Bug 444603

Summary: Make it possible to promote posixAccounts to sambaSamAccount in LDAP
Product: [openSUSE] openSUSE 11.1
Reporter: Stefan Brüns <stefan.bruens>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FEATURE
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
CC: jmcdonough, ralf, samba-maintainers
Version: Factory
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stefan Brüns 2008-11-13 12:30:05 UTC
At the moment, whether a user has a samba account can only be decided when the account is created.

If a samba account shall be added later for a user, this is not possible with the Yast UsersPluginSamba, as this requires changing the password (or setting the same password again).

IMHO, this restriction is too strict. The following should be possible:
- Activate the samba account for the user
  : this should add the sambaSamAccount objectClass to the user,
  : at least set the user sid, optionally the group sid
  : leave the password empty
- The user can then later on change/reset his password with "passwd"
  : The user has a valid posixAccount, which allows him to authenticate
  : himself against LDAP.
  : if there is an LDAP ACL "access to attrs=sambaNTPassword by self write",
  : the user is able to set his samba password even without a preexisting
  : samba password
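
The promotion requested in the description above, as an added example that is not part of the original report or of YaST: a Python helper that builds the LDIF modify adding sambaSamAccount and a SID to an existing posixAccount entry while writing no password attributes. The function name, the sample entry, the domain SID and the algorithmic RID mapping (uid*2 + 1000 for users, gid*2 + 1001 for groups) are assumptions; sites that allocate RIDs differently must substitute their own.

```python
import re

SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")
RID_BASE = 1000  # assumption: Samba's default "algorithmic rid base"


def promote_ldif(entry, domain_sid, with_group_sid=False):
    """Build an LDIF modify that adds sambaSamAccount to a posixAccount.

    entry is a dict with 'dn' plus attribute lists as read from LDAP.
    No sambaNTPassword/sambaLMPassword is emitted, so the account has no
    SMB credential until the user (or an admin) sets one later.
    """
    if not SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    dn = entry["dn"]
    if not dn.isascii() or dn[:1] in (" ", ":", "<"):
        raise ValueError("DN needs base64 LDIF encoding, not handled here")
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        raise ValueError("entry is not a posixAccount")
    if "sambasamaccount" in classes:
        raise ValueError("entry already is a sambaSamAccount")
    if not entry.get("uid"):
        raise ValueError("sambaSamAccount requires the uid attribute")
    user_rid = int(entry["uidNumber"][0]) * 2 + RID_BASE
    lines = ["dn: " + dn, "changetype: modify",
             "add: objectClass", "objectClass: sambaSamAccount", "-",
             "add: sambaSID", "sambaSID: %s-%d" % (domain_sid, user_rid), "-"]
    if with_group_sid:  # optional, as in the request
        group_rid = int(entry["gidNumber"][0]) * 2 + RID_BASE + 1
        lines += ["add: sambaPrimaryGroupSID",
                  "sambaPrimaryGroupSID: %s-%d" % (domain_sid, group_rid), "-"]
    return "\n".join(lines) + "\n"


# Constructed sample data, not taken from any real directory.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["jdoe"], "uidNumber": ["1001"], "gidNumber": ["100"],
}

if __name__ == "__main__":
    print(promote_ldif(SAMPLE_ENTRY, SAMPLE_SID, with_group_sid=True))
```
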
Comment 1 Jiří Suchomel 2008-11-18 09:02:05 UTC
Hm, the plugin should be able to add itself, without the change of the password. Ralf, could you comment?
Comment 2 Ralf Haferkamp 2008-11-18 09:26:46 UTC
The above described scenario is just one corner case where having no sambaNTPassword/sambaLMPassword could work out. Unfortunately:

1. Our samba configuration as created by YaST by default disallows write access to the samba*Password attributes, IIRC.
2. The user might be a pure Windows User, so he can't set his initial samba password using his Linux/Unix Account.

Maybe we should move this as a feature request to Fate, though. And discuss with the samba team how things can be improved in the future.
Comment 5 Jiří Suchomel 2008-12-04 07:11:02 UTC
So it is finally a feature