<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-samba'>
 <title>Samba Password Synchronization</title>

 <indexterm><primary>Samba</primary></indexterm>

 <para>Samba, the Windows interoperability suite for Linux and UNIX, stores
 its own accounts because UNIX and Windows password storage management is not
 interoperable. The default account storage mechanism is designed to work well
 with relatively small numbers of accounts and configurations with one domain
 controller. For larger installations, you can configure Samba to use OpenDJ
 for storing Samba accounts. See the Samba documentation for your platform for
 instructions on how to configure an LDAP directory server such as OpenDJ as a
 Samba passdb backend.</para>

 <para>The rest of this chapter focuses on how you keep passwords in sync when
 using OpenDJ for Samba account storage.</para>

 <para>When you store Samba accounts in OpenDJ, Samba stores its own attributes
 as defined in the Samba schema. Samba does not use the LDAP standard
 <literal>userPassword</literal> attribute to store users' Samba passwords.
 You can configure Samba to apply changes to Samba passwords to LDAP passwords
 as well. Yet, if a user modifies her LDAP password directly without
 updating the Samba password, the LDAP and Samba passwords get out of
 sync.</para>

 <para>The OpenDJ Samba Password plugin resolves this problem for you. The
 plugin intercepts password changes to Samba user profiles, synchronizing the
 Samba password and LDAP password values. For an incoming Password Modify
 Extended Request or modify request changing the user password, the OpenDJ
 Samba Password plugin detects whether the user's entry reflects a Samba user
 profile (the entry has object class <literal>sambaSAMAccount</literal>),
 hashes the incoming password value, and applies the password change to the
 appropriate Samba password attribute, keeping the password values in sync.
 The plugin can only perform synchronization when the new password value is
 provided in clear text in the modification request: the NT and LanManager
 hashes that Samba stores are computed from the clear-text password, so they
 cannot be derived from a value that arrives already hashed (pre-encoded). If
 you configure Samba to synchronize LDAP passwords when it changes Samba
 passwords, then the plugin ignores changes made by the Samba Administrator
 account to avoid duplicate synchronization.</para>

 <para>Because the NT hash is an unsalted MD4 digest of the password, a
 <literal>sambaNTPassword</literal> value is equivalent to the password itself
 for NTLM authentication. Restrict read access to the Samba password
 attributes to the accounts that need them, just as you would for
 <literal>userPassword</literal>.</para>
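 <para>The following script is an added example, not OpenDJ or Samba code. It
 models the plugin's decision on a password change described above: skip
 changes bound as the Samba Administrator, skip entries without
 <literal>sambaSAMAccount</literal>, refuse pre-encoded values, and otherwise
 compute the <literal>sambaNTPassword</literal> value for the
 <literal>sync-nt-password</literal> policy. The NT hash algorithm (MD4 over the
 UTF-16LE password) is real; the sample entries, DNs, the
 <literal>plan_samba_sync</literal> function and its <literal>{</literal>-prefix
 test for pre-encoded values are constructed for illustration.</para>

 <programlisting language="python"><![CDATA[
```python
"""Model of the OpenDJ Samba Password plugin's decision on a password change.

Added example, not OpenDJ or Samba code. Entries, DNs and function names are
constructed for illustration; the NT hash (MD4 over UTF-16LE) is the real
algorithm the plugin must run to fill sambaNTPassword.
"""
import struct

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, so the example runs even where OpenSSL's
    legacy provider (and therefore hashlib.new('md4')) is unavailable."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for i in range(48):
            rnd, j = divmod(i, 16)
            # Operand rotation: (A,B,C,D), (D,A,B,C), (C,D,A,B), (B,C,D,A), ...
            a, b, c, d = (-j) % 4, (1 - j) % 4, (2 - j) % 4, (3 - j) % 4
            if rnd == 0:
                f, k, s, t = (v[b] & v[c]) | (~v[b] & v[d]), j, (3, 7, 11, 19)[j % 4], 0
            elif rnd == 1:
                f, k, s, t = ((v[b] & v[c]) | (v[b] & v[d]) | (v[c] & v[d]),
                              (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999)
            else:
                f, k, s, t = v[b] ^ v[c] ^ v[d], r3_order[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            val = (v[a] + f + x[k] + t) & _MASK
            v[a] = ((val << s) | (val >> (32 - s))) & _MASK
        h = [(p + q) & _MASK for p, q in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: upper-case hex MD4 of the UTF-16LE password."""
    return _md4(password.encode("utf-16-le")).hex().upper()


SAMBA_ADMIN_DN = "uid=samba-admin,ou=Special Users,dc=example,dc=com"  # as in the chapter


def _norm_dn(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, ignoring spaces after commas.
    return ",".join(part.strip() for part in dn.lower().split(","))


def plan_samba_sync(entry, new_password, bind_dn, policy="sync-nt-password",
                    samba_admin_dn=SAMBA_ADMIN_DN):
    """Return the attribute the plugin would add to the password change, or None
    when it leaves the change alone. Mirrors the checks described in the chapter."""
    # 1. The Samba Administrator (smb.conf "ldap admin dn") has already written
    #    the Samba hash itself and is only propagating the change to userPassword.
    if _norm_dn(bind_dn) == _norm_dn(samba_admin_dn):
        return None
    # 2. Only Samba user profiles carry sambaNTPassword / sambaLMPassword.
    #    Object class names are case-insensitive in LDAP (sambaSamAccount).
    if "sambasamaccount" not in {oc.lower() for oc in entry.get("objectClass", [])}:
        return None
    # 3. The hash must be derived from clear text. A value that arrives already
    #    encoded, e.g. "{SSHA}...", cannot be converted, so nothing is synced.
    #    (Constructed check: a "{scheme}" prefix stands in for pre-encoding.)
    if new_password.startswith("{"):
        return None
    if policy == "sync-nt-password":
        return {"sambaNTPassword": nt_hash(new_password)}
    if policy == "sync-lm-password":
        raise NotImplementedError("LM hashing (DES over the upper-cased, "
                                  "14-byte password) is not shown in this example")
    raise ValueError(f"unknown pwd-sync-policy: {policy}")


# Constructed sample entries (not from the original page).
SAMBA_USER = {
    "dn": "uid=bjensen,ou=People,dc=example,dc=com",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "sambaSAMAccount"],
    "sambaSID": ["S-1-5-21-1-2-3-1000"],
}
PLAIN_USER = {
    "dn": "uid=kvaughan,ou=People,dc=example,dc=com",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
}

if __name__ == "__main__":
    # A user changing her own password: the plugin adds the NT hash.
    print(plan_samba_sync(SAMBA_USER, "password", SAMBA_USER["dn"]))
    # The same change made by the Samba Administrator is left alone.
    print(plan_samba_sync(SAMBA_USER, "password", SAMBA_ADMIN_DN))
```
]]></programlisting>

 <para>Run the script directly to see both outcomes. The third check is the
 one that bites in practice: clients that hash passwords before sending them,
 or LDIF imports of pre-encoded <literal>userPassword</literal> values, leave
 <literal>sambaNTPassword</literal> stale, and the user's Samba login keeps
 working with the old password.</para>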
 <procedure xml:id="setup-samba-administrator-account">
  <title>To Set Up a Samba Administrator Account</title>

  <para>The Samba Administrator synchronizes LDAP passwords after changing
  Samba passwords by issuing a Password Modify Extended Request. In Samba's
  configuration, <literal>ldap admin dn</literal> is set to the DN of this
  account. When the Samba Administrator changes a user password, the plugin
  ignores the change, so choose a distinct account different from Directory
  Manager and other administrators. Give it a strong, unique password: the
  account can reset any user's password, and Samba keeps its password in
  clear text in <literal>secrets.tdb</literal> (set with
  <literal>smbpasswd -w</literal>).</para>

  <step>
   <para>Create or choose an account for the Samba Administrator.</para>

   <screen>$ cat samba-admin.ldif
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: samba-admin
sn: samba-admin
uid: samba-admin
userPassword: password</computeroutput>
$ ldapmodify \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename samba-admin.ldif
<computeroutput>Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN uid=samba-admin,ou=Special Users,
 dc=example,dc=com</computeroutput></screen>
  </step>

  <step>
   <para>Ensure the Samba Administrator can reset user passwords.</para>

   <para>The <literal>password-reset</literal> privilege lets the account
   change other users' passwords through the Password Modify Extended
   Request. The ACI grants the account (<literal>userdn</literal>, not
   <literal>groupdn</literal>, since the subject is a user entry) all rights
   on everything under <literal>dc=example,dc=com</literal>. That is broader
   than password reset requires; if you narrow <literal>targetattr</literal>,
   the account still needs write access to <literal>userPassword</literal>
   and to the Samba password attributes the plugin maintains.</para>

   <screen>$ cat samba-admin-rights.ldif
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
 Samba Admin user rights"; allow(all) userdn ="ldap:///uid=samba-admin,ou=
 Special Users,dc=example,dc=com";)</computeroutput>
$ ldapmodify \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename samba-admin-rights.ldif
<computeroutput>Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
MODIFY operation successful for DN
 uid=samba-admin,ou=Special Users,dc=example,dc=com
Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com</computeroutput></screen>
  </step>
 </procedure>

 <procedure xml:id="setup-samba-pwd-plugin">
  <title>To Set Up the Samba Password Plugin</title>

  <step>
   <para>Determine whether the plugin must store passwords hashed like
   LanManager (<literal>sync-lm-password</literal>) or like Windows NT
   (<literal>sync-nt-password</literal>), based on how you set up Samba
   in your environment.</para>

   <para>The LanManager hash is much weaker than the NT hash: it is
   case-insensitive, limited to 14 characters, and built from two
   independently hashed 7-byte halves. Use
   <literal>sync-lm-password</literal> only if you still have clients that
   require LM authentication.</para>
  </step>

  <step>
   <para>Enable the plugin.</para>

   <screen>$ dsconfig set-plugin-prop \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Samba Password Synchronisation" \
 --set enabled:true \
 --set pwd-sync-policy:sync-nt-password \
 --set samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com"</screen>

   <para>At this point the Samba Password plugin is active.</para>
  </step>

  <step performance="optional">
   <para>When troubleshooting Samba Password plugin issues, you can turn on
   debug logging as follows: enable the File-Based Debug Logger, then add a
   debug target for the plugin's class.</para>

   <screen>$ dsconfig set-log-publisher-prop \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --set enabled:true
$ dsconfig create-debug-target \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --type generic \
 --target-name org.opends.server.plugins.SambaPasswordPlugin \
 --set debug-level:all</screen>

   <para>Debug logging is verbose and can record details of password change
   requests; disable the debug target and the logger again once you have
   finished troubleshooting.</para>
  </step>
 </procedure>
</chapter>