chap-samba.xml revision 51607ea01068c9047391e4c8b46bc9dbd0edb7fd
<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2013 ForgeRock AS
 !
-->
<chapter xml:id='chap-samba'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Samba Password Synchronization</title>
 <indexterm><primary>Samba</primary></indexterm>

 <para><link xlink:href="http://www.samba.org/" xlink:show="new">Samba</link>,
 the Windows interoperability suite for Linux and UNIX, stores its own account
 information because UNIX and Windows password storage mechanisms are not
 interoperable. The default account storage mechanism is designed to work well
 with relatively small numbers of accounts and with configurations that have a
 single domain controller. For larger installations, you can configure Samba to
 use OpenDJ to store Samba accounts. See the Samba documentation for your
 platform for instructions on configuring an LDAP directory server such as
 OpenDJ as a Samba passdb backend.</para>

 <para>The rest of this chapter focuses on how you keep passwords in sync when
 using OpenDJ for Samba account storage.</para>

 <para>When you store Samba accounts in OpenDJ, Samba stores its own attributes
 as defined in the Samba schema. Samba does not use the standard LDAP
 <literal>userPassword</literal> attribute to store users' Samba passwords.
 You can configure Samba to apply changes to Samba passwords to LDAP passwords
 as well. Yet if a user modifies her LDAP password directly without updating
 the Samba password, the LDAP and Samba passwords get out of sync.</para>

 <para>The OpenDJ Samba Password plugin resolves this problem for you. The
 plugin intercepts password changes to Samba user profiles, synchronizing the
 Samba password and LDAP password values. For an incoming Password Modify
 Extended Request or modify request that changes the user password, the plugin
 detects whether the user's entry is a Samba user profile (the entry has object
 class <literal>sambaSAMAccount</literal>), hashes the incoming password value,
 and applies the change to the appropriate Samba password attribute, keeping
 the values in sync. The plugin can perform synchronization only when the new
 password value is provided in clear text in the modification request; it
 cannot derive a Samba hash from an LDAP password that is already hashed. If
 you configure Samba to synchronize LDAP passwords when it changes Samba
 passwords, then the plugin ignores changes made by the Samba Administrator
 account to avoid duplicate synchronization.</para>
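 <para>As an added illustration (not code from the original page or from the
 OpenDJ project), the following Python models the decision described above:
 skip changes made by the Samba Administrator DN, act only on entries with
 object class <literal>sambaSAMAccount</literal>, and hash the clear-text
 password the way Samba stores its NT password. The attribute name
 <literal>sambaNTPassword</literal> comes from the Samba schema rather than
 from this page, the LanManager policy is deliberately left out, the DN
 comparison is a simplified case fold, and the user entry is constructed
 sample data.</para>

```python
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new("md4") needs OpenSSL's legacy
    provider, which current systems often disable, so it is written out here."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    # Pad to 56 mod 64 bytes, then append the bit length as 64-bit little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (len(data) * 8).to_bytes(8, "little")
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Per round: boolean function, message-word order, rotation amounts, additive constant.
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (H, [int(f"{i:04b}"[::-1], 2) for i in range(16)], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + j:off + j + 4], "little") for j in range(0, 64, 4)]
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[w] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))

def nt_hash(password: str) -> str:
    """NT hash as Samba stores it: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def plan_samba_sync(entry, requester_dn, samba_admin_dn, policy, new_password):
    """Return the attribute update the plugin would apply, or None when it stays out.
    The DN comparison is a simplified case fold, not full LDAP DN normalisation."""
    if requester_dn.lower() == samba_admin_dn.lower():
        return None  # Samba itself already updated both passwords: avoid a duplicate write
    if "sambaSAMAccount" not in entry.get("objectClass", []):
        return None  # not a Samba user profile, nothing to keep in sync
    if policy != "sync-nt-password":
        raise NotImplementedError("only sync-nt-password is modelled; LanManager hashing is omitted")
    return {"sambaNTPassword": nt_hash(new_password)}  # attribute name from the Samba schema

# Constructed sample data (not from the original page); the admin DN matches the chapter's example.
SAMBA_ADMIN_DN = "uid=samba-admin,ou=Special Users,dc=example,dc=com"
USER_ENTRY = {
    "objectClass": ["top", "person", "inetOrgPerson", "sambaSAMAccount"],
    "sambaNTPassword": nt_hash("old-password"),
}
```

Comparing <literal>nt_hash</literal> of a known clear-text value against the stored attribute is also a quick way to confirm that a change was synchronized.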

 <procedure xml:id="setup-samba-administrator-account">
 <title>To Set Up a Samba Administrator Account</title>

 <para>The Samba Administrator synchronizes LDAP passwords after changing
 Samba passwords by issuing a Password Modify Extended Request. In Samba's
 <filename>smb.conf</filename> configuration file, the value of
 <literal>ldap admin dn</literal> is set to the DN of this account. When
 the Samba Administrator changes a user password, the plugin ignores the
 change, so use a distinct account for this purpose, different from Directory
 Manager and other administrators; otherwise password changes made by those
 administrators would not be synchronized.</para>

 <step>
 <para>Create or choose an account for the Samba Administrator.</para>
 <screen>$ cat samba.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
cn: Samba Administrator
givenName: Samba
mail: samba@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
sn: Administrator
uid: samba-admin
userPassword: password

$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename samba.ldif
Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN uid=samba-admin,ou=Special Users,
 dc=example,dc=com</screen>
 </step>
 <step>
 <para>Ensure the Samba Administrator can reset user passwords. The ACI
 below grants the Samba Administrator all rights on all attributes under
 <literal>dc=example,dc=com</literal>; narrow the target and attributes to
 what your Samba deployment actually needs.</para>
 <screen>$ cat samba-rights.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
 Samba Admin user rights"; allow(all) userdn ="ldap:///uid=samba-admin,ou=
 Special Users,dc=example,dc=com";)

$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename samba-rights.ldif
Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
MODIFY operation successful for DN
 uid=samba-admin,ou=Special Users,dc=example,dc=com
Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com</screen>
 </step>
 </procedure>

 <procedure xml:id="setup-samba-pwd-plugin">
 <title>To Set Up the Samba Password Plugin</title>

 <step>
 <para>Determine whether the plugin must store passwords hashed like
 LanManager (<literal>sync-lm-password</literal>) or like Windows NT
 (<literal>sync-nt-password</literal>), based on how you set up Samba
 in your environment.</para>
 </step>
 <step>
 <para>Enable the plugin.</para>
 <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Samba Password Synchronisation"
 --type samba-password
 --set enabled:true
 --set pwd-sync-policy:sync-nt-password
 --set
 samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com"
 --trustAll
 --no-prompt</screen>
 <para>At this point the Samba Password plugin is active.</para>
 </step>
 <step performance="optional">
 <para>When troubleshooting Samba Password plugin issues, you can turn on
 debug logging as follows.</para>
 <screen>$ dsconfig
 create-debug-target
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --target-name org.opends.server.plugins.SambaPasswordPlugin
 --set debug-level:all
 --trustAll
 --no-prompt
$ dsconfig
 set-log-publisher-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
 </step>
 </procedure>
</chapter>