[Samba] with ldap - samba - password sync - domain group map - login message

IOhannes zmoelnig zmoelnig at iem.at
Thu Jun 13 07:07:40 GMT 2002

NSC - NetworkServiceCenter wrote:
> hello list!

> the basic systems worked and all problems i'm going to describe occurred in
> both test environments!
> 1. after login from w2k i get the message, that the password expires and
> asks me if i want to change. if i change or not, at next logon the
> situation is the same, but i can login over a few weeks without
> password change.
>    - the only information i found about in the web is, that i can set the
> users pwdLastSet to -1, but, on the one hand, it doesn't work and on the
> other hand, if anyone changes his password this field would be overwritten
> automatically and the old problem starts again.

some report that the account flags have to be [UX      ] (with added X),
which means that the password will not expire. however, i think this
didn't work for me.
my solution (found in some ldap-samba-pdc-howto) was to set the 
pwdMustChange to 2147483647 (which is far in the future: 2030 or something)

> 2. the unix password sync doesn't work. but i think there are two different
> problems, but let me describe: if i activated the password sync, i got on

you have to set the password chat to something that reflects your
system's password chat (no na)

on my system, when i try to change my password (with correct
pam.d/passwd pam_ldap.conf etc) with "passwd" i get the following dialog:
New password:
Re-enter new password:

so the password chat in [global] is as follows:

passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n .

> 3. the domain group map doesn't work! i found a lot of descriptions about

i have not tried this yet, but i think that 2.2.3a does not support
domain-group-mapping (but 2.2.4 should ???)
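
Regarding the passwd chat in point 2 above, an added example that is not part of the original post: a small checker that splits a passwd chat value into expect/send pairs and tests each expect string against the prompts the local passwd program prints. The function names are hypothetical, and the matching (only `*` as a wildcard, case-insensitive) is an assumption of this sketch, not Samba's own matcher.

```python
import re

ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "s": " "}

def parse_chat(chat):
    """Split a passwd chat value into (expect, send) pairs."""
    # Double quotes group a string containing spaces; otherwise split on whitespace.
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]
    # Expand the \n, \r, \t and \s escapes documented for this parameter.
    tokens = [re.sub(r"\\([nrts])", lambda m: ESCAPES[m.group(1)], t) for t in tokens]
    if len(tokens) % 2:
        tokens.append(".")  # a trailing expect with no send: nothing is sent
    return list(zip(tokens[0::2], tokens[1::2]))

def expect_matches(expect, prompt):
    """True if prompt satisfies expect, where '*' matches any run of characters."""
    # Assumption of this sketch: case-insensitive, '*' is the only wildcard.
    pattern = ".*".join(re.escape(part) for part in expect.split("*"))
    return re.fullmatch(pattern, prompt, re.DOTALL | re.IGNORECASE) is not None

def check_chat(chat, prompts):
    """Return (step, expect, prompt) for every expect string that would not match."""
    remaining = iter(prompts)
    problems = []
    for step, (expect, _send) in enumerate(parse_chat(chat), start=1):
        if expect == ".":
            continue  # a full stop means no string is expected at this step
        prompt = next(remaining, None)
        if prompt is None or not expect_matches(expect, prompt):
            problems.append((step, expect, prompt))
    return problems

# Constructed sample: the two prompts quoted in the message.
PROMPTS = ["New password:", "Re-enter new password:"]
CHAT_FROM_POST = r"*New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n ."
# Constructed mismatch: a chat written for a system that prompts "Retype ...".
CHAT_WRONG = r"*New\spassword:* %n\n *Retype\snew\spassword:* %n\n ."

if __name__ == "__main__":
    for name, chat in (("post", CHAT_FROM_POST), ("wrong", CHAT_WRONG)):
        print(name, check_chat(chat, PROMPTS) or "all expect strings match")
```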

