[Samba] pdbedit password policy - not updating ldapsam

Stefan Schmitz stevie-s at gmx.de
Fri Feb 16 14:41:00 GMT 2007


Hi Jamurph,

I think replication of password policies to LDAP started with Samba
3.0.23d. Before this version you have to export them from the PDC to the
LDAP server by

pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

pdbedit -y -i ldapsam -e tdbsam

Regards, Stefan

jamurph schrieb:
> I have Samba and LDAP up and running, but I'm having problems editing the
> password policy using pdbedit. 
> 
> (I'm running 3.0.22)
> 
> I've had a look at the man page for pdbedit but I don't really fully
> understand what it does in relation to passwd backends. Does pdbedit update
> just one backend and expect a user to export the updates to other backends? 
> 
> I think I've set up ldap as my default backend - but pdbedit doesn't update
> it. It looks like it's updating some other backend. I guess my smb.conf
> (attached) isn't configured correctly? How do I find out which one it's
> updating? I can also see a reference to pdbedit backend guest in the logs,
> but I don't understand why pdbedit is looking for this.
> 
> I tried the following command: 
>  pdbedit -P "min password length" -C 7 -d 10
> 
> This is a snippet of the logs:
>   The LDAP server is succesfully connected
>   pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
>   Attempting to find an passdb backend to match guest (guest)
>   Found pdb backend guest
>   pdb backend guest has a valid init
>   account_policy_get: min password length:7
>   account policy value for min password length was 7
>   account_policy_set: min password length:7
>   account policy value for min password length is now 7
> 
> I'm guessing it's taking these values from
> /var/lib/samba/account_policy.tdb, it's not taking them from ldap - because
> it doesn't change sambaMinPwdLength
> 
> I can see a search happening in the ldap logs, but I don't see any updates -
> is this expected behaviour?
> 
> I believe I need to run the following command to update LDAP?
>  pdbedit -y -i tdbsam -e ldapsam -d 10
> 
> However, when I do this, I get the following error message (more of the log
> is attached, but this is the part I think is failing)
> 
>  Attempting to find an passdb backend to match guest (guest)
>  Found pdb backend guest
>  pdb backend guest has a valid init
>  called with username="(null)"
>  tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No
> such file or directory
>  Unable to open/create TDB passwd
>  Can't sampwent!
> 
> 
> When configuring Samba initially, I had some problems, so I followed some
> instructions and deleted the following
> 
>  rm /etc/samba/*tdb
>  rm /var/lib/samba/*tdb
>  rm /var/lib/samba/*dat
>  rm /var/log/samba/*
> 
> as a result passdb.tdb no longer exists, and didn't get re-created. Is there any
> way I can recreate this file? Is this the cause of my problems?
> 
> Any help much appreciated, I've attached more details in case they are
> needed
> 
> 
> -------------- LDAP Entry ------------------------------------
> 
> dn: sambaDomainName=BLAHDEV,dc=example,dc=org
> sambaDomainName: BLAHDEV
> sambaMinPwdAge: 0
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaPwdHistoryLength: 0
> sambaNextGroupRid: 67109863
> uidNumber: 1005
> sambaLogonToChgPwd: 0
> sambaLockoutDuration: 30
> sambaMaxPwdAge: -1
> sambaForceLogoff: -1
> sambaLockoutThreshold: 0
> gidNumber: 1000
> sambaSID: S-1-5-21-317703500-4181503002-770181164
> sambaNextUserRid: 67109862
> sambaMinPwdLength: 5
> sambaRefuseMachinePwdChange: 0
> sambaAlgorithmicRidBase: 1000
> sambaLockoutObservationWindow: 30
> 
> 
> 
> ---------------- SMB.CONF -----------------------------------
> [global]
>    workgroup = BLAHDEV
>    netbios name = BLAHDEV-PDC
>    security = user
>    server string = Samba Server
>    log level = 2
>    syslog = 0
>    log file = /var/log/samba/%m.log
>    max log size = 100000
>    time server = Yes
>    logon home = ""
>    logon path = ""
>    domain logons = Yes
>    domain master = Yes
>    os level = 65
>    preferred master = Yes
>    wins support = yes
>    encrypt passwords = Yes
>    # unix password sync = Yes
>    passwd program = /usr/sbin/ldap_userPassword_change %u
>    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
> *Result**Success****
>    # Crackcheck settings to allow NT style password complexity checks
>    check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
>    passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
>    ldap admin dn = cn=Manager,dc=example,dc=org
>    ldap suffix = dc=example,dc=org
>    ldap group suffix = ou=Groups
>    ldap user suffix = ou=Users
>    ldap machine suffix = ou=Computers
>    ldap idmap suffix = ou=Idmap
>    idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
>    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>    delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
>    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u"
> "%g"
>    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
>    idmap uid = 16777216-33554431
>    idmap gid = 16777216-33554431
>    template shell = /bin/false
>    winbind use default domain = no
> 
> 
> 
> ------------ FULL LOG FILE FOR PDBEDIT --------------------
> 
> [root at devpc-tm1 samba]# pdbedit -y -i tdbsam -e ldapsam -d 10
> INFO: Current debug levels:
>   all: True/10
>   tdb: False/0
>   printdrivers: False/0
>   lanman: False/0
>   smb: False/0
>   rpc_parse: False/0
>   rpc_srv: False/0
>   rpc_cli: False/0
>   passdb: False/0
>   sam: False/0
>   auth: False/0
>   winbind: False/0
>   vfs: False/0
>   idmap: False/0
>   quota: False/0
>   acls: False/0
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = BLAHDEV
> doing parameter netbios name = BLAHDEV-PDC
> handle_netbios_name: set global_myname to: BLAHDEV-PDC
> doing parameter security = user
> doing parameter server string = Samba Server
> doing parameter log level = 2
> doing parameter syslog = 0
> doing parameter log file = /var/log/samba/%m.log
> doing parameter max log size = 100000
> doing parameter time server = Yes
> doing parameter logon home = ""
> doing parameter logon path = ""
> doing parameter domain logons = Yes
> doing parameter domain master = Yes
> doing parameter os level = 65
> doing parameter preferred master = Yes
> doing parameter wins support = yes
> doing parameter encrypt passwords = Yes
> doing parameter passwd program = /usr/sbin/ldap_userPassword_change %u
> doing parameter passwd chat = *New*password* %n\n *Re-enter*new*password*
> %n\n *Result**Success****
> doing parameter check password script = /sbin/crackcheck -c -d
> /usr/lib/cracklib_dict
> doing parameter passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
> doing parameter ldap admin dn = cn=Manager,dc=example,dc=org
> doing parameter ldap suffix = dc=example,dc=org
> doing parameter ldap group suffix = ou=Groups
> doing parameter ldap user suffix = ou=Users
> doing parameter ldap machine suffix = ou=Computers
> doing parameter ldap idmap suffix = ou=Idmap
> doing parameter idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
> doing parameter add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> doing parameter delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> doing parameter add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1
> -w "%u"
> doing parameter add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> doing parameter add user to group script = /opt/IDEALX/sbin/smbldap-groupmod
> -m "%u" "%g"
> doing parameter delete user from group script =
> /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> doing parameter set primary group script = /opt/IDEALX/sbin/smbldap-usermod
> -g '%g' '%u'
> doing parameter idmap uid = 16777216-33554431
> doing parameter idmap gid = 16777216-33554431
> doing parameter template shell = /bin/false
> doing parameter winbind use default domain = no
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> set_server_role: role = ROLE_DOMAIN_PDC
> Attempting to register new charset UCS-2LE
> Registered charset UCS-2LE
> Attempting to register new charset UTF-16LE
> Registered charset UTF-16LE
> Attempting to register new charset UCS-2BE
> Registered charset UCS-2BE
> Attempting to register new charset UTF-16BE
> Registered charset UTF-16BE
> Attempting to register new charset UTF8
> Registered charset UTF8
> Attempting to register new charset UTF-8
> Registered charset UTF-8
> Attempting to register new charset ASCII
> Registered charset ASCII
> Attempting to register new charset 646
> Registered charset 646
> Attempting to register new charset ISO-8859-1
> Registered charset ISO-8859-1
> Attempting to register new charset UCS2-HEX
> Registered charset UCS2-HEX
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to register passdb backend guest
> Successfully added passdb backend 'guest'
> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1
> ldap://ldap-2 (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter =>
> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as
> "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Netbios name list:-
> my_netbios_names[0]="BLAHDEV-PDC"
> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1
> ldap://ldap-2 (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter =>
> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as
> "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Trying to load: tdbsam
> Attempting to find an passdb backend to match tdbsam (tdbsam)
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Trying to load: ldapsam
> Attempting to find an passdb backend to match ldapsam (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter =>
> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://localhost
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://localhost as
> "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> called with username="(null)"
> tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No
> such file or directory
> Unable to open/create TDB passwd
> Can't sampwent!
> 
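A check for the mismatch jamurph describes, added here as an example that is not part of the thread or of Samba itself: it parses the sambaDomain entry (sample copied from the LDAP entry in the thread) and compares it with the values pdbedit reports locally, so drift between account_policy.tdb and ldapsam shows up before it bites. Only "min password length" appears in the thread; the other policy names and their sambaDomain attribute pairs are assumed from Samba's account-policy table.

```python
import re

# pdbedit -P policy name -> sambaDomain attribute. "min password length" is
# from the thread; the remaining pairs are assumed from Samba's policy table.
POLICY_ATTRS = {
    "min password length": "sambaMinPwdLength",
    "password history": "sambaPwdHistoryLength",
    "user must logon to change password": "sambaLogonToChgPwd",
    "maximum password age": "sambaMaxPwdAge",
    "minimum password age": "sambaMinPwdAge",
    "lockout duration": "sambaLockoutDuration",
    "reset count minutes": "sambaLockoutObservationWindow",
    "bad lockout attempt": "sambaLockoutThreshold",
    "disconnect time": "sambaForceLogoff",
    "refuse machine password change": "sambaRefuseMachinePwdChange",
}

# Constructed sample: the sambaDomain entry posted in the thread, trimmed
# to the attributes that matter here. Replace with `ldapsearch -LLL` output.
SAMPLE_LDIF = """dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaDomainName: BLAHDEV
objectClass: sambaDomain
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaForceLogoff: -1
sambaLockoutThreshold: 0
sambaMinPwdLength: 5
sambaRefuseMachinePwdChange: 0
sambaLockoutObservationWindow: 30
"""

# Constructed: values the PDC reports via `pdbedit -P "<policy>"`.
# The 7 is what jamurph set; LDAP still carries 5.
LOCAL_POLICIES = {"min password length": 7, "lockout duration": 30,
                  "maximum password age": -1}

def parse_ldif_policies(ldif):
    """Return {attribute: int} for policy attributes of a sambaDomain entry."""
    wanted = set(POLICY_ATTRS.values())
    found = {}
    for line in ldif.splitlines():
        m = re.match(r"^(\w+):\s*(-?\d+)\s*$", line)  # plain integer attrs only
        if m and m.group(1) in wanted:
            found[m.group(1)] = int(m.group(2))
    return found

def policy_drift(local, ldif):
    """Return {policy: (local value, ldap value)} for every mismatch."""
    ldap_vals = parse_ldif_policies(ldif)
    return {p: (v, ldap_vals.get(POLICY_ATTRS[p]))
            for p, v in local.items() if ldap_vals.get(POLICY_ATTRS[p]) != v}

if __name__ == "__main__":
    for policy, (tdb, ldap) in policy_drift(LOCAL_POLICIES, SAMPLE_LDIF).items():
        print(f"DRIFT {policy}: account_policy.tdb={tdb} ldapsam={ldap}")
```

An empty result after `pdbedit -y -i tdbsam -e ldapsam` confirms the export reached the directory; a non-empty one means BDCs reading ldapsam still enforce the old policy.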


