[Samba] User Manger for Domains can not reset user password.

Michael Gasch gasch at eva.mpg.de
Sun Apr 30 11:31:58 GMT 2006


The first thing I do when having trouble with usrmgr:
1) raise the debug level in smb.conf (log level = 10), then drop any
existing connection from the client you will test from to the DC, so
that the new session is logged at the higher level
2) open usrmgr on that client
3) truncate that client's log: echo "" > log.<client>
4) try to reset the password
5) read the log

Caveat: at log level 10 smbd logs far more than usual, and the trace of
a password change may well contain data you do not want on a public
list; review and sanitise the log before posting it, and set the log
level back down once you are done.

Which result do you get?

Since the error message names a group, I would also check that the
primary group of that user resolves on the server (net groupmap list,
and the gidNumber / sambaSID of the group entry under ou=Groups) - "the
group name could not be found" looks like the group lookup, not the
password change itself, is what fails.

A few other things I noticed while reading your configs:

- rootpw in slapd.conf: you have just posted the {SSHA} hash of your
  cn=Manager password to a public list. Rotate that password, and strip
  secrets from configs before posting them.
- slapd.conf ACLs: cn=nssldap (the nss_ldap rootbinddn from your
  ldap.conf) is granted write on userPassword/sambaNTPassword/
  sambaLMPassword; nss lookups need at most read, so reduce that to
  read. The final "access to * by * read" also lets anonymous clients
  read anything not matched by an earlier rule, which is only
  acceptable if slapd really is reachable from 127.0.0.1 alone.
- [netlogon]: write list = Domain, Admins is two entries ("Domain" and
  "Admins"), not the group - compare the quoted "@Domain Admins" you use
  in [C$]. Likewise [print$] has "@@Domain Admins" (doubled @, probably
  a typo) and [home$] has "Domain Admins" without the @, which names a
  user, not a group.
- [ezaudit]: guest ok = Yes, read only = No and force create mode = 0777
  with no valid users means anyone who can reach the server can write
  there, and everything created is world-writable - is that intended?
- [AdminTools$], [HSGUIDANCE], [HS PRINCIPAL], [CIP], [POISE ISSUES] and
  [HSDISCIPLINE] are writable with no valid users / write list, so
  access to them is governed only by the Unix permissions on those
  paths; given the share names, worth checking.
- [global] repeats most parameters twice (the second copy looks like a
  testparm dump); Samba takes the last value, so this is harmless, but
  run testparm -s once and keep a single copy to avoid surprises.

