[Samba] Samba as PDC, and password cached??

Diego Rivera lrivera at racsa.co.cr
Wed Nov 27 19:33:04 GMT 2002


Hi all,

I've run into what I believe to be a funky bug in Samba 2.2.7.  Here's
the scenario description (all Linux, all Samba 2.2.7, all same versions
of LDAP software, etc.):

Environment:  
    1 Samba PDC w/LDAP backend
    2 Samba Clients joined to the PDC w/valid mach. accounts, etc.

Clients are configured as follows:

    - PAM auth and password changes are done using winbind through PDC
      (thus affecting SSH, login, etc.)
    - account info is fetched through LDAP (getent goes through LDAP)
      (to avoid winbind non-deterministic uid assignments)

PDC Server is configured as follows:

    - PAM auth is done through LDAP
    - account info is fetched through LDAP (getent goes through LDAP)
    - Samba syncs passwords through PAM, which in turn updates LDAP
      and /etc/shadow if applicable (pam_ldap, pam_unix)
    - All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
      if applicable (pam_unix) and Samba (pam_smbpass) (can't use
      pam_winbind from the same machine which is a PDC)

Here's the test Scenario:

    1) All machines are up, passwords are "reset" (to initial, known
       and controlled values)
    2) Log in to both clients as a regular user using PASSWORD-1
    3) use passwd to change the password on Client-1
        - Authenticate using the active password (PASSWORD-1) when
          asked to, and change to PASSWORD-2
    4) use passwd to change the password on Client-2
        - Authenticate using the active password (PASSWORD-2) when
          asked to, and change to PASSWORD-3 (this one takes a while,
          but is successful in the end)
    5) logon to either client with PASSWORD-3 fails (this is WRONG,
       as this is the last value set for the password in the PDC)
    6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
       as the last password value set in the PDC is PASSWORD-3)

**** BUT ****
    
    7) Do one of:

        - Re-start WINBIND on both clients 
        - Re-start Samba on the PDC

    8) logon to either client now works with PASSWORD-3 (the correct
       behavior)

So, is WINBIND caching passwords? Maybe the Samba processes @ PDC?
Maybe this is LDAP-related?

Anybody want to track this down?  Do you want me to produce logs?  What
settings should I use to produce logs that would be useful?

I realize this is a kind of extreme example (i.e., in the real world,
users will likely NOT be logged in to multiple machines AND changing
their passwords in this manner).

But still, we should kill bugs as they appear!

Best

Diego

PS/ The PDC/PDC-client related conf's I've come up with are pretty much
cookie-cutter by now, so I'm probably going to post them as an RPM
somewhere with instructions.  Using this, it's possible to achieve
transparent password sync between Unix (LDAP) and Samba passwords (thus
affecting Windows clients as well).  I'll keep interested parties posted
on this.
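Added diagnostic for the test scenario above (this is not part of Diego's post or of Samba itself). It assumes it is run on one of the joined clients, that wbinfo and smbclient are on PATH, and that the PDC is reachable under the name given in the PDC variable (a placeholder). Each candidate password is tried on two paths: through the local winbindd (the path PAM/login on the client actually uses) and directly against the PDC with an SMB session setup, which never touches the local winbindd. Comparing the two columns for the newest password tells which side is holding the stale credential.

```shell
#!/bin/sh
# Added diagnostic for the scenario in the post above; not from the original
# message.  Assumptions: runs on a joined client, wbinfo and smbclient are on
# PATH, and the PDC answers under the name in $PDC (placeholder below).
# Each candidate password is tried on two paths: through the local winbindd
# (what PAM/login on the client uses) and directly against the PDC with an
# SMB session setup, which bypasses the local winbindd entirely.  A
# disagreement between the two columns says which side holds stale state.

PDC="${PDC:-PDC-HOSTNAME}"   # placeholder: NetBIOS/DNS name of the PDC

# auth_via_winbind USER PASSWORD -> exit 0 if winbindd accepts the credential
auth_via_winbind() {
    wbinfo -a "$1%$2" >/dev/null 2>&1
}

# auth_via_pdc USER PASSWORD -> exit 0 if smbd on the PDC accepts the credential
auth_via_pdc() {
    smbclient -L "//$PDC" -U "$1%$2" >/dev/null 2>&1
}

# diagnose WINBIND_RESULT PDC_RESULT   (each OK or FAIL) -> one-line verdict
diagnose() {
    case "$1/$2" in
        OK/OK)     echo "consistent, accepted on both paths" ;;
        FAIL/FAIL) echo "consistent, rejected on both paths" ;;
        OK/FAIL)   echo "winbind accepts what the PDC rejects: stale state in the client winbindd" ;;
        FAIL/OK)   echo "PDC accepts what winbind rejects: client winbindd has not seen the change" ;;
        *)         echo "invalid input" ;;
    esac
}

# probe_passwords USER WINBIND_FN PDC_FN PASSWORD...
# Prints one line per candidate, identified by position so the secrets
# themselves never reach stdout:
#   candidate N: winbind=OK|FAIL pdc=OK|FAIL -> <verdict>
probe_passwords() {
    user=$1; wb_fn=$2; pdc_fn=$3; shift 3
    i=0
    for pw in "$@"; do
        i=$((i + 1))
        if "$wb_fn" "$user" "$pw"; then wb=OK; else wb=FAIL; fi
        if "$pdc_fn" "$user" "$pw"; then pdc=OK; else pdc=FAIL; fi
        printf 'candidate %d: winbind=%s pdc=%s -> %s\n' \
            "$i" "$wb" "$pdc" "$(diagnose "$wb" "$pdc")"
    done
}

# Run on a client after step 4 of the scenario, with the test account's
# passwords in the order they were set:
#   sh probe.sh testuser PASSWORD-1 PASSWORD-2 PASSWORD-3
if [ "$#" -ge 2 ]; then
    user=$1; shift
    probe_passwords "$user" auth_via_winbind auth_via_pdc "$@"
fi
```

Reading the output for the newest password (candidate 3 in the scenario): winbind=FAIL pdc=OK means the client's winbindd is serving stale state, which matches the observation that restarting winbind on the clients cures it; winbind=FAIL pdc=FAIL while LDAP already holds PASSWORD-3 means the stale state sits in smbd on the PDC, which matches the observation that restarting Samba on the PDC also cures it. Run it once after step 4 and again after step 7 to see which of the two restarts actually changed the result.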



