Jim Summers jsummers at cs.ou.edu
Tue Aug 1 14:52:31 GMT 2006

Hello List,

I am attempting to resolve a problem with my samba / ldap setup when a user 
attempts to change their samba password.  I am running smbd version: 3.0.22 on 
RHEL4.  When a user attempts to change their windows password the following 
shows up in the smbd.log file:

ldapsam_modify_entry: LDAP Password could not be changed for user sland: 
Confidentiality required
         Operation requires a secure connection.

Since my ldap server is set up with ldaps using a self-signed certificate I 
figured all I need to do is turn ssl on with:

ldap ssl = on

and the passdb backend set with "ldap://host"

but that still returned the same error messages in the log.

Next I tried changing the passdb backend to use "ldaps://host"

but then I started getting the following message in the log:
  LDAP error: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Time
limit exceeded)

and using:  openssl s_client -connect server-cert:636 -showcerts -state

ends with: Verify return code: 19 (self signed certificate in certificate chain)

Which works ok with /etc/ldap.conf by turning off certificate checking.

So I am not sure which way to go at this point.  Since the ldap authentication 
for the operating system works through ldaps with no problem, I have it set 
to not verify the certificate in ldap.conf, then it seems I need to be able to 
tell samba to not verify the certificate? I looked through the docs and did 
not see a parameter for that.  Is there such a parameter?

Any ideas or suggestions?

Jim Summers
School of Computer Science-University of Oklahoma
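As an added illustration (not part of the original post), the script below reproduces the "self signed certificate" verification failure offline with a constructed certificate and shows the alternative to switching verification off: give the OpenLDAP client library the server's own certificate as its trust anchor via `TLS_CACERT`. It assumes `openssl` is on PATH, that smbd on RHEL links against the OpenLDAP client library and therefore honours `/etc/openldap/ldap.conf`, and that the host names and the `/etc/openldap/cacerts/ldap-server.pem` path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the
# "self signed certificate" verify error against a trust store that
# lacks the server cert, then shows it passing once the server's own
# certificate is the trust anchor (what TLS_CACERT does for libldap).
# Assumes: openssl on PATH; host names below are constructed.
set -e

# Build a self-signed server certificate like the poster's ldaps server
# presents (constructed test material written into directory $1, CN $2).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Verify certificate $1 against trust-anchor file $2, the same check the
# client library performs. Prints OK, or FAIL plus openssl's reason.
verify_against() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    case "$out" in
        *": OK"*) echo OK ;;
        *) echo "FAIL: $(printf '%s\n' "$out" | grep -i error | head -1)" ;;
    esac
}

# Lines for /etc/openldap/ldap.conf that keep verification on but trust
# the self-signed cert stored at $1 (assumed path, chosen by the admin).
suggested_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/server" "$work/other"
    make_selfsigned "$work/server" ldap.example.test
    make_selfsigned "$work/other" unrelated-ca.example.test
    echo "trust store without the server cert (as smbd sees it):"
    verify_against "$work/server/cert.pem" "$work/other/cert.pem"
    echo "server cert installed as trust anchor:"
    verify_against "$work/server/cert.pem" "$work/server/cert.pem"
    echo "ldap.conf lines to add:"
    suggested_ldap_conf /etc/openldap/cacerts/ldap-server.pem
    rm -rf "$work"
}

demo
```

Copy the server certificate (not its key) to the `TLS_CACERT` path on the Samba host; with `TLS_REQCERT demand` the connection is still refused if the certificate ever changes, which `TLS_REQCERT never` would silently accept.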

