[midPoint] How to create Samba password for LDAP users on Linux server
Brad Firestone
bhotrock at gmail.com
Thu Sep 21 19:32:43 CEST 2023
I am trying to configure midPoint provisioned user accounts for access
to Samba shares on a Linux server. The goal is to allow users to access
the Samba shares with their midPoint credentials that are used for
various other systems. I have successfully configured SSSD on the Linux
server to get users/groups from an OpenLDAP server that is connected to
midPoint. I can successfully log in to the Linux server shell using
midPoint user/password.

But what I haven't yet figured out is how to set the Samba password to
the midPoint user's password. Manually setting the Samba password is
done by running the following command, locally on the server:
smbpasswd -a username
(where "username" is an LDAP user account/midPoint user "name"
provisioned on the Linux server through SSSD), and then entering the
desired password, pressing "enter", repeating the password, and pressing
"enter" again.

I'm thinking that I could possibly use the Unix connector, or the SSH
connector to accomplish this, but haven't found examples for this. I'm
pretty sure I can figure out a bash script that will automate the
process, but I'm not sure how to trigger the script, and pass the
attributes for username and password. I'm also wondering how timing
might work for this. I'm not sure that SSSD will pick up new LDAP users
immediately or not. And since the user must exist on the Linux server
to successfully use the smbpasswd command, I'm wondering if there will
need to be a reconciliation to handle the script.

Just for clarity, there's not any sort of Active Directory domain
controller or Kerberos involved or available for this. There are only
about 12 user accounts that need to be provisioned, so it could be
handled manually, but since midPoint is already deployed as part of a
much larger organization, I'd like to be able to automate and link this
small workgroup fileserver in.

I realize that most organizations handle this through AD/domain
controllers, so there's probably not much need for something like this.
And there may be a much better way to do this. So if anyone has any
examples or ideas of how to do this, I would love to see them. Thanks
in advance!!
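The non-interactive part of the procedure described in the post (wait until SSSD resolves the LDAP user, then feed the password to smbpasswd) can be wrapped in a small POSIX shell helper. The script below is an added example, not code from the post or from the midPoint project; it assumes smbpasswd's real -a (add) and -s (silent, read from stdin) options and that `getent passwd` resolves users through SSSD, and it reads the password from standard input rather than taking it as an argument, so the secret never shows up in `ps` output or shell history on the file server. The command names are overridable via the hypothetical SMBPASSWD and GETENT environment variables so the function can be exercised on a machine without Samba.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post or midPoint).
# set_samba_password NAME  reads a one-line password from stdin and sets it as
# the Samba password of an SSSD/LDAP user that already resolves on this host.
#
# Assumptions: 'smbpasswd -a -s NAME' expects the new password and its
# confirmation as two lines on stdin; 'getent passwd NAME' succeeds only once
# SSSD has fetched the user from LDAP. Both commands can be replaced through
# the environment so the logic can be tested without a real Samba install.

SMBPASSWD="${SMBPASSWD:-smbpasswd}"
GETENT="${GETENT:-getent}"
SSSD_WAIT_SECONDS="${SSSD_WAIT_SECONDS:-30}"

# wait_for_user NAME: poll NSS once per second until NAME resolves or the
# configured timeout elapses. Covers the "SSSD may not see the user yet"
# timing concern from the post. Returns 0 when found, 1 on timeout.
wait_for_user() {
    name="$1"
    i=0
    while [ "$i" -lt "$SSSD_WAIT_SECONDS" ]; do
        if "$GETENT" passwd "$name" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# set_samba_password NAME: validate the user name (it is passed as a command
# argument, so only a conservative character set is accepted), make sure the
# account is visible through SSSD, then pipe the password twice into
# smbpasswd. Returns 2 for a rejected name, 1 for timeout/empty password or a
# smbpasswd failure, 0 on success.
set_samba_password() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing unsafe user name: '$name'" >&2
            return 2 ;;
    esac
    if ! wait_for_user "$name"; then
        echo "user '$name' not resolvable via SSSD after ${SSSD_WAIT_SECONDS}s" >&2
        return 1
    fi
    IFS= read -r password || return 1
    if [ -z "$password" ]; then
        echo "empty password refused" >&2
        return 1
    fi
    # Password and confirmation on stdin; nothing secret on the command line.
    printf '%s\n%s\n' "$password" "$password" | "$SMBPASSWD" -a -s "$name"
}
```

To use it as root on the file server, source the file and call the function with the password on stdin, for example `printf '%s\n' "$NEW_PASS" | set_samba_password alice`. Whatever triggers it from midPoint (an SSH connector script, for instance) only has to deliver the user name as an argument and the password on the script's standard input; the polling loop means the trigger can fire right after the LDAP account is created instead of waiting for a separate reconciliation.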