greez

Glenn Arnold wrote:
> I am running RHES 3.0 with Samba 3.0.22 and OpenLDAP 2.1.22 (ldapsam
> backend). When I use User Manager for Domains and try to change a user's
> password as root or as any other Domain Admin account, I get the following
> error: "The following error occurred changing the properties of the user
> jcampbell. The group name could not be found."  When you look at groups
> under User Manager, Domain Users is set as the default group.  Any ideas?
> 
> 
> Thanks
> -Glenn
> 
> smb.conf
> [global]
> interfaces = eth*
> netbios name = SERVER
> workgroup = EXAMPLE
> server string =
> security = user
> os level = 64
> domain master = yes
> local master = yes
> preferred master = yes
> time server = yes
> #passdb backend = tdbsam
> ldappasswd sync =yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=samba,ou=DSA,dc=example,dc=net
> #ldap admin dn = cn=Manager,dc=example,dc=net
> ldap suffix = dc=example,dc=net
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap ssl = no
> unix extensions = yes
> encrypt passwords = yes
> domain logons = yes
> logon script = logon.bat
> logon drive = H:
> logon home = \\%L\%U
> logon path =
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
>         add user script = /usr/local/sbin/smbldap-useradd -m '%u'
>         delete user script = /usr/local/sbin/smbldap-userdel '%u'
>         add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
>         delete group script = /usr/local/sbin/smbldap-groupdel '%g'
>         add user to group script = /usr/local/sbin/smbldap-groupmod -m
> '%u' '%g'
>         delete user from group script = /usr/local/sbin/smbldap-usermod
> -g '%g' '%u'
>         set primary group script = /usr/local/sbin/smbldap-usermod -g
> '%g' '%u'
>         add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>         logon script = logon.bat
>         logon path =
>         logon drive = H:
>         logon home = \\%L\%U
>         domain logons = Yes
>         os level = 64
>         preferred master = Yes
>         domain master = Yes
>         wins server = 10.100.0.10
>         ldap admin dn = cn=samba,ou=DSA,dc=example,dc=net
>         ldap delete dn = Yes
>         ldap group suffix = ou=Groups
>         ldap machine suffix = ou=Computers
>         ldap passwd sync = Yes
>         ldap suffix = dc=example,dc=net
>         ldap ssl = no
>         ldap user suffix = ou=Users
>         idmap uid = 15000-20000
>         idmap gid = 15000-20000
>         winbind separator = -
>         force printername = Yes
> 
> [netlogon]
>         path = /smbsrvr/netlogon/scripts
>         write list = Domain, Admins
>         guest ok = Yes
>         browseable = No
> 
> [homes]
>         comment = Home Directories
>         force group = "Domain Admins"
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files =
> /*.mp3/*.exe/*.com/*.js/*.bat/*.cmd/*.wsh/*.scr/*.zip/.*/testfile/
>         browseable = No
> 
> [C$]
>         path = /smbsrvr
>         valid users = "@Domain Admins"
>         force group = "Domain Admins"
>         read only = No
>         create mask = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files = /fnksvc32.exe/testfile/
> 
> [tftpboot$]
>         path = /tftpboot
>         valid users = "@Domain Admins"
>         force group = "root"
>         read only = No
>         create mask = 0775
>         directory mask = 0775
>         force directory mode = 0775
> 
> [Apps]
>         path = /smbsrvr/Apps
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         inherit permissions = Yes
>         veto files = /fnksvc32.exe/testfile/
> 
> [Students]
>         path = /smbsrvr/Students
>         force group = hsstudents
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files = /fnksvc32.exe/testfile/
> 
> [AdminTools$]
>         path = /smbsrvr/AdminTools
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         guest ok = Yes
>         printable = Yes
>         default devmode = Yes
>         veto files = /fnksvc32.exe/testfile/
>         browseable = No
> 
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/drivers
>         write list = root, "@@Domain Admins"
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [home$]
>         path = /home
>         valid users = "Domain Admins", +ntadmins, +root, "@MTHS-Domain
> Admins", @ntadmin, @root
>         write list = +ntadmin, "@MTHS-Domain Admins", @ntadmin, @root
>         force group = "Domain Admins"
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files = /fnksvc32.exe/testfile/
> 
> [ezaudit]
>         path = /smbsrvr/ezaudit
>         force group = "Domain Users"
>         read only = No
>         create mask = 0777
>         force create mode = 0777
>         directory mask = 0777
>         force directory mode = 0777
>         guest ok = Yes
>         browseable = No
> 
> [HSGUIDANCE]
>         path = /smbsrvr/Guidance
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [HS PRINCIPAL]
>         path = /smbsrvr/hsprincipal
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [CIP]
>         path = /smbsrvr/CIP
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [POISE ISSUES]
>         path = /smbsrvr/Poise Issues
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [HSDISCIPLINE]
>         path = /smbsrvr/Discipline
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [YEARBOOK]
>         path = /smbsrvr/yearbook
>         valid users = @hsyearbook
>         force group = hsyearbook
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files = /fnksvc32.exe/testfile/
> 
> [MTM]
>         path = /smbsrvr/Apps/Mtm
>         valid users = @hsbuilding, "@Domain Admins"
>         force group = hsbuilding
