10.2 Samba Passwords

Before creating or enabling eDirectory users for Samba access, it is important to understand certain requirements regarding Samba passwords.

The preferred method for Samba authentication in OES involves the use of a Universal Password (UP) policy in eDirectory. The primary reason for this is that it eliminates the need for password synchronization when users change their passwords in eDirectory.

The first time you install Samba on an OES Linux server in a given eDirectory tree, the install creates a Universal Password (UP) policy in the tree named Samba Default Password Policy. The policy is located in eDirectory > Security > Password Policies.

The following sections explain the issues associated with Universal Password and Samba.

10.2.1 Setting a Universal Password for an Existing User

You can set a Universal Password for an existing eDirectory user by using iManager > Passwords > Set Universal Password. However, if you do this, you have changed the user’s password and you must notify the user of the change.

Some organizations have set up portals for users to change their passwords. After a password policy is set, send the users to the portal to reset the password so both the NDS and Universal Password are set.

10.2.2 Be Sure to Use Samba-Qualified Universal Password Policies

For a Password Policy to qualify for use by Samba users, the following configuration options must be enabled on the iManager > Passwords > Password Policies > the Universal Password tabbed page:

  • Enable Universal Password

  • Allow Admin to Retrieve Password

10.2.3 Creating a New Samba-Qualified Password Policy

  1. Log in to iManager, then click Passwords > Password Policies > New.

  2. Name the policy, then click Next.

  3. At the Would you like to enable Universal Password? prompt, click Yes.

  4. Click View Options.

  5. Select the Allow Admin to Retrieve Password option.

  6. Continue creating the policy and in Step 7 of 8 assign it as follows:

    If you are using the smbbulkadd utility to enable Samba users you must assign it to either

    • Each User object being enabled

      or

    • The Organizational Unit of your User objects

    If you are using iManager to enable Samba Users, assign the policy to either

    • Each User object being enabled

    • The Organization Unit of your User objects

      or

    • The Organization object at the root of the tree above the User objects.

  7. Click Next.

  8. Click Finish.

  9. Click Close.

10.2.4 Modifying an Existing Password Policy for Samba

  1. Log in to iManager, then click Passwords > Password Policies

  2. Select a policy, then click Edit.

  3. Make whatever changes you need.

  4. In the drop-down list, click Configuration Options, or in Internet Explorer click the Universal Password tab, then click the Configuration Options link.

  5. Make sure the Enable Universal Password and the Allow Admin to Retrieve Password options are both selected.

  6. In the drop-down list, click Policy Assignment, or in Internet Explorer click the Policy Assignment tab.

  7. If you are using the smbbulkadd utility to enable Samba users you must assign it to either

    • Each User object being enabled

      or

    • The Organizational Unit of your User objects

    If you are using iManager to enable Samba Users, assign the policy to either

    • Each User object being enabled

    • The Organization Unit of your User objects

      or

    • The Organization object at the root of the tree above the User objects.

  8. Click Apply.

  9. Click OK.