[Samba] changing password on samba bdc

Lukasz Stelmach lukasz.stelmach at telmark.waw.pl
Wed Mar 8 19:36:46 GMT 2006


Greetings All.

First let me describe my situation:

Machine1: Pdc Samba + OpenLDAP(master)

Machine2: Bdc Samba + OpenLDAP(slave)

LDAP stores Samba and POSIX information for each user.

Case1: I log in to Machine1 and invoke smbpasswd. I change
my passwords (Samba and POSIX) without any problem. In the next
few seconds they get propagated to Machine2, where I can log in
with the new credentials.

The LDAP log says:

conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi) 
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128 
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0 
conn=327 op=0 RESULT tag=97 err=0 text= 
conn=327 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 
conn=327 op=1 SRCH attr=supportedControl 
conn=327 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=327 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
conn=327 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
conn=327 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 
#
#conn=328 is made via nss_ldap
#
conn=328 fd=27 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi) 
conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" method=128 
conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" mech=SIMPLE ssf=0 
conn=328 op=0 RESULT tag=97 err=0 text= 
conn=328 op=1 SRCH base="ou=People,o=example,c=xx" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))" 
conn=328 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass 
conn=328 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=328 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))" 
conn=328 op=2 SRCH attr=gidNumber 
conn=328 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text= 
conn=328 op=3 ABANDON msg=3 

conn=327 op=3 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))" 
conn=327 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
conn=327 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=327 op=5 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1001))" 
conn=327 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
conn=327 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=327 op=6 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
conn=327 op=6 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
conn=327 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=328 op=4 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))" 
conn=328 op=4 SRCH attr=gidNumber 
conn=328 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text= 
conn=328 op=5 ABANDON msg=5 
conn=327 op=7 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
conn=327 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
conn=327 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= 
#
#it seems to be here where the modifications start
#
conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx" 
conn=327 op=8 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet 
conn=327 op=8 RESULT tag=103 err=0 text= 
conn=327 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 
conn=327 op=9 SRCH attr=supportedExtension 
conn=327 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= 
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new 
conn=327 op=10 RESULT oid= err=0 text= 
conn=327 fd=26 closed (connection lost) 
conn=328 fd=27 closed (connection lost) 

Case2: I log in to Machine2 and invoke smbpasswd. I get
"Password changed for user jdoe", but quite heavy problems emerge.
From then on I can't log in to Machine1 or Machine2, neither with
smbclient nor with ssh (which uses the POSIX data).

Case2, the answer: LDAP debug logs claim that Samba gives invalid
credentials while trying to bind. Everything calms down when
I "refresh" Sambaroot's (that is the user I put as "ldap admin dn"
in smb.conf) password with ldappasswd using the value stored in
/etc/samba/private/secrets.tdb. It looks like instead of changing
my password Samba changes its own :-( When I fix it I can log in to
the machines with smbclient but...  I discover that my POSIX password
(userPassword) hasn't changed.  I have to use the old one.

The LDAP log says:
conn=313 fd=26 ACCEPT from IP=10.1.2.7:2263 (IP=10.1.2.4:389)
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=313 op=0 RESULT tag=97 err=0 text=
conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=313 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
conn=313 op=1 RESULT tag=103 err=0 text=
conn=313 op=2 UNBIND
conn=313 fd=26 closed
conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=314 op=0 RESULT tag=97 err=0 text=
#
# why does it happen that there is no id=... like above?
#
conn=314 op=1 PASSMOD
#
conn=314 op=1 RESULT oid= err=0 text=
conn=314 op=2 UNBIND
conn=314 fd=26 closed

Case3: I log in to Machine2 and invoke smbpasswd -r Machine1.
Everything is OK, like in the first case. The logs of course look
the same too.

Please CC, I am not a subscriber.
-- 
Have a nice day
>Łukasz<
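As an added example (mine, not code from the post, from Samba or from OpenLDAP), here is a small log check that makes the difference between Case 1 and Case 2 mechanical: it replays the slapd stats-style lines quoted above, tracks the DN bound on each connection, and flags every PASSMOD that carries no id=. RFC 3062 specifies that a Password Modify request without a userIdentity applies to the identity currently bound on that connection, so an id-less PASSMOD sent over a connection bound as the "ldap admin dn" rewrites that admin account's own password. The check also lists which *Password attributes each ordinary MOD touched, so the absence of userPassword is visible at a glance. The sample lines are copied from the post (Case 1 is conn=327, Case 2 is conn=313/314); the regular expressions assume the OpenLDAP loglevel stats format shown there and nothing else.

```python
"""Flag LDAP Password Modify (RFC 3062) operations that carry no
userIdentity, i.e. that change the *bound* DN's own password, and list
which password attributes an ordinary MOD touched.  Parses the OpenLDAP
"stats" log format quoted in the post.  Added example, not from the post."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the two cases from the post,
# Case 1 (conn=327, smbpasswd run on the PDC) and Case 2 (conn=313/314,
# smbpasswd run on the BDC).
SAMPLE_LOG = """\
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=327 op=8 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
conn=327 op=10 RESULT oid= err=0 text=
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=313 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
conn=313 op=2 UNBIND
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=1 PASSMOD
conn=314 op=1 RESULT oid= err=0 text=
conn=314 op=2 UNBIND
"""

BIND_RE = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]*)" method=\d+')
UNBIND_RE = re.compile(r'^conn=(\d+) op=\d+ UNBIND')
PASSMOD_RE = re.compile(r'^conn=(\d+) op=(\d+) PASSMOD(?: id="([^"]*)")?')
MOD_ATTR_RE = re.compile(r'^conn=(\d+) op=(\d+) MOD attr=(.*)$')


@dataclass
class PassMod:
    conn: str
    op: str
    bound_dn: str
    target_dn: str    # the entry whose password the server will change
    explicit_id: bool


def analyze(lines):
    """Return one PassMod per PASSMOD line, resolving the real target DN.

    RFC 3062: when userIdentity is absent the server uses the identity
    currently bound on the connection, so a PASSMOD logged without id=
    means "this connection's own bind DN".
    """
    bound = {}    # conn -> currently bound DN
    events = []
    for raw in lines:
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = UNBIND_RE.match(line)
        if m:
            bound.pop(m.group(1), None)
            continue
        m = PASSMOD_RE.match(line)
        if m:
            conn, op, ident = m.groups()
            dn = bound.get(conn, "<anonymous>")
            events.append(PassMod(conn, op, dn, ident if ident else dn, ident is not None))
    return events


def self_modifications(events):
    """PASSMODs that end up changing the bound DN's own password."""
    return [e for e in events if e.target_dn == e.bound_dn]


def password_attrs_modified(lines):
    """Map conn -> set of *Password attributes named in MOD attr lines."""
    touched = {}
    for raw in lines:
        m = MOD_ATTR_RE.match(raw.strip())
        if m:
            attrs = {a for a in m.group(3).split() if a.lower().endswith("password")}
            touched.setdefault(m.group(1), set()).update(attrs)
    return touched


def report(lines):
    """Human-readable findings, one line per PASSMOD and per MOD connection."""
    out = []
    for e in analyze(lines):
        how = "explicit id" if e.explicit_id else "NO id -> bound identity"
        flag = "  <-- changes the admin DN's own password!" if e.target_dn == e.bound_dn else ""
        out.append(f"conn={e.conn} op={e.op} PASSMOD bound={e.bound_dn} target={e.target_dn} ({how}){flag}")
    for conn, attrs in sorted(password_attrs_modified(lines).items()):
        note = "" if "userPassword" in attrs else "  (userPassword untouched)"
        out.append(f"conn={conn} MOD touched {sorted(attrs)}{note}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run against the sample, it reports conn=327's PASSMOD as targeting cn=John Doe (explicit id) and conn=314's PASSMOD as targeting cn=Sambaroot (no id, bound identity), and both MODs as touching only sambaLMPassword and sambaNTPassword with userPassword untouched, which is exactly the combination the poster describes for Case 2. The same check can be pointed at a live slapd stats log to catch any client that issues an id-less PASSMOD while bound as a privileged DN.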

