[Samba] Password Change Problem

Jim Summers jsummers at cs.ou.edu
Tue Aug 1 16:22:31 GMT 2006


I just finished troubleshooting a login problem with the user from the 
password change problem below.  He could not login today.  It eventually was 
discovered that he could login with the new password he was changing to when 
the messages below were being generated.

We did not think the password change was successful because on the windows 
machine he is using he was getting errors during the transaction yesterday.

So it appears that smbd is not handling the return code from the self-signed 
properly or it needs to be able to ignore the verification somehow similar to 
how the /etc/ldap.conf / openldap does.

Ideas / Suggestions?


Jim Summers wrote:
> Hello List,
> I am attempting to resolve a problem with my samba / ldap setup when a 
> user attempts to change their samba password.  I am running smbd 
> version: 3.0.22 on RHEL4.  When a user attempts to change their windows 
> password the following shows up in the smbd.log file:
> ldapsam_modify_entry: LDAP Password could not be changed for user sland: 
> Confidentiality required
>         Operation requires a secure connection.
> Since my ldap server is setup with ldaps using a self-signed certificate 
> I figured all I need to do is turn ssl on with:
> ldap ssl = on
> and the passdb backend set with "ldap://host"
> but that still returned the same error messages in the log.
> Next I tried changing the passdb backend to use "ldaps://host"
> but then I started getting the following message in the log:
>  LDAP error: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (Time
> limit exceeded)
> and using:  openssl s_client -connect server-cert:636 -showcerts -state
> ends with: Verify return code: 19 (self signed certificate in 
> certificate chain)
> Which works ok with /etc/ldap.conf by turning off certificate checking.
> So I am not sure which way to go at this point.  Since the ldap 
> authentication  for the operating system works through ldaps with no 
> problem, I have it set to not verify the certificate in ldap.conf, then 
> it seems I need to be able to tell samba to not verify the certificate? 
> I looked through the docs and did not see a parameter for that.  Is 
> there such a parameter.
> Any ideas or suggestions?

Jim Summers
School of Computer Science-University of Oklahoma

More information about the samba mailing list