Re: ppolicy & sambaNTPassword



On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> Hi Christian,
> 
> * Christian Manal <moenoel@informatik.uni-bremen.de> [16.02.2010 16:41]:
> > > ok. I read it ;-) The Samba Server is a Sles11 with
> > > openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP
> > > Master. This is another Server with a self compiled openldap-2.4.20.
> > > The Samba Server runs with the Sles11 shipped openLDAP version. There
> > > it doesn't exist a smbk5pwd overlay.
> > >
> > > I think that I must compile and configure the overlay only on the Samba
> > > Server. Is this correct? Ups and also on the BDC's?
> >
> > The overlay has to be installed on the LDAP master. Wouldn't make sense
> > otherwise, since slaves are usually read-only.
> 
> the overlay smbk5pwd does not really work in this scenario. I have
>  compiled heimdal

Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did 
you have a Heimdal installation before)?

What version did you install?


>  on Sles11 and compiled the smbk5pwd with make and make
>  install.

From the same source used to build slapd on the box the module runs under?

> <snip Makefile>
> DEFS=-DDO_SAMBA

So, you shouldn't need Heimdal at all ...

> HEIMDAL_INC=-I/usr/heimdal/include
> #HEIMDAL_INC=
> SSL_INC=
> LDAP_INC=-I../../../include -I../../../servers/slapd
> INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
> 
> HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
> #HEIMDAL_LIB=
> SSL_LIB=-lcrypto
> LDAP_LIB=-lldap_r -llber
> LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
> </snip>
> 
> Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay
>  smbk5pwd'. After this I create the online configuration with 'slaptest
>  -d1 -f ...'. All looks fine. slapd starts without an error message. I
>  change the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
> 
> With the overlay smbk5pwd nothing happens when I change a password
>  over a Windows Client. Without the overlay I can see the PASSMOD for the
>  user.

Well, without Heimdal it has been working perfectly for me for a long time.

At times (e.g. 1.3.0 without patches), Heimdal API changes have broken the
Heimdal support in smbk5pwd.

Note that some distributions ship recent OpenLDAP with a working (at least for
Samba) smbk5pwd, others include an smbk5pwd with Heimdal support as well.

Regards,
Buchan