[Samba] smbpasswd + ldap -- changing stuff it shouldn't

Brian Nelson bnelson at cis.ysu.edu
Mon May 13 16:49:02 GMT 2002


using samba with --enable-ldapsam...

When changing a user's password with smbpasswd 'username', I get this error:

failed to modify user with uid = bnelson with: Insufficient access
        Insufficient 'write' privilege to the 'uid' attribute of entry 
'uid=bnelson,ou=People [...]'.
        
Looking at a snoop of the network, it seems like smbpasswd is trying to modify
ALL of these attributes:

  uid
  pwdLastSet
  logonTime
  logoffTime
  kickoffTime
  pwdCanChange
  pwdMustChange
  displayName
  cn
  rid
  primaryGroupID
  lmPassword
  ntPassword
  acctFlags
  
Most of these I understand, but some (cn, uid, displayName, rid, and
primaryGroupID) should not be changed just to update the password.

I understand that smbpasswd can be used to add users to ldap, which is ok, and
that those attributes would be added/modified then, but I don't plan to do that,
and I only want the sambaadmin account to be able to modify the samba-related
stuff (not uid or cn, etc).

My thought is this: those five attributes should be modified only in the -a
(add user) mode, and even then, ONLY if they do not already exist (i.e. a
completely new/blank user). Running a -a against an already existing posixuser
(or otherwise) should only add the samba bits and the sambaaccount objectclass,
and still not touch uid or cn, as these are often authoritatively controlled
elsewhere.

Also, attributes that aren't different shouldn't really be re-modified, i.e. only
change them if the new value is different. It looks like smbpasswd pushes most
of this stuff unconditionally.

This seems to be the case with objectclass, as it only seems to attempt to add
the sambauser class if it is NOT already there.

This is just my opinion :) Please tell me if there is some reasoning I am
missing.

-Brian

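The modify policy the post proposes (only Samba attributes on a password change, only when the value differs, identity attributes only when creating a brand-new account), as an added example that is not Samba's code or part of the original post. It uses the pre-3.0 Samba schema attribute names the post lists; the entries and values are constructed sample data.

```python
# Added example, not smbpasswd's own logic: build the minimal LDAP modify list
# for a Samba account under the rules the post asks for.
IDENTITY_ATTRS = frozenset({"uid", "cn", "displayName", "rid", "primaryGroupID"})
SAMBA_ATTRS = frozenset({"lmPassword", "ntPassword", "pwdLastSet", "pwdCanChange",
                         "pwdMustChange", "acctFlags", "logonTime", "logoffTime",
                         "kickoffTime"})
SAMBA_OBJECTCLASS = "sambaAccount"  # schema name assumed from the post's "sambaaccount"


def build_mods(entry, desired, mode="passwd"):
    """Return (op, attr, value) triples to send in an LDAP modify.

    entry:   current attributes of the LDAP entry (attr -> str, objectClass -> list)
    desired: everything smbpasswd would like to push
    mode:    "passwd" for a password change, "add" for smbpasswd -a
    """
    mods = []
    for attr, value in desired.items():
        current = entry.get(attr)
        if attr in IDENTITY_ATTRS:
            # Written only when adding an account and only if absent; never on a
            # password change and never overwriting a value controlled elsewhere.
            if mode == "add" and current is None:
                mods.append(("add", attr, value))
            continue
        if attr == "objectClass":
            # Add the Samba objectclass once, and only in add mode.
            if mode == "add" and SAMBA_OBJECTCLASS not in (current or []):
                mods.append(("add", "objectClass", SAMBA_OBJECTCLASS))
            continue
        if attr in SAMBA_ATTRS and current != value:
            # Unchanged attributes produce no operation at all.
            mods.append(("add" if current is None else "replace", attr, value))
    return mods


# Constructed sample data: an existing POSIX user that already has the Samba class.
SAMPLE_ENTRY = {"uid": "bnelson", "cn": "Brian Nelson",
                "objectClass": ["posixAccount", "sambaAccount"],
                "ntPassword": "OLDNTHASH", "acctFlags": "[U          ]"}
SAMPLE_DESIRED = {"uid": "bnelson", "cn": "Brian Nelson", "displayName": "Brian Nelson",
                  "rid": "3000", "primaryGroupID": "513",
                  "ntPassword": "NEWNTHASH", "lmPassword": "NEWLMHASH",
                  "pwdLastSet": "1021308000", "acctFlags": "[U          ]",
                  "objectClass": SAMBA_OBJECTCLASS}

if __name__ == "__main__":
    for mode in ("passwd", "add"):
        print(mode, build_mods(SAMPLE_ENTRY, SAMPLE_DESIRED, mode))
```

In "passwd" mode the sample yields only the three changed Samba attributes; in "add" mode it additionally adds the missing rid, primaryGroupID and displayName but still leaves uid, cn and the already-present objectclass untouched.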