[Date Prev][Date Next]
Re: ppolicy & sambaNTPassword
On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> Hi Christian,
> * Christian Manal <email@example.com> [16.02.2010 16:41]:
> > > ok. I read it ;-) The Samba Server is a Sles11 with
> > > openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP
> > > Master. This is another Server with a self compiled openldap-2.4.20.
> > > The Samba Server runs with the Sles11 shipped openLDAP version. There
> > > it doesn't exits a smbk5pwd overlay.
> > >
> > > I think that I must compile and configure the overlay only on the Samba
> > > Server. Is this correct? Ups and also on the BDC's?
> > The overlay has to be installed on the LDAP master. Wouldn't make sense
> > otherwise, since slaves are usually read-only.
> the overlay smbk5pwd does not really work in this szenario. I have
> compiled heimdal
Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did
you have a Heimdal installation before)?
What version did you install?
> on Sles11 and compiled the smbk5pwd with make and make
From the same source used to build slapd on the box the module runs under?
> <snip Makefile>
So, you shouldn't need Heimdal at all ...
> LDAP_INC=-I../../../include -I../../../servers/slapd
> INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
> HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
> LDAP_LIB=-lldap_r -llber
> LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
> Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay
> smbk5pwd'. After this I create the online configuration with 'slaptest
> -d1 -f ...'. All looks fine. slapd starts without a error message. I
> change the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
> With the overlay smbk5pwd nothing happens when I change a password
> over a Windows Client. Without the overlay I can see the PASSMOD for the
Well, without Heimdal has been working perfectly for me for a long time.
At times (e.g. 1.3.0 without patches), heimdal API changes have broken the
Heimdal support in smbk5pwd.
Note that some distributions ship recent OpenLDAP with a working (at least for
samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.