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
> 
> [INSTALL]
>         comment = Mt. Healthy Software
>         path = /smbsrvr/Install
>         write list = root, "@Domain Admins"
>         force group = Domain Admins
>         read only = No
>         create mask = 0775
>         force create mode = 0775
>         directory mask = 0775
>         force directory mode = 0775
>         veto files = /fnksvc32.exe/testfile/
> 
> [hsstudents]
>         path = /home/hsstudents
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [hsstaff]
>         path = /home/hsstaff
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [hsbuilding]
>         path = /home/hsbuilding
>         read only = No
>         veto files = /fnksvc32.exe/testfile/
> 
> [staffback$]
>         path = /home/staffback
>         valid users = @hsstaff
>         force group = hsstaff
>         read only = No
>         create mask = 0770
>         force create mode = 0770
>         directory mask = 0770
>         force directory mode = 0770
>         veto files = /fnksvc32.exe/testfile/
> 
> ldap.conf
> HOST 127.0.0.1
> BASE dc=example,dc=net
> rootbinddn cn=nssldap,ou=DSA,dc=example,dc=net
> nss_base_passwd         dc=example,dc=net?sub
> nss_base_shadow         dc=example,dc=net?sub
> nss_base_group          ou=Groups,dc=example,dc=net?one
> 
> ssl no
> 
> pam_password md5
> 
> slapd.conf
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27
> 20:00:31 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba3.schema
> #include                /etc/openldap/schema/redhat/autofs.schema
> #include        /etc/openldap/schema/redhat/kerberosobject.schema
> 
> # Define global ACLs to disable default read access.
> 
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
> 
> #pidfile        //var/run/slapd.pid
> #argsfile       //var/run/slapd.args
> # Create a replication log in /var/lib/ldap for use by slurpd.
> #replogfile     /var/lib/ldap/master-slapd.replog
> 
> # Load dynamic backend modules:
> # modulepath    /usr/sbin/openldap
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
> 
> #
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it.
> # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> #
> # Sample Access Control
> #       Allow read access of root DSE
> #       Allow self write access
> #       Allow authenticated users read access
> # rootdn can always write!
> access to
> attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,samba
> PwdMustChange
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by dn="cn=nssldap,ou=DSA,dc=example,dc=net" write
>       by self write
>       by anonymous auth
>       by * none
> # some attributes need to be readable anonymously so that 'id user'
> # can answer correctly
> access to
> attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,m
> emberUid,loginshell
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by * read
> # some attributes can be writable by the users themselves
> access to attrs=description,telephoneNumber
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by self write
>       by * read
> # some attributes need to be writable for samba
> access to
> attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,
> sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sa
> mbaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,s
> ambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,s
> ambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sa
> mbaNextUserRid,sambaAlgorithmicRidBase
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by self read
>       by * none
> # samba needs to be able to create the samba domain account
> access to dn.base="dc=example,dc=net"
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by * none
> # samba needs to be able to create new user accounts
> access to dn="ou=Users,dc=example,dc=net"
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by * none
> # samba needs to be able to create new group accounts
> access to dn="ou=Groups,dc=example,dc=net"
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by * none
> # samba needs to be able to create new computer accounts
> access to dn="ou=Computers,dc=example,dc=net"
>       by dn="cn=samba,ou=DSA,dc=example,dc=net" write
>       by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
>       by * none
> # this can be omitted but we leave it: there could be other branches
> # in the directory
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>       by self write
>       by anonymous auth
>       by * none
> access to *
>       by * read
> #######################################################################
> # ldbm database definitions
> #######################################################################
> 
> database        ldbm
> suffix          "dc=example,dc=net"
> #suffix         "o=My Organization Name,c=US"
> rootdn          "cn=Manager,dc=example,dc=net"
> rootdn          "cn=Manager,dc=example,dc=net"
> rootpw          {SSHA}rCWryJIyAP66u64ALA6gRREQ7j2bJH0T
> #rootdn         "cn=Manager,o=My Organization Name,c=US"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw                secret
> # rootpw                {crypt}ijFYNcSNctBYg
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd/tools. Mode 700 recommended.
> directory       /var/lib/ldap
> 
> #performance mods
> loglevel 256
> sizelimit 100000
> cachesize 100000
> dbcachesize 30000000
> 
> # Indices to maintain
> index   objectClass,uidNumber,gidNumber                 eq
> index   cn,sn,uid,displayName                           pres,sub,eq
> index   memberUid,mail,givenname                eq,subinitial
> index   sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399

