Samba changed its LDAP usage between Etch and Lenny: some new attributes were added. For users updating from Etch to Lenny we need to provide a script which adds the needed attributes automatically.
New attributes
A diff between the LDAP tree of an Etch (terra) install of Debian Edu and a Lenny system where Samba was allowed to modify the LDAP tree freely. The modifications were made during a conversion from tdbsam to ldapsam with pdbedit -i tdbsam -e ldapsam.
Only the attributes not found on Edu Etch are listed:
Key (attribute) | Value on the Lenny system | Description of the key | Proposed value for convert
sambaLogonTime | 0 | Timestamp of the last time the user logged into the domain | 0
sambaLogoffTime | 2147483647 | Timestamp of the last time the user logged out of the domain (or a computer in the domain) | 0
sambaKickoffTime | 2147483647 | Timestamp of the (next) automatic logoff | 0
sambaPwdCanChange | 1130714645 | Timestamp of when the user is first allowed to change his/her password | 0
sambaPwdMustChange | 2147483647 | Timestamp of when the password will expire | 0
sambaPasswordHistory | 64 zeros | Hashes of old passwords, not updated by default | 64 zeros
sambaPwdLastSet | 1130714645 | Timestamp of when the password was last changed | 4294967295 (do not expire password)
sambaLogonHours | 42 capital Fs | Times when the user is allowed to log in, in the GMT timezone | 42 capital Fs
sambaBadPasswordCount | 0 | How often a wrong password was tried | 0
sambaBadPasswordTime | 0 | Timestamp of when the last failed attempt was | 0
Update script for Etch -> Lenny updates
This is about a proposed update script, which still needs to be written.
- The update script connects to the running LDAP daemon and walks through the tree. It needs to ask for the admin password.
- On every user node found it adds the missing attributes.
- It prints a short statistic on how many changes were done.
One way to add the 'sambaPwdLastSet' attribute to all Samba users is:
    ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
        -b 'ou=People,dc=skole,dc=skolelinux,dc=no' \
        -s one '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))' dn \
        | sed '/.\+/a\changetype: modify\nadd:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' \
        > /etc/ldap/fixamba.ldif
    ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
        -f /etc/ldap/fixamba.ldif
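The same search-then-ldapmodify approach, extended to every attribute in the table and with the per-attribute statistic the proposed script should print, as an added example that is not part of this page or of Debian Edu. It assumes the input is `ldapsearch -LLL` output for `(objectClass=sambaSamAccount)` that also requested the samba attributes (so missing ones can be detected), and that the emitted LDIF is fed to `ldapmodify -f`; the entries under `ou=People,dc=skole,dc=skolelinux,dc=no` are constructed sample data.

```python
# Lenny-only sambaSamAccount attributes with the proposed values from the table above.
PROPOSED = dict.fromkeys(["sambaLogonTime", "sambaLogoffTime", "sambaKickoffTime",
                          "sambaPwdCanChange", "sambaPwdMustChange",
                          "sambaBadPasswordCount", "sambaBadPasswordTime"], "0")
PROPOSED.update({
    "sambaPasswordHistory": "0" * 64,
    "sambaPwdLastSet": "4294967295",  # the table's "do not expire password"
    "sambaLogonHours": "F" * 42,      # logon permitted at all hours
})

def parse_ldif_entries(text):
    """Split 'ldapsearch -LLL' output into (dn_line, {attribute names}) per entry;
    the dn line is kept verbatim so a base64 'dn::' DN round-trips unchanged."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        elif raw == "" and lines:                # blank line closes the entry
            entries.append(lines)
            lines = []
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return [(ls[0], {l.partition(":")[0] for l in ls[1:]}) for ls in entries]

def build_modify_ldif(entries):
    """Return (LDIF text, per-attribute count) that adds each missing attribute
    as one 'changetype: modify' record per user, ready for ldapmodify -f."""
    out, stats = [], {}
    for dn_line, attrs in entries:
        missing = [a for a in PROPOSED if a not in attrs]
        if not missing:                          # already converted, skip
            continue
        out.append(dn_line + "\nchangetype: modify")
        for attr in missing:
            out.append("add: %s\n%s: %s\n-" % (attr, attr, PROPOSED[attr]))
            stats[attr] = stats.get(attr, 0) + 1
        out.append("")                           # blank line ends the record
    return "\n".join(out), stats

def sample_user(uid, present):                   # constructed entry, not real directory data
    return ("dn: uid=%s,ou=People,dc=skole,dc=skolelinux,dc=no\n"
            "objectClass: sambaSamAccount\n" % uid
            + "".join("%s: %s\n" % (a, PROPOSED[a]) for a in present) + "\n")

# Constructed sample: an untouched Etch account, one already converted, one lacking only sambaPwdLastSet.
SAMPLE = (sample_user("etchuser", [])
          + sample_user("lennyuser", PROPOSED)
          + sample_user("partial", [a for a in PROPOSED if a != "sambaPwdLastSet"]))
LDIF, STATS = build_modify_ldif(parse_ldif_entries(SAMPLE))
```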
Official docs
This section lists issues and solutions that appear in the official Samba documentation.
Samba HOWTO: Chapter 9. Important and Critical Change Notes for the Samba 3.x Series
- Addition of index sambaSID sub to the slapd.conf configuration file.
- Mappings for the Windows domain groups Domain Admins, Domain Users and Domain Guests need to be created by the Samba administrator.
Samba HOWTO: Chapter 35. Updating and Upgrading Samba
- If there is no time to update the LDAP database, then make sure that passdb backend = ldapsam_compat is specified in the smb.conf file.
- It is possible to migrate the old LDAP database to the new one with the pdbedit tool.
New Parameters
Some of the many newly introduced smb.conf options that may be of interest:
- ldap password sync
- hide special files
- hide unwriteable files
- map read only
Modified Parameters (Changes in Behavior)
Some of the changed parameters that may affect our system:
- mangling method (set to hash2 by default)
- passwd program
Changes in Behavior
When adding machines to a Samba-2.2 controlled domain, the “add user script” was used to create the UNIX identity of the machine trust account. Samba-3 introduces a new “add machine script” that must be specified for this purpose. Samba-3 will not fall back to using the “add user script” in the absence of an “add machine script”.
LDAP
This section outlines the new features affecting Samba/LDAP integration; it is relevant as a whole and is not reproduced here. It covers these topics: New Schema and schema conversion, New Suffix for Searching (already implemented) and IdMap LDAP Support.
The reference guide cited above seems somewhat outdated; I regard it as informative, not authoritative. To supplement this information I searched the release notes of Samba for the attributes mentioned here. That returned results for sambaPwdLastSet and for sambaPasswordHistory and no results for the rest.
- sambaPwdLastSet: Seems to be the only required change. Since Samba 3.0.2 a last change time (the sambaPwdLastSet attribute in ldapsam) of zero (0) is regarded as uninitialized; for some reason initialization of the last change time (to something other than zero) only became mandatory, and thus apparent, in Lenny with Samba 3.2.5, see bug#532859.
- sambaPasswordHistory: A "new" password history feature was introduced in Samba 3.0.6 with the ldapsam sambaPasswordHistory attribute. As Debian Edu doesn't make use of the password history feature it is probably best to ignore this attribute and leave its implementation to interested system admins. In any case the necessary measures to secure this attribute in slapd.conf are in place.