
CentOS, LDAP and Samba password sync?


Stratus_ss

Hi guys,

As you may be aware, I have worked out how to sync LDAP and Samba on Ubuntu. Everything works great from an Ubuntu machine. When a user changes their password it ripples through the network, syncing the passwords with LDAP and Samba.

However, when I try to reproduce this with CentOS I can't, or at least not exactly. When I issue the 'passwd' command it will indeed change the LDAP login but not the Samba password on the CentOS server.

However, if I use 'smbpasswd' it changes both LDAP and SMB passwords successfully. Obviously not ideal. There is no error in any of the logs during the time period I try to change a password. I even turned up the logging to 5. Here is the CentOS smb.conf

Code:
[global]
    workgroup = STRATUS.LOCAL
    #security = domain
    security = user
    passdb backend = ldapsam:ldap://ds.stratus.local
    passwd program = /usr/bin/passwd %u
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=stratus,dc=local
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = start tls

    log level = 5
    log file = /var/log/%m.log
    
    unix password sync = yes
    ldap password sync = yes
    pam password change = yes

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 33
    domain logons = yes
    template shell = /bin/false
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    passwd program = /usr/bin/passwd '%u'

Here is the Ubuntu config (almost identical)

Code:
[global]
    workgroup = STRATUS.LOCAL
    security = domain
    passdb backend = ldapsam:ldap://192.168.99.90
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=stratus,dc=local
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = off
    log file = /var/log/%m.log
    unix password sync = yes
    pam password change = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 33
    domain logons = yes
    template shell = /bin/false

If this was a PAM issue, wouldn't I see errors in some log somewhere? Anyone have any pointers?
 
I have all of my Debian VMs and servers authenticating against Active Directory. I had to add the following to my /etc/pam.d/passwd file:
Code:
password        sufficient      pam_winbind.so

I have no clue about LDAP and Samba but there could be something similar you would have to add to make it work how you want with passwd.
 
There is in fact, and as far as I can tell I have it set properly, though Debian-based PAM and RHEL-based PAM are different enough that the files don't translate 1:1.
 
So I have narrowed down the "problem": the RHEL systems do not modify the "sambantpassword" attribute when you change your password. So the problem isn't with Samba at all; it has more to do with trying to figure out how to make the RHEL version of passwd change that attribute. As an alternative, I may alias 'passwd' to 'smbldap-passwd' and change the dialogue, since smbldap-passwd modifies all required attributes in LDAP.
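
An added example, not part of any post in this thread: because the two smb.conf files are described as almost identical, this script parses both [global] sections (excerpts copied from the posts above), reports any parameter set more than once, and lists every parameter whose value differs between the two hosts. The function names are this example's own.

```python
def parse_global(text):
    """Return ({param: value}, [params set more than once]) for the [global] section."""
    params, dups, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or smb.conf comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())      # names are case-insensitive
        if key in params:
            dups.append(key)
        params[key] = value.strip()              # keep the last value: a later line overrides
    return params, dups

def diff_configs(a, b):
    """Map each parameter whose value differs to (value_in_a, value_in_b); None means unset."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Excerpts of the two [global] sections posted in the thread.
CENTOS = """[global]
    #security = domain
    security = user
    passdb backend = ldapsam:ldap://ds.stratus.local
    passwd program = /usr/bin/passwd %u
    ldap ssl = start tls
    unix password sync = yes
    ldap password sync = yes
    pam password change = yes
    passwd program = /usr/bin/passwd '%u'
"""
UBUNTU = """[global]
    security = domain
    passdb backend = ldapsam:ldap://192.168.99.90
    ldap ssl = off
    unix password sync = yes
    pam password change = yes
"""

if __name__ == "__main__":
    centos, dups = parse_global(CENTOS)
    ubuntu, _ = parse_global(UBUNTU)
    print("set more than once on CentOS:", dups)
    for key, (c, u) in diff_configs(centos, ubuntu).items():
        print(f"{key}: centos={c!r} ubuntu={u!r}")
```

On these excerpts it reports `passwd program` as set twice on CentOS and shows that `security`, `ldap ssl`, `ldap password sync`, `passdb backend` and `passwd program` are the settings that differ between the two hosts.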
 