[Samba] sambaPwdCanChange and sambaPwdMustChange (WAS: ldap passwd sync only)

Thierry Lacoste lacoste at miage.univ-paris12.fr
Thu Aug 16 18:22:55 GMT 2007


On Wednesday 15 August 2007 01:59, Michal Bruncko wrote:
> Hello
>
> I have exactly the same trouble as described here:
> http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on
> samba-3.0.25b-2.fc7.
> When I set "ldap passwd sync" to "only" and I change password on some ldap
> samba user, password in attribute userPassword is never changed by samba
> daemon (to update NT and LM password I use smbk5pwd overlay). If I set pwd
> sync to "On", both attributes (NT&LM and userPassword) were updated
> successfully.
I have not been able to make 3.0.25 change the sambaPwdCanChange and 
sambaPwdMustChange attributes when changing a password from windows.
This may explain the problem with ldap passwd sync = only as demonstrated
by a log level 10:

[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 
4294967295
  , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste

Here's a log level 10 on 3.0.22:
[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database

I tried to play with account policies but with no success.
Did I miss something?
How can I trigger a change of sambaPwdCanChange and sambaPwdMustChange?

Regards,
Thierry.
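
Added example, not part of the original post and not Samba code: a small Python parser for log level 10 traces like the two quoted above. It groups records per ldapsam_update_sam_account call, lists the smbldap_make_mod attribute changes, and flags the "mods is empty" case seen on 3.0.25. The function names and the abridged sample are constructed for illustration, and the sambaPwd* values are assumed to be seconds since the Unix epoch.

```python
import re
from datetime import datetime, timezone

# Record header in these traces: [date time, level] file:function(line)
HEADER = re.compile(r"^\s*\[[\d/]+ [\d:]+,\s*\d+\] \S+:(\w+)\(\d+\)\s*$")
TARGET = re.compile(r"user (\S+) to be modified has dn")
MOD = re.compile(r"(adding|deleting) attribute \|(\w+)\| values? \|\s*(\d+)\|")

# Abridged from the two traces quoted in the post; mail line-wrapping kept.
SAMPLE = """\
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn:
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user:
lacoste
 [2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn:
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |
1218662144|
"""

def parse_records(text):
    """Return [function, message] pairs, joining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        if (head := HEADER.match(line)):
            records.append([head.group(1), ""])
        elif records and line.strip():
            records[-1][1] += line.strip() + " "
    return records

def summarize_updates(text):
    """One dict per ldapsam_update_sam_account call: user, LDAP mods, empty flag."""
    updates = []
    for func, msg in parse_records(text):
        if (target := TARGET.search(msg)):
            updates.append({"user": target.group(1), "mods": [], "empty": False})
        elif updates and func == "smbldap_make_mod":
            updates[-1]["mods"] += [(a, n, int(v)) for a, n, v in MOD.findall(msg)]
        elif updates and "mods is empty" in msg:
            updates[-1]["empty"] = True
    return updates

def as_utc(epoch):  # assumption: sambaPwd* values are Unix epoch seconds
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
```

Calling summarize_updates() on a full smbd log gives one entry per account update, so a password change that produced no LDAP modification shows up as an entry with an empty mods list and the empty flag set.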


