[Samba] LDAP & Samba 3.0b1 & Password Sync Problem

Ryan S Oltman roltman at uiuc.edu
Wed Jun 18 16:30:51 GMT 2003

I cannot get password sync to work with LDAP and Samba 3.0 beta 1.  I'm
not sure if I have screwed something up or if it is a bug.

I'm currently using:
openldap = 2.0.27
samba = 3.0 beta1
nss_ldap = 207

My setup is as follows (sorry if it is too much info):

my smb.conf file:

   # NOTE(review): the section headers appear to have been lost in the paste. The keys
   # down to "logon path" look like [global], the next four like [homes], the [netlogon]
   # header survives fused with its first key, and the last two groups look like a
   # profiles share and [printers]. Confirm against the real file before reading the
   # share settings below.
   workgroup = AEROSPACE
   server string = AE-ORVILLE
   netbios name = AE-ORVILLE
   name resolve order = lmhosts bcast host wins
   # Restricts which client networks may connect at all; keep it in place while debugging.
   hosts allow = xxx.xxx.xxx. xxx.xxx.xxx.
   load printers = yes
   idmap uid  = 10000-15000
   idmap gid  = 10000-15000
   # Accounts come from the ldapsam backend; "guest" is listed as a second backend.
   passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx, guest
   # With "pam password change = yes" the Unix-side change is done through PAM rather
   # than a passwd program/chat script. If smbd uses the PAM service "samba" (the pam.d
   # file quoted later in this post), note that its "password" stack contains only
   # pam_smbpass, so no pam_unix/pam_ldap module runs for the Unix password.
   # NOTE(review): confirm that stack is what the sync is expected to go through.
   unix password sync = Yes
   pam password change = yes
  ldap delete dn = no
  ldap suffix = dc=xxx,dc=xxx,dc=xxx
  ldap user suffix = ou=People
  ldap machine suffix = ou=Computers
  # This is the slapd rootdn from slapd.conf, so smbd's binds are not subject to the
  # ACLs defined there. A dedicated bind DN whose writes are limited by ACL would be
  # least privilege (slapd.conf already defines uid=administrator,ou=System,ou=People
  # with write access to the Samba hash attributes).
  ldap admin dn = cn=Manager,dc=xxx,dc=xxx,dc=xxx
  # Matches "ssl start_tls" in ldap.conf: both smbd and nss_ldap/pam_ldap reach slapd
  # over STARTTLS on the plain LDAP port.
  ldap ssl = start tls
   printcap name = cups
   printing = cups
   log file = /var/log/samba/log.%m
   max log size = 50
   # Level 8 is debugging verbosity; lower it once the sync problem is resolved.
   log level = 8
   security = user
  encrypt passwords = yes
   socket options = TCP_NODELAY
   interfaces = xxx.xxx.xxx.xxx/23
   local master = yes
   os level = 255
   domain master = yes
   preferred master = yes
   domain logons = yes
   wins server = xxx.xxx.xxx.xxx
   dns proxy = no
   logon drive = H:
   logon path = \\%N\%U\MSWinProfile
   comment = Home Directories
   read only = No
   browseable = No
   writable = Yes
[netlogon]   comment = Network Logon Service
   path = /var/samba/lib/netlogon
   read only = yes
   write list = ntadmin
   guest ok = yes
   writable = no
   share modes = no
    # NOTE(review): this "path" is a UNC path, not a local directory; it looks like it
    # was copied from "logon path" above - confirm the intended filesystem directory.
    path = \\%N\%U\MSWinProfile
    read only = no
    create mask = 0600
    directory mask = 0700
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes

Here is my slapd.conf file:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
loglevel        296
pidfile         /var/state/openldap/slapd.pid
argsfile        /var/state/openldap/slapd.args
# STARTTLS is what both clients request (ldap.conf "ssl start_tls", smb.conf
# "ldap ssl = start tls"); HIGH limits the cipher suites the server offers.
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd-key.pem
# Hash scheme applied to userPassword values set through the password-modify
# extended operation (ldap.conf uses "pam_password exop"). {MD5} is unsalted;
# a salted scheme such as {SSHA} is the usual choice for a new directory.
password-hash   {MD5}
# ACLs are evaluated in order, first match wins. The password attributes are
# handled here before the broad rule further down, so anonymous clients can only
# use them to bind ("auth"), never read them.
access to attrs=userPassword
        by self         write
        by *            auth
# The administrator DN and the user itself may write the Samba hashes; "self write"
# is what lets a user's own bind change them. (The DN below is wrapped across two
# lines, presumably by the mail client.)
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=administrator, ou=System, ou=People,
dc=xxx,dc=xxx,dc=xxx" write
        by self         write
        by *            auth

