password syncing using pam when using ldap for system auth

Andrew Bartlett abartlet at samba.org
Sat Jan 4 02:44:01 GMT 2003


On Sat, 2003-01-04 at 00:56, bryan hunt wrote:
> 
>  I am using samba and ldap.
>  LDAP is used for linux login and imap authentication.
>  Samba is used for domain login and file sharing.
> 
>  Everything is up and running with one exception
> 
>  When I try to do a password change from a windows machine I
>  get the following error ( repeated about 8 times )
> 
>  [2003/01/02 18:51:48, 0] lib/util_sec.c:assert_gid(114)
>    Failed to set gid privileges to (0,65534) now set to (0,-1) uid=(0,65534)
>  [2003/01/02 18:51:48, 0] lib/util.c:smb_panic(1094)
>    PANIC: failed to set gid

I would look into if you have any groups with gid == -1, particularly
for the 'nobody' user.  This could be causing a problem here. 

>  If I get rid of the password syncing option in the smb.conf
>  the password gets changed with no problems but with
>  the
>   pam password change = yes
>  option set in the file the user password change fails.

I don't think this has any relation to the previous errors.  Instead,
it's due to the way Samba changes passwords.

>  I want to get the password syncing working because it would be
>  cool for my users to have a single password for mail/unix stuff etc.
> 
>  Anyone encountered this before? I've done a lot of googling and searched
>  the bugs database but nobody seems to have encountered this problem before.
> 
>  I can change a user's unix (ldap) password straight from the command line
>  (using the passwd program) without any problems.

Are you changing their password, or setting their password?  The
difference matters, because Samba can only *set* the password, it does
not know the old password.

On /etc/passwd based systems, samba can do this, because it becomes root
for the operation.  On LDAP, it's more difficult - it needs to convince
the LDAP server that it has the right to set the password.

>  This is the /etc/pam.d/passwd configuration that I have
>  set up ....
> 
>  #%PAM-1.0
>  auth       sufficient   /lib/security/pam_ldap.so
>  auth       required     /lib/security/pam_unix_auth.so use_first_pass
>  account    sufficient   /lib/security/pam_ldap.so
>  account    required     /lib/security/pam_unix_acct.so
>  # I commented this out in case samba couldn't handle it ...
>  #password   required    /lib/security/pam_cracklib.so retry=3
>  password   sufficient   /lib/security/pam_ldap.so
>  password   required     /lib/security/pam_pwdb.so try_first_pass
> 
>  This is the /etc/pam.d/samba config ....
> 
>  #%PAM-1.0
>  auth       sufficient   /lib/security/pam_ldap.so
>  auth       required     /lib/security/pam_unix_auth.so try_first_pass
>  account    sufficient   /lib/security/pam_ldap.so
>  account    required     /lib/security/pam_unix_acct.so
> 
>  I also tried this config .....
> 
>  #%PAM-1.0
>  auth       required     /lib/security/pam_nologin.so
>  auth       required     /lib/security/pam_stack.so service=system-auth
>  account    required     /lib/security/pam_stack.so service=system-auth
>  session    required     /lib/security/pam_stack.so service=system-auth
>  password   required     /lib/security/pam_stack.so service=system-auth
> 
>  No errors with that one but the password remained unchanged ....
> 
>  Any ideas guys? I reckon I must have screwed up the pam configuration
>  for /etc/pam.d/samba but I am no pam expert so I am currently thrashing
>  around in the dark ....

The big thing about syncing with PAM is that you must set the manager
password in some config file, so that pam_ldap can make an
administrative connection to the LDAP server.  See the pam_ldap
documentation for details.

However, we have made this a bit easier in Samba 3.0 - there is a new
option called 'ldap password sync' that works with Samba's existing
pdb_ldap to set the user's password, using Samba's administrative
rights.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
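To illustrate the two routes described in the reply above (an administrative bind for pam_ldap, or Samba 3.0's own LDAP password sync), here is an added configuration sketch that is not part of the original message. The hostnames, base DN and manager DN are placeholders; the option names are the ones pam_ldap and Samba 3.x use.

```ini
; ---- Route 1: PAM-based sync via pam_ldap ----
; /etc/ldap.conf (read by pam_ldap and nss_ldap); placeholder values
; host        ldap.example.com
; base        dc=example,dc=com
; rootbinddn  cn=Manager,dc=example,dc=com
; pam_password exop
;
; The password for rootbinddn is NOT placed in ldap.conf. pam_ldap reads it
; from /etc/ldap.secret, which must be owned by root with mode 0600, since
; anyone who can read it can reset every directory password.
; Only the password stack needs rootbinddn; the pam_ldap line in
; /etc/pam.d/samba should read:
;   password   sufficient   /lib/security/pam_ldap.so

; ---- Route 2: Samba 3.0 sets the password itself via pdb_ldap ----
; /etc/samba/smb.conf (placeholder values)
[global]
   passdb backend   = ldapsam:ldap://ldap.example.com
   ldap suffix      = dc=example,dc=com
   ldap admin dn    = cn=Manager,dc=example,dc=com
   ; Samba updates userPassword alongside the NT/LM hashes using
   ; the admin dn above, so no PAM password stack is involved.
   ldap passwd sync = yes
   ; With route 2 in use, leave the PAM hook off:
   pam password change = no
   ; The admin dn password is stored in secrets.tdb, not in smb.conf:
   ;   smbpasswd -w <manager-password>
```

Pick one route; running both makes two separate components hold the directory manager credential, which doubles what must be protected and audited.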