Samba Password Synchronization

Samba, the Windows interoperability suite for Linux and UNIX, stores its own
accounts because UNIX and Windows password storage management is not
interoperable. The default account storage mechanism is designed to work well
with relatively small numbers of accounts and configurations with one domain
controller. For larger installations, you can configure Samba to use OpenDJ for
storing Samba accounts. See the Samba documentation for your platform for
instructions on how to configure an LDAP directory server such as OpenDJ as a
Samba passdb backend.

The rest of this chapter focuses on how you keep passwords in sync when using
OpenDJ for Samba account storage.

When you store Samba accounts in OpenDJ, Samba stores its own attributes as
defined in the Samba schema. Samba does not use the LDAP standard userPassword
attribute to store users' Samba passwords. You can configure Samba to apply
changes to Samba passwords to LDAP passwords as well. Yet, if a user modifies
her LDAP password directly without updating the Samba password, the LDAP and
Samba passwords get out of sync.

The OpenDJ Samba Password plugin resolves this problem for you. The
plugin intercepts password changes to Samba user profiles, synchronizing Samba
password and LDAP password values. For an incoming Password Modify Extended
Request or modify request changing the user password, the OpenDJ Samba Password
plugin detects whether the user's entry reflects a Samba user profile (entry
has object class sambaSAMAccount), hashes the incoming
password value, and applies the password change to the appropriate password
attribute, keeping the password values in sync. The OpenDJ Samba Password
plugin can perform synchronization as long as new password values are
provided in clear text in the modification request. If you configure Samba
to synchronize LDAP passwords when it changes Samba passwords, then the
plugin can ignore changes by the Samba user to avoid duplicate
synchronization.

To Set Up a Samba Administrator Account

The Samba Administrator synchronizes LDAP passwords after changing Samba
passwords by issuing a Password Modify Extended Request. In Samba's smb.conf
configuration file, the value of ldap admin dn is set to the DN of this
account. When the Samba Administrator changes a user password, the plugin
ignores the changes, so choose a distinct account, different from Directory
Manager and other administrators.

Create or choose an account for the Samba Administrator.
$ cat samba.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
cn: Samba Administrator
givenName: Samba
mail: samba@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
sn: Administrator
uid: samba-admin
userPassword: password
$ ldapmodify \
--port 1389 \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--defaultAdd \
--filename samba.ldif
Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN uid=samba-admin,ou=Special Users,dc=example,dc=com

Ensure the Samba Administrator can reset user passwords.
$ cat samba-rights.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "Samba Admin user rights"; allow(all) userdn ="ldap:///uid=samba-admin,ou=Special Users,dc=example,dc=com";)
$ ldapmodify \
--port 1389 \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--filename samba-rights.ldif
Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
MODIFY operation successful for DN uid=samba-admin,ou=Special Users,dc=example,dc=com
Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com

To Set Up the Samba Password Plugin

Determine whether the plugin must store passwords hashed like
LanManager (sync-lm-password) or like Windows NT
(sync-nt-password), based on how you set up Samba
in your environment.

Enable the plugin.
$ dsconfig \
create-plugin \
--port 4444 \
--hostname opendj.example.com \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--plugin-name "Samba Password Synchronisation" \
--type samba-password \
--set enabled:true \
--set pwd-sync-policy:sync-nt-password \
--set \
samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com" \
--trustAll \
--no-prompt

At this point the Samba Password plugin is active.

When troubleshooting Samba Password plugin issues, you can turn on
debug logging as follows.
$ dsconfig \
set-log-publisher-prop \
--hostname opendj.example.com \
--port 4444 \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--publisher-name "File-Based Debug Logger" \
--set enabled:true \
--no-prompt \
--trustAll
$ dsconfig \
create-debug-target \
--port 4444 \
--hostname opendj.example.com \
--bindDN "cn=Directory Manager" \
--bindPassword password \
--publisher-name "File-Based Debug Logger" \
--target-name org.opends.server.plugins.SambaPasswordPlugin \
--set enabled:true \
--trustAll \
--no-prompt
$ tail -f /path/to/opendj/logs/debug
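As an added example (not code from OpenDJ or from this chapter), the following Python models the decision the plugin makes for an incoming password change under the sync-nt-password policy configured above: changes bound as the samba-administrator-dn are ignored, entries without the sambaSAMAccount object class are skipped, a value not supplied in clear text cannot be synchronized, and otherwise the sambaNTPassword value (MD4 over the UTF-16LE password, as Windows NT stores it) is produced. The sambaNTPassword attribute comes from the Samba schema; the dict shape of the entry, the {SCHEME}-prefix test for pre-encoded values, and the function names are assumptions, and LanManager hashing is not covered.

```python
import struct

MASK = 0xFFFFFFFF
# samba-administrator-dn as set in the dsconfig command in this chapter
SAMBA_ADMIN_DN = "uid=samba-admin,ou=Special Users,dc=example,dc=com"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Windows NT password hashes are MD4 over the
    UTF-16LE password; hashlib's md4 is often disabled under OpenSSL 3."""
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message word order, shifts, additive constant)
        (lambda b, c, d: (b & c) | (~b & d), range(16), (3, 7, 11, 19), 0),
        (lambda b, c, d: (b & c) | (b & d) | (c & d),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda b, c, d: b ^ c ^ d,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Value written to sambaNTPassword: upper-case hex of MD4(UTF-16LE password)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_sync_mods(bind_dn: str, entry: dict, new_password: str):
    """Model of the plugin's handling of a password change (sync-nt-password).
    entry maps attribute name -> list of values (hypothetical shape).
    Returns (extra modifications or None, reason)."""
    if bind_dn.lower() == SAMBA_ADMIN_DN.lower():
        return None, "ignored: Samba Administrator already syncs LDAP itself"
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if "sambasamaccount" not in classes:
        return None, "skipped: entry is not a Samba user profile"
    if new_password.startswith("{"):  # assumption: {SCHEME}... marks a pre-encoded value
        return None, "cannot sync: password not supplied in clear text"
    return {"sambaNTPassword": nt_hash(new_password)}, "synchronized"
```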