[Samba] SAMBA / LDAP / Domain Password change problem - Repost, actually making some progress

John Schmerold john at katy.com
Sun Dec 5 17:19:39 GMT 2004


I'm making some progress. We can now attach to the domain & authenticate 
to the domain. I believe the big problem was my failure to configure the 
WINS server aspect of DHCP.

I'm still having the problem where we cannot add users, or change 
passwords from workstations, for example:
C:\Documents and Settings\Administrator.TOPC>net user testf 12341234 /add /domain
The request will be processed at a domain controller for domain TOPC.
System error 5 has occurred.
Access is denied.
C:\Documents and Settings\Administrator.TOPC>

The same thing happens if you press <CAD> & try changing your own password.

Is this a bug with Samba version 3.0.9-1.fc3?
If so, I'll quit beating my head against the wall.

We are using smbldap-tools-0.8.5-3

I've listed smb.conf, slapd.conf, the tail of the workstation log file & 
the results below.

An interesting issue is that the command above does add user testf, but 
won't update its password; the log (see below) states that the user 
already exists.

*Testparm reports:*
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[sys]"
Loaded services file OK.
# Global parameters
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = TOPC
server string = TOPC-FS1
interfaces = eth1, lo
min password length = 3
passdb backend = ldapsam:ldap://127.0.0.1/
passwd program = /usr/local/sbin/smbldap-passwd -u %u
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
logon script = startup.bat
logon path = \\fs1\sys
logon drive = F:
logon home = \\fs1\sys
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Manager,dc=twinoakschurch,dc=org
ldap delete dn = Yes
ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=twinoakschurch,dc=org
ldap user suffix = ou=Users
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
admin users = "@Domain Admins"
force user = root
hosts allow = 192.168.70., 192.168.35., 127.
cups options = raw
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /opt/samba/netlogon
[profiles]
path = /opt/samba/profiles
read only = No
create mask = 0644
guest ok = Yes
[sys]
path = /home/sys
read only = No
create mask = 0644

*SLAPD contains:*
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd.pid
database ldbm
suffix "dc=twinoakschurch,dc=org"
rootdn "cn=Manager,dc=twinoakschurch,dc=org"
rootpw xxxyyyy
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
*cat /var/log/samba/log.ts1*
[root@fs1 samba]# cat log.ts1
[2004/12/05 11:06:42, 1] smbd/service.c:make_connection_snum(648)
ts1 (192.168.70.11) connect to service netlogon initially as user root (uid=0, gid=0) (pid 27353)
[2004/12/05 11:06:44, 1] smbd/service.c:make_connection_snum(648)
ts1 (192.168.70.11) connect to service sys initially as user root (uid=0, gid=0) (pid 27353)
[2004/12/05 11:06:49, 1] smbd/service.c:make_connection_snum(648)
ts1 (192.168.70.11) connect to service Administrator initially as user root (uid=0, gid=0) (pid 27353)
[2004/12/05 11:07:14, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1516)
ldapsam_modify_entry: Failed to add user dn= uid=testf,ou=Users,dc=twinoakschurch,dc=org with: Already exists
ˆðõ°9û
[2004/12/05 11:07:14, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1948)
ldapsam_add_sam_account: failed to modify/add user with uid = testf (dn = uid=testf,ou=Users,dc=twinoakschurch,dc=org)
[2004/12/05 11:07:14, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2277)
could not add user/computer testf to passdb. Check permissions?
[root@fs1 samba]#

*Results of smbldap-usershow before & after workstation add user command:*
Before:
[root@fs1 samba]# smbldap-usershow testf
/usr/local/sbin/smbldap-usershow: user testf doesn't exist
After:
[root@fs1 samba]# smbldap-usershow testf
dn: uid=testf,ou=Users,dc=twinoakschurch,dc=org
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: testf
sn: testf
uid: testf
uidNumber: 1088
gidNumber: 513
homeDirectory: /home/testf
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
[root@fs1 samba]#

*To successfully add testf:*
[root@fs1 samba]# smbldap-userdel testf ; smbldap-useradd -m -a testf ; smbldap-usershow testf
dn: uid=testf,ou=Users,dc=twinoakschurch,dc=org
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: testf
sn: testf
uid: testf
uidNumber: 1089
gidNumber: 513
homeDirectory: /home/testf
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-4154844214-4102956091-3257168877-3178
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-4154844214-4102956091-3257168877-513
sambaNTPassword: XXX
sambaLogonScript: startup.bat
sambaProfilePath: \\FS1\profiles\
sambaHomePath: \\FS1\homes
sambaHomeDrive: F:
[root@fs1 samba]#

*We can then update testf's password:*
[root@fs1 samba]# smbldap-passwd testf
Changing password for testf
New password :
Retype new password :
[root@fs1 samba]#

