[Samba] LDAP and password expiry

Paul Gienger pgienger at ae-solutions.com
Thu Aug 25 19:12:27 GMT 2005


> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
> Debian. My users are complaining about warnings that their password is
> about to expire, and that they are told "You do not have permission to
> change your password" when they try to change it. sambaAcctFlags includes
> the X flag, which I thought meant "don't expire passwords." The password
> changing thing has got me even more stumped. Can anyone offer any clues?

Does the password actually get changed even though they receive that
error?  I see that one here, along with various other errors, and they are
false errors, since all the passwords ARE in fact changed.


 
> /etc/pam_ldap.conf:
> host localhost
> base dc=trec,dc=us
> ldap_version 3
> rootbinddn cn=admin,dc=trec,dc=us
> pam_password exop
> 
> /etc/libnss-ldap.conf:
> host localhost
> base dc=trec,dc=us
> ldap_version 3
> rootbinddn cn=admin,dc=trec,dc=us
> pam_password exop
> 
> Example user entry:
> 
> dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
> cn: Suzanne Goodrich
> sn: Goodrich
> uid: sgoodrich
> uidNumber: 2046
> gidNumber: 100
> homeDirectory: /home/sgoodrich
> loginShell: /bin/false
> gecos: Suzanne Goodrich
> description: Suzanne Goodrich
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: Suzanne Goodrich
> sambaSID: S-1-5-21-193596418-479643985-2333711390-5092
> sambaPrimaryGroupSID: S-1-5-21-193596418-479643985-2333711390-513
> sambaLMPassword: redacted
> sambaNTPassword: redacted
> sambaPwdLastSet: 1117397780
> sambaPwdMustChange: 1125951380
> userPassword: {SSHA}redacted
> sambaAcctFlags: [NUX]
> 
> /etc/samba/smb.conf:
> [global]
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> domain logons = yes
> domain master = yes
> enable privileges = yes
> encrypt passwords = true
> guest account = nobody
> ldap admin dn = cn=admin,dc=trec,dc=us
> ldap delete dn = yes
> ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap passwd sync = yes
> ldap ssl = no # start_tls
> ldap suffix = dc=trec,dc=us
> ldap user suffix = ou=Users
> load printers = no
> local master = yes
> log file = /var/log/samba/log
> log level = 1
> logon drive = Z:
> logon home = \\%L\%U
> logon path = \\%L\%U\Profile
> logon script = logon.cmd
> map archive = no
> map hidden = no
> map system = no
> max log size = 1000
> name resolve order = host
> null passwords = yes
> obey pam restrictions = yes
> os level = 65
> pam password change = yes
> panic action = /usr/share/samba/panic-action %d
> passdb backend = ldapsam:ldap://localhost/
> preferred master = yes
> preserve case = yes
> security = user
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> short preserve case = yes
> show add printer wizard = no
> socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> syslog = 1
> syslog only = no
> time server = yes
> unix password sync = yes
> wins support = yes
> workgroup = TREC
> passwd chat debug = yes
> 
> [homes]
> comment = %u's private information.
> browseable = no
> writable = yes
> create mask = 0660
> directory mask = 0770
> inherit permissions = yes
> hide files = /Profile/Registry/Outlook.pst/outlook.pst/Maildir/
> guest ok = no
> admin users = @staff
> 
> [profile]
> path = %H/Profile
> browsable = no
> writable = yes
> create mask = 0660
> directory mask = 0770
> # nt acl support = no
> admin users = @staff
> 
> [netlogon]
> comment = Network Logon Service
> path = /export/netlogon
> guest ok = yes
> read only = yes
> share modes = no
> write list = root, at staff
> # nt acl support = no
> force group = staff
> browseable = no
> 
> 


