[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy & sambaNTPassword

Ralf Zimmermann schrieb:
> Hi Christian,
> * Christian Manal <moenoel@informatik.uni-bremen.de> [16.02.2010 16:18]:
>> Ralf Zimmermann schrieb:
>>> Hi Christian,
>>> * Christian Manal <moenoel@informatik.uni-bremen.de> [16.02.2010 16:05]:
>>>>> the option  'ldap passwd sync'  is set  to yes. I  will looking to  the overlay
>>>>> smbk5pwd again. But I think it will not resolve the problem because samba makes
>>>>> a modify for the samba attributes.
>>>>> We  have a  default  ppolicy.  But this  policy  works  only with  pwdAttribute
>>>>> userPassword not with  sambaNTPassword. The problem is, that a  User can change
>>>>> his password with a Windows Client.  The sambaNTPassword is always set whatever
>>>>> in the policy is configured.
>>>> If you set 'ldap passwd sync' to 'only' the Samba server triggers an
>>>> extended operation for password change and doesn't touch the Samba
>>>> attributes. smbk5pwd will take care of the Samba passwords.
>>>> Best regards,
>>>> Christian Manal
>>> thanks, I take a  look at smbk5pwd. Must I install heimdal  kerberos? I need it
>>> only for samba and we have installed mit kerberos.
>> You can disable Kerberos support in the Makefile.
> ok.  I read  it ;-)  The Samba  Server is  a Sles11  with openldap2-2.4.12  and
> Samba-3.4.5. The  Samba Server is not  the LDAP Master. This  is another Server
> with a  self compiled  openldap-2.4.20. The  Samba Server runs with  the Sles11
> shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
> I think that I must compile and configure the overlay only on the Samba Server.
> Is this correct? Ups and also on the BDC's?

The overlay has to be installed on the LDAP master. Wouldn't make sense
otherwise, since slaves are usually read-only.

Best regards,
Christian Manal