[Samba] LDAP and password expiry

jake at capecodhomefinder.com jake at capecodhomefinder.com
Thu Aug 25 18:53:00 GMT 2005


Hello,

We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
Debian. My users are complaining about warnings that their password is about to
expire and that they are told "You do not have permission to change your
password" when they try to change it. sambaAcctFlags includes the X flag which
I thought meant "don't expire passwords." The password changing thing has got
me even more stumped. Can anyone offer any clues?

/etc/pam_ldap.conf:
# /etc/pam_ldap.conf as quoted in the post. No ssl/tls directive appears in
# the quoted snippet, so pam_ldap talks to slapd in the clear — tolerable
# only because the server is localhost.
host localhost
# search base for user lookups
base dc=trec,dc=us
ldap_version 3
# When the calling process is root, pam_ldap binds as this DN instead of
# anonymously. Its password is read from a companion secret file (on Debian
# the *.secret sibling of this conf — verify the exact path); that file must
# be root-owned, mode 0600.
rootbinddn cn=admin,dc=trec,dc=us
# Password changes use the LDAP password-modify extended operation
# (RFC 3062), so slapd — not the client — hashes the new value.
pam_password exop

/etc/libnss-ldap.conf:
# /etc/libnss-ldap.conf as quoted: byte-for-byte the same as pam_ldap.conf
# above. Plaintext to slapd, acceptable only on loopback.
host localhost
base dc=trec,dc=us
ldap_version 3
# NOTE(review): with rootbinddn set, every NSS lookup made by a root
# process binds as the directory admin (presumably so shadow attributes
# can be read). The secret file holding that password needs the same
# root-only permissions as for pam_ldap — confirm.
rootbinddn cn=admin,dc=trec,dc=us
# pam_password is a pam_ldap directive; nss_ldap has no use for it and
# presumably ignores it (harmless, but misleading in this file).
pam_password exop

Example user entry:

# Example user entry as quoted. Not strictly valid LDIF: the objectClass
# values are comma-joined on one wrapped line, whereas LDIF carries one
# "objectClass:" line per value — read that as a display artefact.
dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
objectClass:
top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: Suzanne Goodrich
sn: Goodrich
uid: sgoodrich
uidNumber: 2046
gidNumber: 100
homeDirectory: /home/sgoodrich
# no interactive Unix login for this account
loginShell: /bin/false
gecos: Suzanne Goodrich
description: Suzanne Goodrich
sambaLogonTime: 0
# 2147483647 = 2^31-1, the conventional "never" for these time attributes
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
# 0 (the epoch) = the user may change the password at any time
sambaPwdCanChange: 0
displayName: Suzanne Goodrich
# RID 5092 = 2*2046+1000, matching the usual smbldap uid-to-RID mapping;
# 513 is the well-known Domain Users RID
sambaSID: S-1-5-21-193596418-479643985-2333711390-5092
sambaPrimaryGroupSID: S-1-5-21-193596418-479643985-2333711390-513
# The LM/NT hashes are password-equivalent: whoever can read these
# attributes can authenticate as the user. Keep the directory ACL on them
# tight (admin DN and the user only).
sambaLMPassword: redacted
sambaNTPassword: redacted
# Unix time 1117397780 = 2005-05-29 20:16:20 UTC
sambaPwdLastSet: 1117397780
# Unix time 1125951380 = 2005-09-05 20:16:20 UTC, exactly 99 days
# (8553600 s) after sambaPwdLastSet and about 11 days after this post —
# consistent with the "about to expire" warnings the users report.
# NOTE(review): a concrete must-change date is set even though the X flag
# below is meant to disable expiry; which of the two Samba 3.0.14a and the
# Windows client honour is the open question — confirm against that version.
sambaPwdMustChange: 1125951380
# the LDAP password is stored as salted SHA-1, not in clear
userPassword: {SSHA}redacted
# N = no password required, U = normal user, X = password does not expire.
# N is dangerous together with "null passwords = yes" in the smb.conf
# [global] section below: as far as the Samba 3 SAM auth code goes, an
# account carrying N is then accepted without its password being checked.
# Remove N unless that is intended.
sambaAcctFlags: [NUX]

/etc/samba/smb.conf:
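[global]
# smb.conf as quoted in the post. Samba treats only lines that BEGIN with
# '#' or ';' as comments; anything after a value is part of the value. The
# original "ldap ssl" line carried an inline comment and is fixed below.
#
# User/group provisioning is delegated to smbldap-tools. These scripts run
# as root with client-supplied names substituted; the quotes around %u/%g
# keep each name a single argument.
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
# this server is the PDC for the domain (together with security = user)
domain logons = yes
domain master = yes
# honour rights granted with "net rpc rights" so that non-root users may
# perform e.g. machine-account operations
enable privileges = yes
encrypt passwords = true
# Unix identity used for anonymous (guest ok = yes) connections
guest account = nobody
# DN used for all directory writes; its password lives in secrets.tdb
# (set with "smbpasswd -w")
ldap admin dn = cn=admin,dc=trec,dc=us
# deleting a user removes the whole LDAP entry, not just the Samba
# attributes
ldap delete dn = yes
ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# on a password change Samba itself rewrites userPassword as well as the
# NT/LM hashes (see also "unix password sync" below)
ldap passwd sync = yes
# No TLS to slapd — tolerable only because "passdb backend" below points at
# localhost. The original line read "ldap ssl = no # start_tls": Samba would
# have taken "no # start_tls" as the value, rejected it as an unknown
# setting and kept the compiled-in default, so the effective value was not
# what the line suggests — check "testparm -v" on the live box. To turn
# TLS on later, use "ldap ssl = start tls".
ldap ssl = no
ldap suffix = dc=trec,dc=us
ldap user suffix = ou=Users
load printers = no
local master = yes
log file = /var/log/samba/log
log level = 1
logon drive = Z:
logon home = \\%L\%U
# profiles are stored inside the user's [homes] share; the separate
# [profile] share below is not referenced here
logon path = \\%L\%U\Profile
# fetched from the [netlogon] share and run on every client at logon
logon script = logon.cmd
# do not map the DOS archive/hidden/system attributes onto Unix execute bits
map archive = no
map hidden = no
map system = no
max log size = 1000
name resolve order = host
# SECURITY: allows client access to accounts without a password. Combined
# with the N flag in an account's sambaAcctFlags (the example entry above
# is [NUX]) such an account is accepted without a password check. Set to
# "no" unless password-less accounts are deliberately in use.
null passwords = yes
# apply PAM account/session checks to SMB sessions
obey pam restrictions = yes
os level = 65
# the Unix-side password change goes through PAM (here pam_ldap, exop)
# rather than "passwd program"
pam password change = yes
panic action = /usr/share/samba/panic-action %d
# plaintext ldap:// — keep this on localhost unless "ldap ssl" is enabled
passdb backend = ldapsam:ldap://localhost/
preferred master = yes
preserve case = yes
security = user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
short preserve case = yes
show add printer wizard = no
socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
syslog = 1
syslog only = no
time server = yes
# NOTE(review): with "ldap passwd sync = yes" already rewriting
# userPassword, this makes the same password change run a second time via
# PAM as root. A failure on either path surfaces to the client as a
# failed change — worth checking while chasing the "no permission to
# change your password" error.
unix password sync = yes
wins support = yes
workgroup = TREC
# SECURITY: logs the passwd chat exchange, including the new password in
# clear, at debug level 100. Harmless at "log level = 1", but any debugging
# session that raises the log level will write passwords to the log file.
# Turn off when not actively debugging.
passwd chat debug = yes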

[homes]
# per-user home share, exposed as \\server\<username> at connect time
comment = %u's private information.
browseable = no
writable = yes
# group-writable defaults: files 0660, directories 0770
create mask = 0660
directory mask = 0770
# new files and directories take their permissions from the parent
# directory rather than from the masks above
inherit permissions = yes
# hidden from directory listings only; "hide files" does not deny access
# (that would need "veto files")
hide files = /Profile/Registry/Outlook.pst/outlook.pst/Maildir/
guest ok = no
# SECURITY: every member of group staff performs file operations on EVERY
# user's home share as root, irrespective of file permissions — full
# read/write to all users' data. Keep this group tiny or drop the line.
admin users = @staff

[profile]
# roaming-profile share rooted under the user's home directory (%H).
# NOTE(review): "logon path" in [global] points at \\%L\%U\Profile, i.e.
# into the [homes] share, so clients may never connect to this share by
# name — confirm which of the two actually serves profiles.
path = %H/Profile
# "browsable" is an accepted alternative spelling of "browseable" as used
# in [homes]; same meaning
browsable = no
writable = yes
create mask = 0660
directory mask = 0770
# nt acl support = no
# same caveat as in [homes]: members of staff act as root on this share
admin users = @staff

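[netlogon]
# Serves the logon script named in [global] ("logon script = logon.cmd"),
# which every domain client runs at logon. Whoever can write here controls
# what all clients execute, so keep "write list" minimal and audit changes
# under /export/netlogon.
comment = Network Logon Service
path = /export/netlogon
# anonymous read was commonly required for older (Win9x-era) clients;
# domain members authenticate anyway, so review whether guest access is
# still needed
guest ok = yes
read only = yes
share modes = no
# The mailing-list archive rewrote "@" as " at " on this line, leaving
# "root, at staff" — which Samba would split into three users (root, at,
# staff), so nobody in group staff would have had write access. Samba's
# group syntax is "@group"; restored.
write list = root,@staff
# nt acl support = no
# files written here are owned by group staff
force group = staff
browseable = no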



