP hone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by self write
by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdL astSet,sambaLogonTime,sambaLogoffTime,sambaKickoff Time,sambaPwdCanChange,sambaPwdMustChange,sambaAcc tFlags,displayName,sambaHomePath,sambaHomeDrive,sa mbaLogonScript,sambaProfilePath,description,sambaU serWorkstations,sambaPrimaryGroupSID,sambaDomainNa me,sambaMungedDial,sambaBadPasswordCount,sambaBadP asswordTime,sambaPasswordHistory,sambaLogonHours,s ambaSID,sambaSIDList,sambaTrustFlags,sambaGroupTyp e,sambaNextRid,sambaNextGroupRid,sambaNextUserRid, sambaAlgorithmicRidBase,sambaShareName,sambaOption Name,sambaBoolOption,sambaIntegerOption,sambaStrin gOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by self read
by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
access to *
by dn="cn=admin,dc=iafcme" write
by self read
by * none
--------------- /slapd.conf ------------
habe da ein kleines Problemchen:
Habe nun erfolgreich einen Samba PDC mit einem LDAP Backend aufgesetzt. Der Login über windows, sowohl als auch der login über ssh beispielsweise funktionieren tadellos. Auch die Profile werden verwendet, die Freigaben funktionieren und eigentlich bin ich ganz glücklich damit.
ABER ...
da gibt es ein kleines Programm namens passwd mit dem User ihr Kennwort auf der Shell ändern können. Soweit so gut - das _LDAP_ Kennwort - und damit ihren Login für Linux - können sie ändern. Aber das Samba Passwort wird nicht geändert. Habe ich etwas übersehen? - Laut config sollte doch samba selbstständig dafür sorgen, dass die NT und LM passes mit denen des LDAP übereinstimmen, sobald das LDAP kennwort geändert wird?!
Wenn ich dagegen unter windows mein Kennwort ändere, wird sowohl das LM, das NT als auch das LDAP Kennwort angepasst.
Hat da jemand ein Idee, bzw. weiß jemand, obs überhaupt geht?
vielen Dank
ciao
Cisanius
Appendix - configuration files:
-------------- smb.conf --------------
[global]
netbios name = IAF-CME
workgroup = iafcme
server string = Samba PDC %v
hosts allow = 192.168.21.
security = user
encrypt passwords = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0 //Bind to Interface ...
#bind interfaces only = yes
log level = 0
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = P:
null passwords = no
hide unreadable = yes
hide dot files = yes
unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
#ldap admin dn = cn=admin,dc=iafcme
ldap admin dn = cn=samba,ou=DSA,dc=iafcme
ldap suffix = dc=iafcme
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = 850
unix charset = ISO8859-1
[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no
[profiles]
path=/home/samba/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = "@Domain Users" "@Domain Admins"
create mode = 0600
directory mode = 0700
default case = lower
preserve case = no
case sensitive = no
[homes]
path = /home/%U
browseable = no
valid users = %S
public = no
writeable = yes
guest ok = no
inherit permissions = yes
[public]
comment = Free for all
path = /home/samba/public
browseable = yes
valid users = "@iafusers" "@Domain Users"
guest ok = no
#force group = "@iafusers"
----------------- /smb.conf ---------------
----------------- libnss-ldap.conf && pam_ldap.conf ---------------
host 127.0.0.1
base dc=iafcme
ldap_version 3
binddn cn=nssldap,ou=DSA,dc=iafcme
bindpw secret
rootbinddn cn=admin,dc=iafcme
nss_base_passwd ou=Users,dc=iafcme?one
nss_base_passwd ou=Computers,dc=iafcme?one
nss_base_shadow ou=Users,dc=iafcme?one
nss_base_group ou=Groups,dc=iafcme?one
ssl no
pam_password md5
----------------- /libnss-ldap.conf && pam_ldap.conf ---------------
----------------- slapd.conf ---------------
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 1480
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=iafcme"
directory "/var/lib/ldap"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
lastmod on
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
rootdn "cn=admin,dc=iafcme"
rootpw {SSHA}......
# ACLs ...
access to dn.base="" by * read
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword ,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=admin,dc=iafcme" write
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by dn="cn=nssldap,ou=DSA,dc=iafcme" write
by self write
by anonymous auth
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumbe r,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homeP hone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by self write
by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdL astSet,sambaLogonTime,sambaLogoffTime,sambaKickoff Time,sambaPwdCanChange,sambaPwdMustChange,sambaAcc tFlags,displayName,sambaHomePath,sambaHomeDrive,sa mbaLogonScript,sambaProfilePath,description,sambaU serWorkstations,sambaPrimaryGroupSID,sambaDomainNa me,sambaMungedDial,sambaBadPasswordCount,sambaBadP asswordTime,sambaPasswordHistory,sambaLogonHours,s ambaSID,sambaSIDList,sambaTrustFlags,sambaGroupTyp e,sambaNextRid,sambaNextGroupRid,sambaNextUserRid, sambaAlgorithmicRidBase,sambaShareName,sambaOption Name,sambaBoolOption,sambaIntegerOption,sambaStrin gOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by self read
by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=iafcme"
by dn="cn=samba,ou=DSA,dc=iafcme" write
by dn="cn=smbldap-tools,ou=DSA,dc=iafcme" write
by * none
access to *
by dn="cn=admin,dc=iafcme" write
by self read
by * none
--------------- /slapd.conf ------------