Syncing LDAP passwords with Samba

Ok, this is just a quick post because I’ve managed to find an answer to a simple question that doesn’t have a clear single answer anywhere.

Say you have an OpenLDAP server which you use to authenticate Samba users (and no, you're not using Samba's own LDAP service, because you really don't want to run an Active Directory domain). You're also using your LDAP accounts to authenticate a few other services (website logins, Nextcloud, whatever), and so, as good security practice requires, you want your users to be able to change their passwords.

Clearly, it's best if they can change their password in one place and have that single password used by all services. Let's say that, because of user interface choices and the fact that some of your users don't use Windows at all, you are using one of the LDAP-connected services to handle password changes (it has some fairly good password checking rules).

There is a way to get OpenLDAP to automatically change the Samba password (and/or a Kerberos password, if you have one of those) when users change their main LDAP account password. It's called smbk5pwd (obviously), and it's a contributed overlay (so not part of the main OpenLDAP project). To install it on a Debian/Ubuntu based system, the command is

sudo apt install slapd-contrib

It used to be in slapd-smbk5pwd, but you can save yourself the hassle of installing a deprecated, empty package by just installing the contrib one.

Installing it is not sufficient in and of itself, though. You then need to tell your OpenLDAP server how to use that module, which involves two simple steps. (This post has been updated to remove the unnecessary step of adding a schema.)

Enable the module

The first step is to tell your OpenLDAP server that the module exists. For this we need an ldif file. Assuming you already have your database backend installed as a module in the same directory that the smbk5pwd module has been installed to, and no other modules, you can get away with this very minimal ldif file:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}smbk5pwd

Let's break down what this file is saying. We're going to use ldapmodify for this, so dn: cn=module{0},cn=config describes which part of the config will be changed. Under the /etc/ldap/slapd.d folder, it goes to the sub-folder cn=config and opens a file called cn=module{0}.ldif. The .ldif extension is there because there are no further levels in the hierarchy. The changetype is "modify", so we are making changes to that existing ldif file: we are adding an element to the olcModuleLoad item. If your /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file already lists more than one element for olcModuleLoad, you'll need to change the number from {1} to whatever the next number is. So we're adding the second (index {1}) item to the olcModuleLoad list, and that loads the module definition into OpenLDAP.

What we've left out of this ldif file is the path to the module, because your /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file most likely already has an item in it like olcModulePath: /usr/lib/ldap. If for some reason you don't have that, or your modules live in a different directory, you'll need to either include an add for that item or make your olcModuleLoad values include full paths. But generally you should have at least one module loaded already, and they should all be in /usr/lib/ldap.
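Working out the right {n} index by hand is easy to get wrong on a server that already loads several modules, so here is an added example (not code from the original post) that reads the existing cn=module{0} entry, skips the change if smbk5pwd is already loaded, picks the next free index, and falls back to a full path when olcModulePath is absent. The sample entry below is constructed to look like a stock Debian install; replace it with your own ldapsearch output.

```python
import re

# Constructed sample of what a stock Debian install returns for
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config"
# (only the mdb backend loaded). Replace it with your own output.
SAMPLE_MODULE_ENTRY = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
"""

def parse_entry(ldif: str) -> dict:
    """Collect attribute values from a single, unwrapped LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
    return attrs

def module_ldif(entry: str, module: str = "smbk5pwd"):
    """Return the ldapmodify LDIF that loads `module`, or None if it is loaded already."""
    attrs = parse_entry(entry)
    loads = attrs.get("olcModuleLoad", [])
    # values look like "{0}back_mdb" or "{2}/usr/lib/ldap/smbk5pwd.la"
    names = [re.sub(r"\.(la|so)$", "", re.sub(r"^\{\d+\}", "", v).rsplit("/", 1)[-1])
             for v in loads]
    if module in names:
        return None
    # next free position is one past the highest {n} already present
    idxs = [int(m.group(1)) for v in loads if (m := re.match(r"\{(\d+)\}", v))]
    idx = max(idxs, default=-1) + 1
    if "olcModulePath" in attrs:
        value = f"{{{idx}}}{module}"                    # resolved via olcModulePath
    else:
        value = f"{{{idx}}}/usr/lib/ldap/{module}.la"   # no search path: spell it out
    return (f"dn: {attrs['dn'][0]}\n"
            "changetype: modify\n"
            "add: olcModuleLoad\n"
            f"olcModuleLoad: {value}\n")

if __name__ == "__main__":
    print(module_ldif(SAMPLE_MODULE_ENTRY) or "smbk5pwd is already loaded")
```

Feed the printed LDIF to ldapmodify exactly as described below; with the sample entry it produces the same four lines as the hand-written file above.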

If this seems like a complex way to modify a config file that you could just open and edit as root, I agree, but there's work going on in the background that ensures your LDAP configuration doesn't get broken by a typo, which would leave you unable to authenticate and therefore unable to make any further changes.

Apply that ldif file:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-module.ldif

We’re nearly there!

Configure the module

Ok, the last step is to get that module actually configured, as per the man page. You'll need another ldif file:

dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 0

In this case we are adding a new file, /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}smbk5pwd.ldif (the LDAP naming hierarchy runs in reverse to the file system hierarchy). If you want to force your users to change their passwords regularly due to nonsensical security theatre notions, you can change that last 0 to a number of seconds, like 5184000 for two months, or 31968000 for annual changes with a five day grace period. But really, if you want to push your users towards better security, you should be implementing two-factor authentication and pushing them towards that.

Apply this file just like the last:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbk5pwd-overlay.ldif

And you should now have working password syncing: when a user changes their LDAP password, their sambaLMPassword and sambaNTPassword will be changed to match.
