[Samba] sambaPwdCanChange and sambaPwdMustChange (WAS: ldap passwd sync only)
Thierry Lacoste
lacoste at miage.univ-paris12.fr
Thu Aug 16 18:22:55 GMT 2007
On Wednesday 15 August 2007 01:59, Michal Bruncko wrote:
> Hello
>
> I have exactly the same trouble as described here:
> http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on
> samba-3.0.25b-2.fc7.
> When I set "ldap passwd sync" to "only" and I change password on some ldap
> samba user, password in attribute userPassword is never changed by samba
> daemon (to update NT and LM password I use smbk5pwd overlay). If I set pwd
> sync to "On", both attributes (NT&LM and userPassword) were updated
> successfully.

I have not been able to make 3.0.25 change the sambaPwdCanChange and
sambaPwdMustChange attributes when changing a password from Windows.
This may explain the problem with ldap passwd sync = only, as demonstrated
by a log level 10:
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
ldapsam_update_sam_account: user lacoste to be modified has dn:
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
Returning valid cache entry: key = ACCT_POL/maximum password age, value =
4294967295
, timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
ldapsam_update_sam_account: mods is empty: nothing to update for user:
lacoste
Here's a log level 10 on 3.0.22:
[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
ldapsam_update_sam_account: user lacoste to be modified has dn:
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |
1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP
database
I tried to play with account policies but with no success.
Did I miss something?
How can I trigger a change of sambaPwdCanChange and sambaPwdMustChange?
Regards,
Thierry.
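
An added example, not part of the original message or of Samba: a small Python parser for the debug-log format shown above that groups records by ldapsam_update_sam_account call and reports which LDAP attributes each call modified, or that its modification list was empty. The function names are illustrative, and the sample input is abridged from the two excerpts in the message.

```python
import re

# Samba debug record header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*\d+\] \S+?:(\w+)\(\d+\)$")
MOD = re.compile(r"smbldap_make_mod: (?:adding|deleting) attribute \|(\w+)\|")
START = re.compile(r"user (\S+) to be modified")

def records(text):
    """Return [timestamp, function, message] lists; wrapped message lines are joined."""
    recs = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            recs.append([m.group(1), m.group(2), ""])
        elif recs and line:
            recs[-1][2] = (recs[-1][2] + " " + line).strip()
    return recs

def summarize_updates(text):
    """One dict per ldapsam_update_sam_account call seen in the log."""
    updates = []
    for ts, func, msg in records(text):
        start = START.search(msg) if func == "ldapsam_update_sam_account" else None
        if start:
            updates.append({"time": ts, "user": start.group(1),
                            "attrs": set(), "empty": False})
        elif updates and func == "smbldap_make_mod" and (m := MOD.search(msg)):
            updates[-1]["attrs"].add(m.group(1))
        elif updates and "mods is empty" in msg:
            updates[-1]["empty"] = True
    return updates

# Sample input abridged from the two excerpts quoted in the message above.
SAMPLE = """\
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
ldapsam_update_sam_account: user lacoste to be modified has dn:
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
ldapsam_update_sam_account: mods is empty: nothing to update for user:
lacoste
[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
ldapsam_update_sam_account: user lacoste to be modified has dn:
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |
1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
"""
```

Calling `summarize_updates(SAMPLE)` returns two entries: the 3.0.25 call flagged as empty with no attributes, and the 3.0.22 call with `sambaPwdMustChange` modified.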