samba ldap pam password syncing woes

bryan hunt bryan.hunt at ossidian.com
Thu Jan 2 20:20:00 GMT 2003


I am using an experimental configuration of samba with ldap. 
LDAP is used for linux login and imap authentication.
Samba is used for domain login and file sharing. 

I have got the following ldap|pam|samba stuff installed on the system

pam-0.75-25mdk
samba-client-2.2.6-1.1mdk
nss_ldap-202-1.1mdk
perl-Authen-PAM-0.13-3mdk
samba-common-ldap-2.2.6-1.1mdk
samba-server-ldap-2.2.6-1.1mdk
samba-winbind-ldap-2.2.6-1.1mdk
mod_auth_ldap-1.6.0-7mdk
openldap-2.0.25-7mdk
openldap-clients-2.0.25-7mdk
perl-ldap-0.26-2mdk
pam-devel-0.75-25mdk
libldap2-devel-static-2.0.25-7mdk
libldap2-2.0.25-7mdk
samba-swat-ldap-2.2.6-1.1mdk
openldap-servers-2.0.25-7mdk
openldap-back_ldap-2.0.25-7mdk
openldap-guide-2.0.25-7mdk
courier-imap-ldap-1.6.0-1mdk
libldap2-devel-2.0.25-7mdk
pam_ldap-148-3mdk


Everything is up and running with one exception

When I try to do a password change from a windows machine I 
get the following error ( repeated about 8 times ) 

[2003/01/02 18:51:48, 0] lib/util_sec.c:assert_gid(114)
  Failed to set gid privileges to (0,65534) now set to (0,-1) uid=(0,65534)
[2003/01/02 18:51:48, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid

If I get rid of the password syncing option in the smb.conf
the password gets changed with no problems, but with the
 pam password change = yes
option set in the file the user password change fails.

I want to get the password syncing working because it would be
cool for my users to have a single password for mail/unix stuff etc. 

Anyone encountered this before ? I've done a lot of googling and searched
the bugs database but nobody seems to have encountered this problem before. 

I can change a user's unix (ldap) password straight from the command line
(using the passwd program) without any problems.

This is the /etc/pam.d/passwd configuration that I have 
set up .... 

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
# I commented this out in case samba couldn't handle it ...
#password   required    /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so try_first_pass

This is the /etc/pam.d/samba config ....

#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so

I also tried this config ..... 

#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

No errors with that one but the password remained unchanged ....

Any ideas guys? I reckon I must have screwed up the pam configuration
for /etc/pam.d/samba but I am no pam expert so I am currently thrashing
around in the dark ....

Kind Regards

Bryan
















-- 
Bryan Hunt
Systems Engineering Manager
Ossidian Technologies  Ltd  
Blackrock
Co Dublin
IRELAND 

Tel +353-1-2787111 Fax +353-1-2787136
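
Added example, not part of the original message: a small Python parser that reports which PAM management groups a service file defines and which services a stack delegates to. PAM password changes run through the `password` group, so this is the first thing to compare between the two /etc/pam.d/samba variants quoted above. The function names are hypothetical, the sample configs are copied from the message, and handling of `include`/`substack` and `-` prefixed groups goes beyond what the message shows.

```python
import re

PAM_GROUPS = ("auth", "account", "password", "session")
# group, control (plain word or [bracketed]), module path, optional arguments
LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Sample input: the two /etc/pam.d/samba variants quoted in the message.
SAMBA_FIRST = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
"""
SAMBA_SECOND = """\
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
"""

def parse_pam(text):
    """Return {group: [(control, module, [args]), ...]} for one service file."""
    stacks = {g: [] for g in PAM_GROUPS}
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        m = LINE.match(raw.split("#", 1)[0].strip())     # drop comments
        if not m:
            continue                                     # blank or comment-only
        group, control, module, args = m.groups()
        if group.lstrip("-") in stacks:
            stacks[group.lstrip("-")].append((control, module, args.split()))
    return stacks

def delegated_services(stack):
    """Services a stack hands off to (pam_stack.so service=X, include X)."""
    out = []
    for control, module, args in stack:
        if control in ("include", "substack"):
            out.append(module)
        elif module.endswith("pam_stack.so"):
            out += [a.split("=", 1)[1] for a in args if a.startswith("service=")]
    return out

def missing_groups(text, needed=("password",)):
    """Groups from `needed` for which the file defines no rule at all."""
    stacks = parse_pam(text)
    return [g for g in needed if not stacks[g]]

if __name__ == "__main__":
    for name, cfg in (("first", SAMBA_FIRST), ("second", SAMBA_SECOND)):
        pw = parse_pam(cfg)["password"]
        print(name, "missing:", missing_groups(cfg), "->", delegated_services(pw))
```

The report covers only what each file defines. For the second variant, the stack that actually runs is whatever the `system-auth` file on that host contains, which the message does not show.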




