[Samba] Problems with userPassword when it's base64 encoded

Sævaldur Gunnarsson addi at kung.foo.is
Tue Jun 7 21:02:55 GMT 2005


I'm switching from OpenLDAP to the newly released Fedora Directory 
Server (formerly known as the Netscape Directory Server) as an LDAP 
backend for my Samba domain.

I'm now faced with a problem regarding how Fedora DS handles the 
userPassword field.
Unlike OpenLDAP it encodes it in base64 so instead of reading
userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p
it reads:
userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A=

Samba apparently does not like this because when I try to change the 
password using the "ctrl+alt+del -> Change Password" method I get the 
following error in samba.log (with log level = passdb:5)

-- cut here --
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
   init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
   init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
   ldapsam_update_sam_account: user gg to be modified has dn: 
uid=gg,ou=People,dc=kung,dc=foo
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_ldap_from_sam(893)
   init_ldap_from_sam: Setting entry for user: gg
[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
   ldapsam_modify_entry: LDAP Password could not be changed for user gg: 
Unknown error
         Current passwd must be supplied by the user.

[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
   ldapsam_update_sam_account: failed to modify user with uid = gg, 
error: Current passwd must be supplied by the user.
    (Success)
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
   init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
   decode_pw_buffer: incorrect password length (-988553355).
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
   decode_pw_buffer: check that 'encrypt passwords = yes'
-- cut here --

And a dialog from Windows that says:
"The User name or old password is incorrect. Letters in passwords must 
be typed using the correct case."

The SambaNTPassword and SambaLMPassword entries change, but the 
userPassword entry does not.
I'm using the ldap passwd sync = Yes option in my smb.conf since the 
LDAP server is used for Linux authentication as well as Samba 
authentication.

However, if I use the smbldap-passwd utility everything works like a charm.
Both the SambaLMPassword/SambaNTPassword and userPassword entries are 
changed.

If the ldap passwd sync option is set to No in the smb.conf then Windows 
does not complain when I use ctrl+alt+del method, but then of course the 
userPassword entry is not modified.


The samba server is a RHEL4 machine with samba-3.0.10-1.4E and 
fedora-ds-7.1-2.RHEL4.
Output from ldapsearch of the user gg:

--cut here --
kung.foo.is /opt/fedora-ds/slapd-palladium/config/schema# ldapsearch -x 
-ZZ -D "uid=gg,ou=People,dc=kung,dc=foo" -W uid=gg userPassword 
SambaLMPassword SambaNTPassword
Enter LDAP Password:

# gg, People, kung.foo
dn: uid=gg,ou=People,dc=kung,dc=foo
userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=
SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
--cut here--

Advice on how to correct this is greatly appreciated.

-- 
< Sævaldur Gunnarsson _ RHCE />
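
Added example, not part of the original post and not Samba or Fedora DS code: in LDIF (RFC 2849) a double colon after the attribute name marks a base64-encoded value, so the sketch below decodes both renderings quoted in the message and compares the resulting bytes, then splits the {SSHA} value into its SHA-1 digest and salt. The helper names and the demo password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

def ldif_value(line):
    """Return (attribute, raw bytes) for one LDIF attribute line.

    RFC 2849: 'attr: value' is literal text, 'attr:: value' is base64.
    """
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):
        raise ValueError("URL-valued attributes are not handled here")
    return attr, rest.strip().encode("utf-8")

def split_ssha(stored):
    """Split a '{SSHA}...' value into (20-byte SHA-1 digest, salt)."""
    scheme, _, b64 = stored.partition(b"}")
    if scheme.upper() != b"{SSHA":
        raise ValueError("not an SSHA value")
    blob = base64.b64decode(b64, validate=True)
    if len(blob) <= 20:
        raise ValueError("SSHA value has no salt")
    return blob[:20], blob[20:]

def check_ssha(stored, password):
    """Recompute SHA1(password + salt) and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def make_ssha(password, salt):
    """Build an SSHA value; used here only to create constructed test data."""
    blob = hashlib.sha1(password + salt).digest() + salt
    return b"{SSHA}" + base64.b64encode(blob)

# The two renderings quoted in the post.
PLAIN = "userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p"
ENCODED = "userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A="

if __name__ == "__main__":
    print("same stored value:", ldif_value(PLAIN) == ldif_value(ENCODED))
    digest, salt = split_ssha(ldif_value(ENCODED)[1])
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
    demo = make_ssha(b"constructed-password", b"\x01\x02\x03\x04")
    print("constructed hash verifies:", check_ssha(demo, b"constructed-password"))
```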

