[Samba] Re: LDAP violation ?

Andrew Bartlett abartlet at samba.org
Fri Apr 9 11:29:01 GMT 2004


On Fri, Apr 09, 2004 at 12:56:35PM +0200, M. Vancl wrote:
> 
> "Jerome Pramondon" <jpramondon at alicante.fr> wrote:
> 
> > The problem is when I start adding users using the 'smbpasswd' command.
> > I get an objectclass violation which says it cannot modify the
> > 'userPassword' attribute.
> > After some searching, I noticed the 'userPassword' attribute was only
> > defined in the 'PosixAccount' objectclass. If I use an LDAP browser to
> > look what's in my directory, I see the user account, but he only has the
> > 'SambaSamAccount' objectclass.
> > So it seems completely correct: if the 'PosixAccount' objectclass is not
> > added, then how could the 'userPassword' attribute be used in that
> > object ...
> > Then why does the command not add that objectclass?
> 
> I'm not sure, but I think smbpasswd is not usable for ldap backend and you
> must use some more sophisticated program for it (e.g. IDEALX smbldap-tools
> http://samba.idealx.org/).

No, smbpasswd will handle all of the Samba backends.  The issue here
is that the 'ldap password sync' option is being used (hint - always
post your smb.conf), and the user entries do not permit the setting of
an LDAP password.

(The exact requirements differ between directory servers, but for
OpenLDAP, your users must have a posixAccount or simpleSecurityObject
objectclass, to allow userPassword to be set).

Andrew Bartlett
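
Added example, not part of the original message and not Samba's own code: a check over an LDIF export that lists the sambaSamAccount entries carrying neither of the objectclasses the reply names, i.e. the entries where 'ldap password sync' would hit the violation. The sample LDIF, the function names and the two-class allow list are assumptions made for illustration; other schemas may permit userPassword through further classes.

```python
import base64

# Objectclasses the reply names as permitting userPassword on OpenLDAP.
# Assumption: extend this set to match the schema actually loaded.
PASSWORD_CLASSES = {"posixaccount", "simplesecurityobject"}

# Constructed sample export (not taken from the thread).
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: account
objectClass: sambaSamAccount
uid: alice

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob

dn: uid=carol,ou=People,
 dc=example,dc=org
objectClass: account
objectClass: simpleSecurityObject
objectClass: sambaSamAccount
uid: carol
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; handles line folding and '::' base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry["dn"][0], entry

def cannot_sync_password(text):
    """Return DNs of sambaSamAccount entries with no class permitting userPassword."""
    return [dn for dn, e in parse_ldif(text)
            if "sambasamaccount" in (c := {v.lower() for v in e.get("objectclass", [])})
            and not c & PASSWORD_CLASSES]

if __name__ == "__main__":
    print("\n".join(cannot_sync_password(SAMPLE_LDIF)))
```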