# Everything else under the suffix is readable by anyone, including anonymous
# binds (uidNumber, sambaSID, mail, ...). NOTE(review): confirm that anonymous
# read of the whole tree is intended; "by users read" would limit it to
# authenticated clients.
access to dn.children="dc=xxx,dc=xxx,dc=xxx"
        by self         write
        by *            read
database        ldbm
suffix          "dc=xxx,dc=xxx,dc=xxx"
# The rootdn is not subject to the ACLs above; smb.conf binds as this DN
# ("ldap admin dn").
rootdn          "cn=Manager,dc=xxx,dc=xxx,dc=xxx"
# NOTE(review): rootpw is stored in cleartext here, and "secret" is a well-known
# default value if it is not just a placeholder for this post. slapd accepts a
# hashed value generated with slappasswd, and this file should be readable only
# by the user slapd runs as.
rootpw          secret
directory       /var/lib/openldap-ldbm
# Equality indexes on the attributes Samba and nss_ldap search by.
index   objectClass             eq
index   uid                     pres,eq
index   sambaSID                eq
index   uidNumber               eq
index   gidNumber               eq
index   cn                      eq
index   memberUid               eq
index   sambaPrimaryGroupSID    eq
index   displayName             pres,eq
index   mail                    eq,subinitial
index   surname                 eq,subinitial
index   givenname               eq,subinitial

ldap.conf file:

# nss_ldap / pam_ldap client configuration.
host xxx.xxx.xxx.xxx
base dc=xxx,dc=xxx,dc=xxx
# passwd and shadow maps are searched over the whole tree (?sub); groups only one
# level under ou=Groups (?one).
nss_base_passwd         dc=xxx,dc=xxx,dc=xxx?sub
nss_base_shadow         dc=xxx,dc=xxx,dc=xxx?sub
nss_base_group          ou=Groups,dc=xxx,dc=xxx,dc=xxx?one
# STARTTLS on the plain LDAP port, matching the TLS* directives in slapd.conf.
# NOTE(review): no CA/peer-check settings are shown in this excerpt, so whether the
# server certificate is actually verified cannot be told from here - confirm.
ssl start_tls
# Password changes use the password-modify extended operation, so the server-side
# "password-hash" in slapd.conf decides how the new userPassword is stored.
pam_password exop

my pam.d samba file:
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
# account and session are delegated to the system-auth stack; password is not.
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
# The "password" stack is pam_smbpass only: a change through this service updates
# the Samba password, but no pam_unix/pam_ldap module runs, so the Unix password
# is not touched here. NOTE(review): if smbd's "pam password change = yes" goes
# through this service (service name "samba" assumed), the sys-auth password
# stack quoted below is never reached for the Unix-side sync - confirm.
password   required     pam_smbpass.so nodelay

my pam.d sys-auth file:
# Authentication: local shadow first, then LDAP reusing the password already
# entered; pam_deny closes the stack if neither succeeded.
auth       required     /lib/security/pam_env.so
# NOTE(review): "nullok" accepts accounts whose password field is empty.
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
# Password changes: cracklib checks strength, then pam_unix for local accounts,
# then pam_ldap for directory accounts.
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow
# NOTE(review): "use_authok" looks like a typo for "use_authtok" (reuse the new
# password collected by the modules above). An unrecognised option may simply be
# ignored, in which case pam_ldap would prompt for the new password itself -
# confirm against the module's documentation.
password   sufficient   /lib/security/pam_ldap.so use_authok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_ldap.so

As an LDAP-authenticated user I can change the Unix password with passwd
and the Samba password with smbpasswd when sync is not enabled; however,
when it is enabled I get:

Old SMB password:
New SMB password:
Retype new SMB password:
machine rejected the password change: Error was : RAP86: The
specified password is invalid.
Failed to change password for roltman

If I run smbpasswd in debug mode, it fails immediately after I enter the
old password.  I currently have both the UNIX and Samba passwords set to
the same value.

Does anyone have this working?
Does pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf need to be
included in my sys-auth file instead?


Ryan S Oltman
