[Freeipa-users] Keep Samba password in sync with userpassword and kerberos password

[Simo Sorce]

On Mon, 2012-10-01 at 17:03 -0400, Qing Chang wrote:
> In a thread on Freeipa-devel titled "freeIPA as a samba backend" there
> is a statement as below:
> =====
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  
> 389 cannot do this - the functionality that does this is provided by
> an IPA password plugin.  Openldap has a similar plugin, but I 
> think it is "contrib" and not "officially supported".
> ======
> 
> Can someone please point me to where I can find this plugin and
> configured it to keep all passwords listed above in sync?

The plugin is automatically enabled in IPA, it is the only way to change
passwords.

> I am unable to find detailed information on password plugin in IPA 2.2
> doc. 
> 
> My intention is to provide my Windows users (accounts on IPA server)
> IPA web interface only for changing their password. 

If you need to write a tool to change passwords keep in ming you can use
ldappasswd and pass it old/new user password.

> I am using Samba 3.0.23d as a standalone server because this is a last
> version that does not check for SIDs strictly...
> 
more recent versions of samba can also use the ldappasswd method.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York