[Samba] LDAP & Samba 3.0b1 & Password Sync Problem
Ryan S Oltman
roltman at uiuc.edu
Wed Jun 18 16:30:51 GMT 2003
I cannot get password sync to work with LDAP and Samba 3.0 beta 1. I'm
not sure whether I have screwed something up or whether it is a bug.
I'm currently using:
openldap = 2.0.27
samba = 3.0 beta1
nss_ldap = 207
My setup is as follows (sorry if it is too much info):
my smb.conf file:
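# smb.conf as posted (addresses and DN components redacted by the author as xxx).
# Review comments added; settings unchanged except that the [netlogon] header and
# its first parameter, which the posting shows on one line, are split onto two.
[global]
workgroup = AEROSPACE
server string = AE-ORVILLE
netbios name = AE-ORVILLE
name resolve order = lmhosts bcast host wins
hosts allow = xxx.xxx.xxx. xxx.xxx.xxx.
load printers = yes
idmap uid = 10000-15000
idmap gid = 10000-15000
# Plain ldap:// URL; the connection is protected by "ldap ssl = start tls" below,
# which negotiates TLS on that port (matches "ssl start_tls" in ldap.conf).
passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx, guest
# With both of these set, a Samba password change is pushed through PAM rather
# than a passwd program -- presumably via the pam.d "samba" service shown later
# in the posting; confirm the service name against the Samba version in use.
unix password sync = Yes
pam password change = yes
ldap delete dn = no
ldap suffix = dc=xxx,dc=xxx,dc=xxx
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
# This is the slapd rootdn from slapd.conf, so Samba binds with a credential that
# bypasses every access directive there. A dedicated DN granted only the writes
# Samba needs (user, machine and password attributes) would be least privilege.
ldap admin dn = cn=Manager,dc=xxx,dc=xxx,dc=xxx
ldap ssl = start tls
printcap name = cups
printing = cups
log file = /var/log/samba/log.%m
max log size = 50
# Debug level 8 is very verbose; treat these logs as sensitive and lower the
# level again once the password-sync problem is diagnosed.
log level = 8
security = user
encrypt passwords = yes
socket options = TCP_NODELAY
interfaces = xxx.xxx.xxx.xxx/23
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
wins server = xxx.xxx.xxx.xxx
dns proxy = no
logon drive = H:
logon path = \\%N\%U\MSWinProfile
[homes]
comment = Home Directories
# "read only = No" and "writable = Yes" state the same thing twice.
read only = No
browseable = No
writable = Yes
[netlogon]
comment = Network Logon Service
path = /var/samba/lib/netlogon
# Read-only for everyone except the write list; guest access is allowed.
read only = yes
write list = ntadmin
guest ok = yes
writable = no
share modes = no
[profiles]
# NOTE(review): a share "path" is normally a local directory; this UNC looks
# copied from "logon path" above -- verify it is what was intended.
path = \\%N\%U\MSWinProfile
read only = no
create mask = 0600
directory mask = 0700
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes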
Here is my slapd.conf file:
# slapd.conf as posted (DN components redacted by the author as xxx). Review
# comments added; directives unchanged.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
loglevel 296
pidfile /var/state/openldap/slapd.pid
argsfile /var/state/openldap/slapd.args
# Server-side TLS; pairs with "ssl start_tls" in ldap.conf and
# "ldap ssl = start tls" in smb.conf.
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd-key.pem
# Hash applied to passwords set through the password-modify extended operation
# (ldap.conf uses "pam_password exop"). {MD5} is unsalted; {SSHA} is the salted
# scheme slapd also accepts and is the usual choice.
password-hash {MD5}
# Users may write their own userPassword; everyone else may only bind against it.
access to attrs=userPassword
by self write
by * auth
# Same rule for the Samba hashes, plus one administrator DN that may write them.
# sambaLMPassword holds the weak LanMan hash; if the Samba build allows LM
# authentication to be disabled, storing it can be avoided.
# The "by dn=" value continues on the following line: slapd.conf continuation
# lines must begin with whitespace, which the posting does not show -- check the
# real file.
access to attrs=sambaLMPassword,sambaNTPassword
by dn="uid=administrator, ou=System, ou=People,
dc=xxx,dc=xxx,dc=xxx" write
by self write
by * auth
# Everything else under the suffix: owner may write, anyone (including anonymous
# binds) may read.
access to dn.children="dc=xxx,dc=xxx,dc=xxx"
by self write
by * read
database ldbm
suffix "dc=xxx,dc=xxx,dc=xxx"
# rootdn is also smb.conf's "ldap admin dn", so the bind password Samba stores
# for it is this rootpw.
rootdn "cn=Manager,dc=xxx,dc=xxx,dc=xxx"
# Cleartext rootpw: slapd accepts a hashed value (generate one with slappasswd)
# so the file need not contain the password itself. Anyone who can read this
# file is rootdn.
rootpw secret
directory /var/lib/openldap-ldbm
# Indexes for the attributes Samba's ldapsam and nss_ldap search on.
index objectClass eq
index uid pres,eq
index sambaSID eq
index uidNumber eq
index gidNumber eq
index cn eq
index memberUid eq
index sambaPrimaryGroupSID eq
index displayName pres,eq
index mail eq,subinitial
index surname eq,subinitial
index givenname eq,subinitial
ldap.conf file:
# nss_ldap / pam_ldap client configuration as posted. Review comments added;
# settings unchanged.
host xxx.xxx.xxx.xxx
base dc=xxx,dc=xxx,dc=xxx
# passwd and shadow maps search the whole tree (?sub); groups only one level
# below ou=Groups (?one).
nss_base_passwd dc=xxx,dc=xxx,dc=xxx?sub
nss_base_shadow dc=xxx,dc=xxx,dc=xxx?sub
nss_base_group ou=Groups,dc=xxx,dc=xxx,dc=xxx?one
# StartTLS on the plain ldap port. Nothing here configures checking of the
# server certificate (nss_ldap's tls_checkpeer / tls_cacertfile); verify what
# this build does by default.
ssl start_tls
# Password changes use the password-modify extended operation, so slapd hashes
# the new value itself (see password-hash in slapd.conf) and the client never
# writes a hash into userPassword.
pam_password exop
my pam.d samba file:
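# PAM service "samba" as posted. The posting shows "smbconf=/etc/samba/smb.conf"
# on a line of its own; PAM would not accept that as an entry, so it is assumed
# to be mail wrapping and has been rejoined to the pam_smbpass.so password line.
# pam_smbpass.so authenticates against the Samba passdb (here the ldapsam backend
# named in smb.conf), originally described as "the smbpasswd file".
auth required pam_smbpass.so nodelay
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
# Password changes for this service are handled by pam_smbpass itself, reading
# the configuration from the named smb.conf.
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf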
my pam.d sys-auth (system-auth) file:
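# PAM service posted as "sys-auth"; the samba service above stacks "system-auth",
# presumably this same file. Two corrections relative to the posting: lines the
# mail client wrapped ("nodelay", "use_authtok") are rejoined to their entries,
# and "use_authok" on the pam_ldap password line is spelled "use_authtok" -- the
# option pam_unix uses on the line above. With the misspelled option pam_ldap
# cannot reuse the new password already collected by the earlier modules.
auth required /lib/security/pam_env.so
# nullok accepts accounts whose password is empty -- keep only if intended.
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
# Password stack: pam_cracklib checks the new password once, then pam_unix and
# pam_ldap each reuse it (use_authtok) instead of prompting again. A user with no
# local shadow entry falls through pam_unix to pam_ldap.
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_ldap.so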
As an LDAP-authenticated user I can change the UNIX password with passwd
and the Samba password with smbpasswd when sync is not enabled; however,
when it is enabled I get:
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the password change: Error was : RAP86: The
specified password is invalid.
Failed to change password for roltman
If I run smbpasswd in debug mode it fails immediately after I enter the
"old password". I currently have both the UNIX and Samba passwords set to
the same value.
Does anyone have this working?
Does pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf need to be
included in my sys-auth file instead?
TIA,
Ryan S Oltman