[Samba] Re: Samba as PDC, and password cached??

Diego Rivera lrivera at racsa.co.cr
Thu Nov 28 04:58:01 GMT 2002


Sorry to self-reply, but I omitted an important detail: winbind cache
time is configured to be 0.  Thus, I think the caching must likely be
happening on the smbd side.  BTW: If you're interested, you can visit
http://briefcase.yahoo.com/ldrivera in the "My Documents" folder you
should find two files whose names are kinda self-explanatory: one for RH
7.2, one for Mandrake 8.2.

These files contain all the configs I use to achieve password sync.  An
explanatory document is there as well (README), so give that a read as
well.

Best

Diego


On Wed, 2002-11-27 at 13:31, Diego Rivera wrote:
> Hi all,
> 
> I've run into what I believe to be a funky bug in Samba 2.2.7.  Here's
> the scenario description (all Linux, all Samba 2.2.7, all same versions
> of LDAP software, etc.):
> 
> Environment:  
>     1 Samba PDC w/LDAP backend
>     2 Samba Clients joined to the PDC w/valid mach. accounts, etc.
> 
> Clients are configured as follows:
> 
>     - PAM auth and password changes are done using winbind through PDC
>       (thus affecting SSH, login, etc.)
>     - account info is fetched through LDAP (getent goes through LDAP)
>       (to avoid winbind non-deterministic uid assignments)
> 
> PDC Server is configured as follows:
> 
>     - PAM auth is done through LDAP
>     - account info is fetched through LDAP (getent goes through LDAP)
>     - Samba syncs passwords through PAM, which in turn updates LDAP
>       and /etc/shadow if applicable (pam_ldap, pam_unix)
>     - All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
>       if applicable (pam_unix) and Samba (pam_smbpass) (can't use
>       pam_winbind from the same machine which is a PDC)
> 
> Here's the test Scenario:
> 
>     1) All machines are up, passwords are "reset" (to initial, known
>        and controlled values)
>     2) Log in to both clients as a regular user using PASSWORD-1
>     3) use passwd to change the password on Client-1
>         - Authenticate using the active password (PASSWORD-1) when
>           asked to, and change to PASSWORD-2
>     4) use passwd to change the password on Client-2
>         - Authenticate using the active password (PASSWORD-2) when
>           asked to, and change to PASSWORD-3 (this one takes a while,
>           but is successful in the end)
>     5) logon to either client with PASSWORD-3 fails (this is WRONG,
>        as this is the last value set for the password in the PDC)
>     6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
>        as the last password value set in the PDC is PASSWORD-3)
> 
> **** BUT ****
>     
>     7) Do one of:
> 
>         - Re-start WINBIND on both clients 
>         - Re-start Samba on the PDC
> 
>     8) logon to either client now works with PASSWORD-3 (the correct
>        behavior)
> 
> So, is WINBIND caching passwords? Maybe the Samba processes @ PDC?
> Maybe this is LDAP-related?
> 
> Anybody want to track this down?  Do you want me to produce logs?  What
> settings should I use to produce logs that would be useful?
> 
> I realize this is a kind of extreme example (i.e., in the real world,
> users will likely NOT be logged in to multiple machines AND changing
> their passwords in this manner).
> 
> But still, we should kill bugs as they appear!
> 
> Best
> 
> Diego
> 
> PS/ The PDC/PDC-client related conf's I've come up with are pretty much
> cookie-cutter by now, so I'm probably going to post them as an RPM
> somewhere with instructions.  Using this, it's possible to achieve
> transparent password sync between Unix (LDAP) and Samba passwords (thus
> affecting Windows clients as well).  I'll keep interested parties posted
> on this.