[Samba] changing password on samba bdc

Pavan p.krishna at diversityarrays.com
Thu Mar 9 03:34:09 GMT 2006


I am not a Samba guru, but I have done something similar for testing 
before. The problem is caused when you are changing the password on 
Machine 2, which is a slave: it is READ ONLY, and the changes you 
make will not be updated or reflected in the original copy. And the 
LDAP credentials of the slave will not be written to the database. All 
the changes have to be passed on from the master database.

Lukasz Stelmach wrote:
> Greetings All.
>
> First let me introduce my situation
>
> Machine1: Pdc Samba + OpenLDAP(master)
>
> Machine2: Bdc Samba + OpenLDAP(slave)
>
> LDAP stores Samba and POSIX information for each user.
>
> Case1: I login to Machine1 and invoke smbpasswd. I change
> my passwords (samba and posix, without any problem). In the next
> few seconds they get propagated to Machine2, where I can login
> with the new credentials.
>
> ldap log says
>
> conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi) 
> conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128 
> conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0 
> conn=327 op=0 RESULT tag=97 err=0 text= 
> conn=327 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 
> conn=327 op=1 SRCH attr=supportedControl 
> conn=327 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=327 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
> conn=327 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
> conn=327 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> #
> #conn=328 is made via nss_ldap
> #
> conn=328 fd=27 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi) 
> conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" method=128 
> conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" mech=SIMPLE ssf=0 
> conn=328 op=0 RESULT tag=97 err=0 text= 
> conn=328 op=1 SRCH base="ou=People,o=example,c=xx" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))" 
> conn=328 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass 
> conn=328 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=328 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))" 
> conn=328 op=2 SRCH attr=gidNumber 
> conn=328 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text= 
> conn=328 op=3 ABANDON msg=3 
>
> conn=327 op=3 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))" 
> conn=327 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
> conn=327 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=327 op=5 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1001))" 
> conn=327 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass 
> conn=327 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=327 op=6 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
> conn=327 op=6 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
> conn=327 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=328 op=4 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))" 
> conn=328 op=4 SRCH attr=gidNumber 
> conn=328 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text= 
> conn=328 op=5 ABANDON msg=5 
> conn=327 op=7 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" 
> conn=327 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp 
> conn=327 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> #
> #it seems to be here where the modifications start
> #
> conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx" 
> conn=327 op=8 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet 
> conn=327 op=8 RESULT tag=103 err=0 text= 
> conn=327 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 
> conn=327 op=9 SRCH attr=supportedExtension 
> conn=327 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= 
> conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new 
> conn=327 op=10 RESULT oid= err=0 text= 
> conn=327 fd=26 closed (connection lost) 
> conn=328 fd=27 closed (connection lost) 
>
> Case2: I login to Machine2 and invoke smbpasswd. I do get
> "Password changed for user jdoe", but quite heavy problems emerge.
> From now on I can't login to Machine1 or Machine2, neither with
> smbclient nor with ssh (which uses the POSIX data).
>
> Case2, the answer: LDAP debug logs claim that samba gives invalid
> credentials while trying to bind. Everything calms down when
> I "refresh" Sambaroot's password (that is the user I put as "ldap admin dn"
> in smb.conf) with ldappasswd, using the value stored in
> /etc/samba/private/secrets.tdb. It looks like instead of changing
> my password samba changes its own :-( When I fix it I can login to
> the machines with smbclient but... I discover that my POSIX password
> (userPassword) hasn't changed. I have to use the old one.
>
> ldap log says:
> conn=313 fd=26 ACCEPT from IP=10.1.2.7:2263 (IP=10.1.2.4:389)
> conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
> conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
> conn=313 op=0 RESULT tag=97 err=0 text=
> conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
> conn=313 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
> conn=313 op=1 RESULT tag=103 err=0 text=
> conn=313 op=2 UNBIND
> conn=313 fd=26 closed
> conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
> conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
> conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
> conn=314 op=0 RESULT tag=97 err=0 text=
> #
> # why it happens so that there is no id=... like above
> #
> conn=314 op=1 PASSMOD
> #
> conn=314 op=1 RESULT oid= err=0 text=
> conn=314 op=2 UNBIND
> conn=314 fd=26 closed
>
> Case3: I login to Machine2 and invoke smbpasswd -r Machine1.
> Everything is OK, like in the first case. The logs, of course,
> also look the same.
>
> Please CC, I am not a subscriber.
>   


-- 
Pavan Krishna L
Systems Administrator
Diversity Arrays Technology Pty Ltd
Ph:  +61 2 6281 8512
Fax: +61 2 6281 8533
Mob: +61 423 411 281
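The slapd access log Lukasz quoted for Case2 contains the one line that matters: "conn=314 op=1 PASSMOD" with no id="..." target, whereas the working Case1 run logged PASSMOD id="cn=John Doe,...". The LDAP Password Modify extended operation (RFC 3062) applies to the currently bound identity when no userIdentity is sent, so a targetless PASSMOD on a connection bound as the "ldap admin dn" rewrites the admin's own password. The script below is an added example, not code from the thread or from Samba or OpenLDAP: it scans slapd log lines for two things a practitioner would want flagged, a PASSMOD with no target on a connection bound as the admin DN, and a SIMPLE bind with ssf=0 by the admin DN arriving over TCP (IP=...) rather than the local ldapi socket, which means the admin password crossed the network in the clear. The sample log is constructed from a condensed subset of the lines quoted above; the admin DN matches the one in the thread.

```python
"""Flag risky admin-DN operations in OpenLDAP slapd access logs (added example)."""
import re

# Assumed from the thread: Samba's "ldap admin dn".
ADMIN_DN = 'cn=Sambaroot,o=example,c=xx'

# Constructed sample: a condensed subset of the slapd lines quoted in the thread.
SAMPLE_LOG = """\
conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=327 op=0 RESULT tag=97 err=0 text=
conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=327 op=8 RESULT tag=103 err=0 text=
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
conn=327 op=10 RESULT oid= err=0 text=
conn=327 fd=26 closed (connection lost)
conn=313 fd=26 ACCEPT from IP=10.1.2.7:2263 (IP=10.1.2.4:389)
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=313 op=0 RESULT tag=97 err=0 text=
conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=313 op=1 RESULT tag=103 err=0 text=
conn=313 op=2 UNBIND
conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=314 op=0 RESULT tag=97 err=0 text=
conn=314 op=1 PASSMOD
conn=314 op=1 RESULT oid= err=0 text=
conn=314 op=2 UNBIND
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from (\S+) ')
# slapd logs a BIND twice: first with method=, then with mech=/ssf=.
BIND_DN_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')
BIND_MECH_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
# The id="..." part is optional; without it, Password Modify acts on the bound DN.
PASSMOD_RE = re.compile(r'conn=(\d+) op=(\d+) PASSMOD(?: id="([^"]*)")?')


def _conn(conns, cid):
    """Per-connection state, created lazily for log fragments missing the ACCEPT."""
    return conns.setdefault(cid, {"peer": None, "dn": None, "mech": None, "ssf": None})


def scan(log_text, admin_dn=ADMIN_DN):
    """Return a list of findings (dicts) for the given slapd log text."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = ACCEPT_RE.search(line)
        if m:
            _conn(conns, m.group(1))["peer"] = m.group(2)
            continue
        m = BIND_DN_RE.search(line)
        if m:
            _conn(conns, m.group(1))["dn"] = m.group(2)
            continue
        m = BIND_MECH_RE.search(line)
        if m:
            c = _conn(conns, m.group(1))
            c["mech"], c["ssf"] = m.group(2), int(m.group(3))
            over_tcp = c["peer"] is not None and not c["peer"].startswith("PATH=")
            # ldapi (PATH=) is a local Unix socket, so ssf=0 is harmless there;
            # a SIMPLE bind with ssf=0 over IP sends the admin password in clear.
            if c["dn"] == admin_dn and c["mech"] == "SIMPLE" and c["ssf"] == 0 and over_tcp:
                findings.append({"kind": "cleartext-admin-bind-over-tcp",
                                 "conn": m.group(1), "peer": c["peer"]})
            continue
        m = PASSMOD_RE.search(line)
        if m:
            cid, op, target = m.groups()
            c = _conn(conns, cid)
            if target is None:
                # RFC 3062: no userIdentity means "the bound user", i.e. the admin DN here.
                findings.append({"kind": "passmod-no-target", "conn": cid, "op": op,
                                 "affected_dn": c["dn"], "peer": c["peer"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(" ".join(f"{k}={v}" for k, v in f.items()))
```

Run against the sample, the script reports connections 313 and 314 for the cleartext admin bind and connection 314 op 1 for the targetless PASSMOD, with affected_dn equal to the admin DN; the ldapi connection 327, whose PASSMOD names John Doe explicitly, produces nothing.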