How to have samba password changed from linux ldap client?

You can achieve this by using OpenLDAP's smbk5pwd overlay.

This overlay needs to be added to your slapd configuration. Then, any password changes via the exop "Change password" operation will also update Samba (and optionally Kerberos) passwords.

You can simply configure your Ubuntu desktops to use the exop password change operation through /etc/ldap.conf.


The way to enable this has changed over the last ten years, so I've written up a post that explains how to enable smbk5pwd in simple terms here.

Short version:

  • Install the LDAP contrib modules, e.g. for Debian-based systems:

sudo apt install slapd-contrib

  • Tell OpenLDAP to load the module

Create smbk5pwd-module.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}smbk5pwd.la

and apply:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-module.ldif

  • Configure the module

Create smbk5pwd-overlay.ldif

dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 0

and apply:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-overlay.ldif

olcSmbK5PwdMustChange is the password expiry time in seconds, like 5184000 for two months, or 31968000 for annual changes with a five day grace period. 0 means no expiry.
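A post-change sanity check for the setup described above, as an added example that is not part of either answer or of OpenLDAP: it reads one user entry in LDIF form and confirms the Samba attributes were written together. It assumes the overlay updates sambaNTPassword and sambaPwdLastSet on an exop change and, when olcSmbK5PwdMustChange is nonzero, sets sambaPwdMustChange to the change time plus that value; the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# check_samba_sync MUST_CHANGE_SECONDS < entry.ldif
# Hypothetical helper: verifies that a user entry (LDIF on stdin) carries
# Samba attributes consistent with a single password change via smbk5pwd.
# Real input would come from something like:
#   ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "<your-base-dn>" \
#     "(uid=<user>)" sambaNTPassword sambaPwdLastSet sambaPwdMustChange
check_samba_sync() {
    awk -v must="$1" '
        # LDIF "attribute: value" lines; remember the three we care about
        /^sambaNTPassword: /    { nt = $2 }
        /^sambaPwdLastSet: /    { last = $2 }
        /^sambaPwdMustChange: / { expiry = $2 }
        END {
            # NT hash is stored as 32 hex digits
            if (length(nt) != 32 || nt !~ /^[0-9A-Fa-f]+$/) {
                print "FAIL: sambaNTPassword missing or malformed"; exit 1
            }
            if (last !~ /^[0-9]+$/) {
                print "FAIL: sambaPwdLastSet missing"; exit 1
            }
            # With a nonzero expiry setting, expiry must be last-set + setting.
            # 0 means no expiry, so the attribute is not checked.
            if (must + 0 > 0 && expiry - last != must) {
                print "FAIL: sambaPwdMustChange does not match expiry setting"
                exit 1
            }
            print "OK"
        }'
}

# Constructed sample entry (not real data): password set at 1700000000,
# expiry 5184000 seconds (two months) later.
sample_entry() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1700000000
sambaPwdMustChange: 1705184000
EOF
}

# Demo run against the constructed entry
sample_entry | check_samba_sync 5184000
```

A stale sambaPwdLastSet or a mismatched expiry after a client-side password change suggests the client is writing userPassword directly instead of using the exop operation, so the overlay never runs.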