B.5 Samba Passwords

Before creating or enabling eDirectory users for Samba access, it is important to understand certain requirements regarding Samba passwords.

The preferred method for Samba authentication in OES involves the use of a Universal Password (UP) policy in eDirectory. The primary reason for this is that it eliminates the need for password synchronization when users change their passwords in eDirectory.

The first time you install Samba on an OES Linux server in a given eDirectory tree, the install creates a Universal Password (UP) policy in the tree named Samba Default Password Policy. The policy is located in eDirectory > Security > Password Policies.

Alternatively, you can choose the Samba hash method of authentication, but this is not recommended. For more information, see Section B.5.4, About Samba Hash Passwords.

The following sections explain the issues associated with Universal Password and Samba hash passwords.

B.5.1 Be Sure to Use Samba-Qualified Universal Password Policies

For a Password Policy to qualify for use by Samba users, the following configuration options must be enabled on the iManager > Roles and Tasks > Passwords > Password Policies > the Universal Password tabbed page:

  • Enable Universal Password
  • Allow Admin to Retrieve Password

B.5.2 Creating New Samba-Qualified Password Policies

  1. Log in to iManager, then click Roles and Tasks > Passwords > Password Policies > New.

  2. Name the policy, then click Next.

  3. At the Would you like to enable Universal Password? prompt, click Yes.

  4. Click View Options.

  5. Select the Allow Admin to Retrieve Password option.

  6. Continue creating the policy and in Step 7 of 8 assign it as follows:

    If you are using the smbbulkadd utility to enable Samba users you must assign it to either

    • Each User object being enabled

      or

    • The Organizational Unit parents of your User objects

    If you are using iManager to enable Samba Users, assign the policy to either

    • Each User object being enabled
    • The Organization Unit Parents of your User objects

      or

    • The Organization object at the root of the tree above the User objects.

  7. Click Next.

  8. Click Finish.

  9. Click Close.

B.5.3 Modifying Existing Password Policies for Samba

  1. Log in to iManager, then click Roles and Tasks > Passwords > Password Policies

  2. Select a policy, then click Edit.

  3. Make whatever changes you need.

  4. In the drop-down list, click Configuration Options, or in Internet Explorer click the Universal Password tab, then click the Configuration Options link.

  5. Make sure the Enable Universal Password and the Allow Admin to Retrieve Password options are both selected.

  6. In the drop-down list, click Policy Assignment, or in Internet Explorer click the Policy Assignment tab.

  7. If you are using the smbbulkadd utility to enable Samba users you must assign it to either

    • Each User object being enabled

      or

    • The Organizational Unit parents of your User objects

    If you are using iManager to enable Samba Users, assign the policy to either

    • Each User object being enabled
    • The Organization Unit Parents of your User objects

      or

    • The Organization object at the root of the tree above the User objects.

  8. Click Apply.

  9. Click OK.

B.5.4 About Samba Hash Passwords

Passwords can be stored as a Samba hash in eDirectory, but this is not recommended because Samba hash passwords are less secure and users must remember to synchronize their password with each password change.

When you create a new Samba user or enable an existing user for Samba, if the user has a nonqualifying password policy associated with it, you get a message encouraging you to replace the policy with the default Samba policy. The alternative is to use the Samba hash password and the existing nonqualifying password policy.

NOTE:The choice to use a Samba hash is presented only when the user has a nonqualifying password policy assigned. And the recommended course of action when this occurs is to either modify the nonqualifying password policy to be Samba compliant, or assign a Samba-compliant policy rather than choosing to use the Samba hash.

If you choose to use the Samba hash password instead of a qualifying Samba password policy, and users change their eDirectory password, they must manually synchronize their eDirectory and Samba Hash (simple) passwords. For example, in Virtual Office, they must ensure that the Synchronize Samba Password option is selected (checked). Otherwise, their passwords are not synchronized and they cannot access Samba.