[Samba] Problems with userPassword when it's base64 encoded

Sævaldur Gunnarsson addi at kung.foo.is
Thu Jun 9 13:19:29 GMT 2005

>> I'm switching from OpenLDAP to the newly released Fedora Directory
>> Server (formely known as the Netscape Directory Server) as a LDAP
>> backend for my Samba domain.
>> I'm now faced with a problem regarding how Fedora DS handles the
>> userPassword field.
>> Unlike OpenLDAP it encodes it in base64 so instead of reading
>> userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p
>> it reads:
>> userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A=

As it turnes out that was not the problem.
The problem was that no one can change the password of a user (not ever
the Directory superuser) without passing the current password as well.

kung.foo.is ~$ ldappasswd -x -ZZ -D "cn=Directory Manager" -W
uid=gg,ou=People,dc=kung,dc=foo -s newpass
Enter LDAP Password:
Result: Unknown error (89)
Additional info: Current passwd must be supplied by the user.

>> However, if I use the smbldap-passwd utility everything works like a
>> charm.
>> Both the SambaLMPassword/SambaNTPassword and userPassword entries are
>> changed.

This puzzles me a bit though.
Can I somehow make Samba envoke the smbldap-passwd utility when users try
to change their password from Windows ?

Sævaldur Gunnarsson /> RHCE

More information about the samba mailing list