[Samba] Samba PDC LDAP
Wolfgang Pichler
madmin at dialog-telekom.at
Thu May 22 14:49:36 GMT 2003
hi,
I am currently trying to set up a Samba PDC as a replacement for a Windows
NT PDC (that's the good news). I already have a running OpenLDAP
2.1.4-86 with the OUs people, groups and computers. I have also already added
users to it (with a modified version of the migration tools). pam_ldap and
nss_ldap are also working (I can log in to my Unix machine with the LDAP
users, and I can get the usernames for UIDs which belong to LDAP users).
It is also already possible for users to log in to the PDC, but at the first
login they get the message that they should change their password (because
pwdMustChange is 0 at the first login). If they then try to change the
password, it does not work (server log: PANIC: failed to set gid). If they
log in without changing the password, then hit Ctrl-Alt-Del and change the
password, it works (why??). My guest account is smbguest; smbguest is in the
LDAP directory with no password (smbldap-passwd smbguest with null values).
When I look at the logs, I very often see that something is trying to
authenticate smbguest and fails because of an invalid password. Why is
that?
For changing the user passwords I have taken the smbldap-passwd.pl script
and modified it so that pwdMustChange gets set to now()+30days and
pwdLastSet gets now() (why isn't that in the standard script?). This
works perfectly when I change a password in the shell, but when a
password gets changed from Windows, the password gets changed but the
pwdMustChange and pwdLastChange values don't get modified (why?).
My Samba version is samba-2.2.5-177 with LDAP support ;-)
OS: SLES 8.0
And I have already read every howto I could find on Google.
For my general understanding: what exactly happens when a user on a
Windows machine wants to change his password? Is it:
Samba gets the request and only calls the program specified in
passwd program? Or does it do anything else?
Here is a piece of my smb.conf:
workgroup = DIALOG-TELEKOM
netbios name = ZION
interfaces = eth0 172.16.0.27/24
bind interfaces only = Yes
security = user
encrypt passwords = Yes
null passwords = Yes
username map = /etc/samba/usermap
log level = 2
syslog = 0
time server = Yes
unix extensions = Yes
kernel oplocks = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
printcap name = CUPS
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
logon path = \\%N\profiles\%u
logon script = logon.bat
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd.pl -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*successfully*
logon drive = U:
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
printing = cups
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
browseable = No
guest account = smbguest
domain admin group = @sambaadmin
admin users = @sambaadmin
printer admin = @sambaadmin
# ldap parameters
ldap admin dn = "cn=administrator,dc=dialog-telekom,dc=at"
ldap server = localhost
ldap ssl = off
ldap port = 389
ldap suffix = "ou=people,dc=dialog-telekom,dc=at"
And here is the part I've added to smbldap-passwd:
changetype: modify
replace: pwdMustChange
pwdMustChange: $pwdmustchange
-
changetype: modify
replace: pwdLastSet
pwdLastSet: $pwdlastset
I think I will go to the Samba presentation tomorrow in Linz/Vienna and
look for a Samba expert ;-)
Regards
Wolfgang Pichler
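Editor's added example (not code from the post, from Samba or from the smbldap-tools): a small Python module that produces the LDIF a password-change hook would apply to set pwdLastSet to "now" and pwdMustChange to "now + 30 days", as the poster describes doing in his modified smbldap-passwd.pl. It assumes, as in the Samba 2.2 sambaAccount schema, that both attributes hold Unix epoch seconds; it assumes user entries are named uid=<name>,ou=people,dc=dialog-telekom,dc=at (the suffix is taken from the posted smb.conf, the uid RDN is an assumption); and the must_change_at_logon check only mirrors what the poster reports about a value of 0, it is not taken from Samba's source. One point worth noting against the posted fragment: an LDIF change record carries a single changetype line, and the individual replace specs are separated by "-" lines, so the example emits changetype: modify once. The function and variable names are the editor's own.

```python
"""Build the LDIF that a Samba password-change hook applies to set
pwdLastSet / pwdMustChange on a sambaAccount entry.

Assumptions (not stated on the page):
- pwdLastSet and pwdMustChange are Unix epoch seconds (Samba 2.2 schema).
- user entries are uid=<name>,ou=people,dc=dialog-telekom,dc=at; the
  suffix comes from the posted smb.conf, the uid RDN is assumed.
- a pwdMustChange of 0 forces a change at logon, as the poster observed.
"""
import time

LDAP_SUFFIX = "ou=people,dc=dialog-telekom,dc=at"   # from the posted smb.conf
DEFAULT_MAX_AGE_DAYS = 30                            # the poster's now()+30days
SECONDS_PER_DAY = 86400


def user_dn(uid, suffix=LDAP_SUFFIX):
    """DN of a user entry; uid as RDN attribute is an assumption."""
    return f"uid={uid},{suffix}"


def password_timestamps(now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Return (pwdLastSet, pwdMustChange) as integer epoch seconds."""
    last_set = int(now)
    must_change = last_set + max_age_days * SECONDS_PER_DAY
    return last_set, must_change


def password_change_ldif(uid, now=None, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """One LDIF modify record with a single changetype and two replace
    specs separated by '-', which is the RFC 2849 layout ldapmodify expects."""
    now = time.time() if now is None else now
    last_set, must_change = password_timestamps(now, max_age_days)
    return (
        f"dn: {user_dn(uid)}\n"
        "changetype: modify\n"
        "replace: pwdLastSet\n"
        f"pwdLastSet: {last_set}\n"
        "-\n"
        "replace: pwdMustChange\n"
        f"pwdMustChange: {must_change}\n"
        "-\n"
    )


def parse_ldif_mods(ldif):
    """Return {attribute: value} for the replace specs of a modify record,
    so a caller can check what would be written before handing it to
    ldapmodify."""
    mods = {}
    current = None
    for line in ldif.splitlines():
        if line.startswith("replace: "):
            current = line[len("replace: "):]
        elif current and line.startswith(current + ": "):
            mods[current] = line[len(current) + 2:]
        elif line == "-":
            current = None
    return mods


def must_change_at_logon(pwd_must_change, now):
    """Mirror the behaviour the poster reports: 0 (freshly migrated account)
    or a deadline already in the past means 'change password at logon'.
    Assumption based on the post, not verified against Samba's source."""
    return pwd_must_change == 0 or pwd_must_change <= int(now)


if __name__ == "__main__":
    # Constructed sample: user 'alice' changing her password now.
    ldif = password_change_ldif("alice")
    print(ldif)
    print("mods:", parse_ldif_mods(ldif))
    # Applying it with the posted admin DN would look like:
    #   ldapmodify -x -D "cn=administrator,dc=dialog-telekom,dc=at" -W -f change.ldif
```

Writing the record to a file and feeding it to ldapmodify with the ldap admin dn from the posted smb.conf is the part a real hook would add; the module stops at producing and checking the LDIF so it runs without a directory.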