<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CCPL HEADER START
|
!
|
! This work is licensed under the Creative Commons
|
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
|
! To view a copy of this license, visit
|
! http://creativecommons.org/licenses/by-nc-nd/3.0/
|
! or send a letter to Creative Commons, 444 Castro Street,
|
! Suite 900, Mountain View, California, 94041, USA.
|
!
|
! You can also obtain a copy of the license at
|
! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! If applicable, add the following below this CCPL HEADER, with the fields
|
! enclosed by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CCPL HEADER END
|
!
|
! Copyright 2011-2014 ForgeRock AS
|
!
|
-->
|
<chapter xml:id='chap-samba'
|
xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
|
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
|
xsi:schemaLocation='http://docbook.org/ns/docbook
|
http://docbook.org/xml/5.0/xsd/docbook.xsd'
|
xmlns:xlink='http://www.w3.org/1999/xlink'>
|
<title>Samba Password Synchronization</title>
|
<indexterm><primary>Samba</primary></indexterm>
|
|
<para><link xlink:href="http://www.samba.org/" xlink:show="new">Samba</link>,
|
the Windows interoperability suite for Linux and UNIX, stores accounts because
|
UNIX and Windows password storage management is not interoperable. The default
|
account storage mechanism is designed to work well with relatively small
|
numbers of accounts and configurations with one domain controller. For larger
|
installations, you can configure Samba to use OpenDJ for storing Samba
|
accounts. See the Samba documentation for your platform for instructions on
|
how to configure an LDAP directory server such as OpenDJ as a Samba passdb
|
backend.</para>
|
|
<para>The rest of this chapter focuses on how you keep passwords in sync when
|
using OpenDJ for Samba account storage.</para>
|
|
<para>When you store Samba accounts in OpenDJ, Samba stores its own attributes
|
as defined in the Samba schema. Samba does not use the LDAP standard
|
<literal>userPassword</literal> attribute to store users' Samba passwords.
|
You can configure Samba to apply changes to Samba passwords to LDAP passwords
|
as well, too. Yet, if a user modifies her LDAP password directly without
|
updating the Samba password, the LDAP and Samba passwords get out of
|
sync.</para>
|
|
<para>The OpenDJ Samba Password plugin resolves this problem for you. The
|
plugin intercepts password changes to Samba user profiles, synchronizing Samba
|
password and LDAP password values. For an incoming Password Modify Extended
|
Request or modify request changing the user password, the OpenDJ Samba Password
|
plugin detects whether the user's entry reflects a Samba user profile (entry
|
has object class <literal>sambaSAMAccount</literal>), hashes the incoming
|
password value, and applies the password change to the appropriate password
|
attribute, keeping the password values in sync. The OpenDJ Samba Password
|
plugin can perform synchronization as long as new passwords values are
|
provided in clear text in the modification request. If you configure Samba
|
to synchronize LDAP passwords when it changes Samba passwords, then the
|
plugin can ignore changes by the Samba user to avoid duplicate
|
synchronization.</para>
|
|
<procedure xml:id="setup-samba-administrator-account">
|
<title>To Set Up a Samba Administrator Account</title>
|
|
<para>The Samba Administrator synchronizes LDAP passwords after changing
|
Samba passwords by issuing a Password Modify Extended Request. In Samba's
|
<filename>smb.conf</filename> configuration file, the value of
|
<literal>ldap admin dn</literal> is set to the DN of this account. When
|
the Samba Administrator changes a user password, the plugin ignores
|
the changes, so choose a distinct account different from Directory Manager
|
and other administrators.</para>
|
|
<step>
|
<para>Create or choose an account for the Samba Administrator.</para>
|
|
<screen>
|
$ <userinput>cat samba.ldif</userinput>
|
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
|
cn: Samba Administrator
|
givenName: Samba
|
mail: samba@example.com
|
objectClass: person
|
objectClass: inetOrgPerson
|
objectClass: organizationalPerson
|
objectClass: top
|
sn: Administrator
|
uid: samba-admin
|
userPassword: password</computeroutput>
|
|
$ <userinput>ldapmodify \
|
--port 1389 \
|
--bindDN "cn=Directory Manager" \
|
--bindPassword password \
|
--defaultAdd \
|
--filename samba.ldif</userinput>
|
<computeroutput>Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
|
ADD operation successful for DN uid=samba-admin,ou=Special Users,
|
dc=example,dc=com</computeroutput>
|
</screen>
|
</step>
|
|
<step>
|
<para>Ensure the Samba Administrator can reset user passwords.</para>
|
|
<screen>
|
$ <userinput>cat samba-rights.ldif</userinput>
|
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
|
changetype: modify
|
add: ds-privilege-name
|
ds-privilege-name: password-reset
|
|
dn: dc=example,dc=com
|
changetype: modify
|
add: aci
|
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
|
Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou=
|
Special Users,dc=example,dc=com";)</computeroutput>
|
|
$ <userinput>ldapmodify \
|
--port 1389 \
|
--bindDN "cn=Directory Manager" \
|
--bindPassword password \
|
--filename samba-rights.ldif</userinput>
|
<computeroutput>Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
|
MODIFY operation successful for DN
|
uid=samba-admin,ou=Special Users,dc=example,dc=com
|
Processing MODIFY request for dc=example,dc=com
|
MODIFY operation successful for DN dc=example,dc=com</computeroutput>
|
</screen>
|
</step>
|
</procedure>
|
|
<procedure xml:id="setup-samba-pwd-plugin">
|
<title>To Set Up the Samba Password Plugin</title>
|
|
<step>
|
<para>Determine whether the plugin must store passwords hashed like
|
LanManager (<literal>sync-lm-password</literal>) or like Windows NT
|
(<literal>sync-nt-password</literal>), based on how you set up Samba
|
in your environment.</para>
|
</step>
|
|
<step>
|
<para>Enable the plugin.</para>
|
|
<screen>
|
$ <userinput>dsconfig \
|
create-plugin \
|
--port 4444 \
|
--hostname opendj.example.com \
|
--bindDN "cn=Directory Manager" \
|
--bindPassword password \
|
--plugin-name "Samba Password Synchronisation" \
|
--type samba-password \
|
--set enabled:true \
|
--set pwd-sync-policy:sync-nt-password \
|
--set \
|
samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com" \
|
--trustAll \
|
--no-prompt</userinput>
|
</screen>
|
|
<para>At this point the Samba Password plugin is active.</para>
|
</step>
|
|
<step performance="optional">
|
<para>When troubleshooting Samba Password plugin issues, you can turn on
|
debug logging as follows.</para>
|
|
<screen>
|
$ <userinput>dsconfig \
|
create-debug-target \
|
--port 4444 \
|
--hostname opendj.example.com \
|
--bindDN "cn=Directory Manager" \
|
--bindPassword password \
|
--publisher-name "File-Based Debug Logger" \
|
--target-name org.opends.server.plugins.SambaPasswordPlugin \
|
--set debug-level:all \
|
--trustAll \
|
--no-prompt</userinput>
|
|
$ <userinput>dsconfig \
|
set-log-publisher-prop \
|
--port 4444 \
|
--hostname opendj.example.com \
|
--bindDN "cn=Directory Manager" \
|
--bindPassword password \
|
--publisher-name "File-Based Debug Logger" \
|
--set enabled:true \
|
--trustAll \
|
--no-prompt</userinput>
|
</screen>
|
</step>
|
</procedure>
|
</chapter>
|
