[Samba] Samba3 + smbldap-tools & smbpasswd - Figured out!
dan.samba at foxhosts.co.uk
Thu Sep 16 14:43:44 GMT 2004
On Thu, 2004-09-16 at 12:46, rruegner wrote:
> > load printers = yes
> > printing = cups
> > printcap name = cups
> is there a group ntadmin in ldap? usually it is only in passwd
> > printer admin = @ntadmin
I haven't gotten round to doing anything with printing yet. I think
that's the next challenge.
> see my parameters and compare
Well, I think I can actually spot something wrong with your config,
while discovering mine was never broken to the degree I thought!
You have the -a (add samba attributes) and -P (invoke smbldap-passwd)
switches to the adduser script, which seem unnecessary. The penny's
dropped and I've realised the scripts are only for taking care of
managing the posix account side of things - samba adds the samba
attributes to the LDAP record, so -a is not needed. Indeed, adding it
broke things for me as both script and samba try to add the same
attributes. -P doesn't seem needed either. I can add accounts perfectly
via usermgr.exe without these attributes.
I realised my sambaPwdMustChange value was being set two days ahead,
because that's set by default in the policy config part of usermgr.exe!
So, that was actually working fine, user error. Samba *doesn't* need to
run smbldap-passwd.pl for password changes at all. It will update the
samba related attributes itself, AND update the userPassword (posix)
field if you have "ldap passwd sync = Yes" set in smb.conf.
So, basically, it was all working fine to begin with. Gah!
> > ldap ssl = no
> makes no sense if you say ldap ssl no above
> > ldap ssl = start tls
Well, TLS is different to using old SSL as I understand it. TLS works
over usual port 389 while SSL is over 636. This much does work.
The 'net time' thing I mentioned before isn't a problem, I realised the
wrong time was being plucked from a random Windows box on the network,
not the samba server :) Hurrah for caffeine.
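
Added example, not part of the original post: a small Python check for the smb.conf points raised in this message (redundant -a/-P on the add user script, conflicting ldap ssl lines, ldap passwd sync). The script path and the sample config are constructed assumptions; the reasons given for -a and -P are the ones reported in the post.

```python
import re

# Constructed sample [global] fragment; the script path is an assumption,
# the options are the ones discussed in the thread.
SAMPLE = """\
[global]
    add user script = /usr/local/sbin/smbldap-useradd -a -P -m "%u"
    ldap ssl = no
    ; a later assignment of the same parameter
    ldap ssl = start tls
"""

def parse_global(text):
    """Return {parameter: [values in file order]} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse whitespace runs.
            params.setdefault(" ".join(name.lower().split()), []).append(value.strip())
    return params

def audit(text):
    """Return a list of findings for the settings this thread is about."""
    p, findings = parse_global(text), []
    for key, values in p.items():
        if len({v.lower() for v in values}) > 1:
            findings.append(f"conflict: '{key}' assigned {values}; the last one is used")
    script = p.get("add user script", [""])[-1].split()
    # Reasons as reported in the post.
    for flag, why in (("-a", "Samba writes the samba attributes itself"),
                      ("-P", "Samba sets the password itself")):
        if flag in script:
            findings.append(f"add user script: {flag} is redundant ({why})")
    # Only an explicit no/off is flagged; a missing line is left to the default.
    if p.get("ldap ssl", [""])[-1].lower() in ("no", "off"):
        findings.append("ldap ssl: LDAP traffic to the directory is not encrypted")
    if p.get("ldap passwd sync", ["no"])[-1].lower() not in ("yes", "only"):
        findings.append("ldap passwd sync: userPassword is not updated by Samba")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```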