[Samba] LDAP and password expiry

Jacob Elder jake.samba at trec.us
Thu Aug 25 19:38:48 GMT 2005


No, the passwords never actually get changed.

-- 
Jacob Elder


Quoting Paul Gienger <pgienger at ae-solutions.com>:

>> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
>> Debian. My users are complaining about warnings that their password is
>> about to expire and that they are told "You do not have permission to change
>> your password" when they try to change it. sambaAcctFlags includes the X flag
>> which I thought meant "don't expire passwords." The password changing thing
>> has got me even more stumped. Can anyone offer any clues?
>
> Do you also get the password actually being changed when they get that
> error?  I see that and also various other errors, which are false errors
> since all passwords ARE in fact changed.
>
>
>
>> /etc/pam_ldap.conf:
>> host localhost
>> base dc=trec,dc=us
>> ldap_version 3
>> rootbinddn cn=admin,dc=trec,dc=us
>> pam_password exop
>>
>> /etc/libnss-ldap.conf:
>> host localhost
>> base dc=trec,dc=us
>> ldap_version 3
>> rootbinddn cn=admin,dc=trec,dc=us
>> pam_password exop
>>
>> Example user entry:
>>
>> dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
>> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
>> cn: Suzanne Goodrich
>> sn: Goodrich
>> uid: sgoodrich
>> uidNumber: 2046
>> gidNumber: 100
>> homeDirectory: /home/sgoodrich
>> loginShell: /bin/false
>> gecos: Suzanne Goodrich
>> description: Suzanne Goodrich
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> displayName: Suzanne Goodrich
>> sambaSID: S-1-5-21-193596418-479643985-2333711390-5092
>> sambaPrimaryGroupSID: S-1-5-21-193596418-479643985-2333711390-513
>> sambaLMPassword: redacted
>> sambaNTPassword: redacted
>> sambaPwdLastSet: 1117397780
>> sambaPwdMustChange: 1125951380
>> userPassword: {SSHA}redacted
>> sambaAcctFlags: [NUX]
>>
>> /etc/samba/smb.conf:
>> [global]
>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>> delete user script = /usr/sbin/smbldap-userdel "%u"
>> domain logons = yes
>> domain master = yes
>> enable privileges = yes
>> encrypt passwords = true
>> guest account = nobody
>> ldap admin dn = cn=admin,dc=trec,dc=us
>> ldap delete dn = yes
>> ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
>> ldap group suffix = ou=Groups
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = yes
>> ldap ssl = no # start_tls
>> ldap suffix = dc=trec,dc=us
>> ldap user suffix = ou=Users
>> load printers = no
>> local master = yes
>> log file = /var/log/samba/log
>> log level = 1
>> logon drive = Z:
>> logon home = \\%L\%U
>> logon path = \\%L\%U\Profile
>> logon script = logon.cmd
>> map archive = no
>> map hidden = no
>> map system = no
>> max log size = 1000
>> name resolve order = host
>> null passwords = yes
>> obey pam restrictions = yes
>> os level = 65
>> pam password change = yes
>> panic action = /usr/share/samba/panic-action %d
>> passdb backend = ldapsam:ldap://localhost/
>> preferred master = yes
>> preserve case = yes
>> security = user
>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>> short preserve case = yes
>> show add printer wizard = no
>> socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> syslog = 1
>> syslog only = no
>> time server = yes
>> unix password sync = yes
>> wins support = yes
>> workgroup = TREC
>> passwd chat debug = yes
>>
>> [homes]
>> comment = %u's private information.
>> browseable = no
>> writable = yes
>> create mask = 0660
>> directory mask = 0770
>> inherit permissions = yes
>> hide files = /Profile/Registry/Outlook.pst/outlook.pst/Maildir/
>> guest ok = no
>> admin users = @staff
>>
>> [profile]
>> path = %H/Profile
>> browsable = no
>> writable = yes
>> create mask = 0660
>> directory mask = 0770
>> # nt acl support = no
>> admin users = @staff
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /export/netlogon
>> guest ok = yes
>> read only = yes
>> share modes = no
>> write list = root, @staff
>> # nt acl support = no
>> force group = staff
>> browseable = no
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
>
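The entry quoted above carries the combination the thread is puzzling over: sambaAcctFlags contains X ("password does not expire") while sambaPwdMustChange holds a finite timestamp (1125951380, early September 2005, about eleven days after this message) rather than the 2147483647 "never" value that smbldap-tools uses for sambaKickoffTime in the same entry. The same entry also carries the N flag ("no password required"), which is worth noticing alongside `null passwords = yes` in the posted smb.conf. The script below is an added example, not code from the thread or from smbldap-tools: it parses an LDIF entry (a constructed sample built from the posted one, hashes omitted and objectClass values written one per line as LDIF requires), decodes the account flags, and reports these inconsistencies so they can be reviewed before touching pam_ldap or smb.conf. The `now` timestamp is passed in explicitly so the check is reproducible.

```python
"""Audit a sambaSamAccount entry for password-expiry inconsistencies.

Added example, not code from the thread or from smbldap-tools. It parses an
LDIF entry (constructed here from the one quoted in the thread, with the
password hashes left out) and reports the attribute/flag combinations that
explain expiry warnings, or that an administrator would want to review anyway.
"""
from datetime import datetime, timezone

# smbldap-tools writes this value into sambaPwdMustChange / sambaKickoffTime
# to mean "never" (largest signed 32-bit time_t).
NEVER = 2147483647

# Meaning of the letters inside sambaAcctFlags "[...]" (Samba 3 passdb).
ACCT_FLAGS = {
    "D": "account disabled",
    "H": "home directory required",
    "I": "interdomain trust account",
    "L": "auto-locked",
    "M": "MNS logon account",
    "N": "no password required",
    "S": "server trust account",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "W": "workstation trust account",
    "X": "password does not expire",
}

# Constructed sample based on the posted entry (one objectClass per line,
# as LDIF requires; password attributes omitted).
SAMPLE_LDIF = """\
dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: sgoodrich
sambaPwdCanChange: 0
sambaPwdLastSet: 1117397780
sambaPwdMustChange: 1125951380
sambaAcctFlags: [NUX]
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}, honouring folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_acct_flags(value):
    """Turn '[NUX]' into {'N': 'no password required', ...}."""
    return {c: ACCT_FLAGS.get(c, "unknown flag") for c in value.strip("[] ")}


def to_iso(ts):
    """Render a Unix timestamp as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def audit_entry(entry, now, warn_days=14):
    """Return a list of (code, message) findings for one entry.

    `now` is a Unix timestamp so the check is reproducible offline.
    """
    findings = []
    flags = parse_acct_flags(entry.get("sambaAcctFlags", ["[]"])[0])
    must = int(entry.get("sambaPwdMustChange", [NEVER])[0])
    last_set = int(entry.get("sambaPwdLastSet", [0])[0])

    if "D" in flags:
        findings.append(("DISABLED", "account is disabled (D flag)"))
    if "N" in flags:
        findings.append(("NO_PASSWORD_REQUIRED",
                         "N flag set: account marked as not requiring a password "
                         "(review together with 'null passwords' in smb.conf)"))
    if "X" in flags and must != NEVER:
        findings.append(("X_WITH_FINITE_MUSTCHANGE",
                         "X flag says 'never expires' but sambaPwdMustChange is "
                         f"{must} ({to_iso(must)}); set it to {NEVER} to match"))
    if must != NEVER:
        days_left = (must - now) // 86400
        if must <= now:
            findings.append(("EXPIRED",
                             f"sambaPwdMustChange passed on {to_iso(must)}"))
        elif days_left < warn_days:
            findings.append(("EXPIRES_SOON",
                             f"password expires in {days_left} day(s), on {to_iso(must)}"))
    if last_set and must != NEVER and must < last_set:
        findings.append(("MUSTCHANGE_BEFORE_LASTSET",
                         "sambaPwdMustChange precedes sambaPwdLastSet"))
    return findings


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    # Fixed timestamp near the date of the thread (late August 2005).
    for code, msg in audit_entry(entry, now=1125000000):
        print(f"{entry['uid'][0]}: {code}: {msg}")
```

Run against the sample it reports the N flag, the X flag contradicted by a finite sambaPwdMustChange, and an expiry due in about eleven days; an entry with `[U]` and sambaPwdMustChange set to 2147483647 produces no findings. Feeding it the output of an `ldapsearch` over `(objectClass=sambaSamAccount)` (one entry at a time) gives a quick inventory of which users will see the warning.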