[Samba] change ldap accounts to samba ldap accounts - Samba

This is a discussion on [Samba] change ldap accounts to samba ldap accounts - Samba ; Hi i've got a situation where i need to add samba support to every acccount in my ldap database. I already have an ldap database populated with a couple hundred users and need to be able to use the same ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: [Samba] change ldap accounts to samba ldap accounts

  1. [Samba] change ldap accounts to samba ldap accounts

    Hi i've got a situation where i need to add samba support to every
    acccount in my ldap database.
    I already have an ldap database populated with a couple hundred users
    and need to be able to use the same password they use for their login as
    for their samba accounts.
    Is there anyway to add all the samba attributes to their ldap accounts
    and also migrate their passwords from the standard md5 unix passwords to
    sambaLM and sambaNT password like via script or something?
    I looked at the smbldap-tools but i don't see any clear explanation of
    them. I might be confused as for if those are what i need or not.

    To make things short.
    I want all my existing ldap users to have a single password in ldap
    without having to do a "smbpasswd -a username" for every account

    Thanks.
    James
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. [Samba] Re: change ldap accounts to samba ldap accounts

    James Tran wrote:
    > Hi i've got a situation where i need to add samba support to every
    > acccount in my ldap database.
    > I already have an ldap database populated with a couple hundred users
    > and need to be able to use the same password they use for their login as
    > for their samba accounts.
    > Is there anyway to add all the samba attributes to their ldap accounts
    > and also migrate their passwords from the standard md5 unix passwords to
    > sambaLM and sambaNT password like via script or something?

    Yes and No. You can manually add the required attributes from
    samba.schema with ldapmodify or something similar. You cannot convert
    the md5 hash, hashes are one-way that's the point of having them.

    > To make things short.
    > I want all my existing ldap users to have a single password in ldap
    > without having to do a "smbpasswd -a username" for every account

    You need all three attributes (userPassword, sambaLM..., sambaNT...),
    samba can update the unix password if users change the password from
    windows clients (sync ldap password = yes, OTOH). If you don't want to
    have new passwords you'd need access to the cleartext passwords or
    require users to change their password and intercept this to get the pw...

    cheers
    Paul

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  3. Re: [Samba] Re: change ldap accounts to samba ldap accounts

    paul kölle wrote:
    > James Tran wrote:
    >
    >> Hi i've got a situation where i need to add samba support to every
    >> acccount in my ldap database.
    >> I already have an ldap database populated with a couple hundred users
    >> and need to be able to use the same password they use for their login as
    >> for their samba accounts.
    >> Is there anyway to add all the samba attributes to their ldap accounts
    >> and also migrate their passwords from the standard md5 unix passwords to
    >> sambaLM and sambaNT password like via script or something?
    >>

    > Yes and No. You can manually add the required attributes from
    > samba.schema with ldapmodify or something similar. You cannot convert
    > the md5 hash, hashes are one-way that's the point of having them.
    >
    >
    >> To make things short.
    >> I want all my existing ldap users to have a single password in ldap
    >> without having to do a "smbpasswd -a username" for every account
    >>

    > You need all three attributes (userPassword, sambaLM..., sambaNT...),
    > samba can update the unix password if users change the password from
    > windows clients (sync ldap password = yes, OTOH). If you don't want to
    > have new passwords you'd need access to the cleartext passwords or
    > require users to change their password and intercept this to get the pw...
    >
    > cheers
    > Paul
    >
    >

    Ok since i can't do that stuff i have another idea.

    The passdb.tdb file has all the samba passwords right?
    Is there a way i can transfer the passwords from there into an ldap
    directory easily for users?
    I'm obviously trying to take the most lazy route for things but that's
    what being a sysadmin is about right?

    That and is there a way to just populate all the users in an ldap ou
    with the ldap schema without having to touch every entry?
    like for instance i have an ou=People that i want all the entries in
    there to automatically gain the attributes of a SambaSamAccount with the
    exception of a password cause obviously i need to do that some other
    way. Anything like that?

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  4. Re: [Samba] Re: change ldap accounts to samba ldap accounts

    cyrus wrote:
    > James Tran wrote:
    > [snipp]
    >
    >
    >
    >> Ok since i can't do that stuff i have another idea.
    >>
    >> The passdb.tdb file has all the samba passwords right?
    >> Is there a way i can transfer the passwords from there into an ldap
    >> directory easily for users?
    >>

    > if you already have users and password in some backend you might want to
    > look at pdbedit and its -e and -i switches. e.g. ldap properly
    > configured as a passdb backend:
    >
    > pdbedit -e tdbsam -i ldapsam (try this with a test ldap store first!!!)
    >
    > cheers
    > Paul
    >

    that worked like a bloody charm... thank you.
    Saved me hours of editing user accounts for ldap samba access.
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  5. Re: [Samba] Re: change ldap accounts to samba ldap accounts

    James Tran wrote:
    [snipp]


    > Ok since i can't do that stuff i have another idea.
    >
    > The passdb.tdb file has all the samba passwords right?
    > Is there a way i can transfer the passwords from there into an ldap
    > directory easily for users?

    if you already have users and password in some backend you might want to
    look at pdbedit and its -e and -i switches. e.g. ldap properly
    configured as a passdb backend:

    pdbedit -e tdbsam -i ldapsam (try this with a test ldap store first!!!)

    cheers
    Paul

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

+ Reply to Thread