[Samba] pdbedit password policy - not updating ldapsam

Michael Gasch gasch at eva.mpg.de
Sat Feb 17 12:01:33 GMT 2007


hi stefan,

 > I think replication of password policies to ldap started as of Samba
where did you find this information?
couldn't find anything in the release notes...

micha

Stefan Schmitz wrote:
> Hi Jamurph,
> 
> I think replication of password policies to ldap started as of Samba
> 3.0.23d. Before this version you have to export them from the PDC to the
> LDAP-Server by
> 
> pdbedit -y -i tdbsam -e ldapsam
> 
> and import them on all BDCs with
> 
> pdbedit -y -i ldapsam -e tdbsam
> 
> Regards Stefan
> 
> 
> jamurph schrieb:
>> I have Samba and LDAP up and running, but I'm having problems editing the
>> password policy using pdbedit. 
>>
>> (I'm running 3.0.22)
>>
>> I've had a look at the man page for pdbedit but I don't really fully
>> understand what it does in relation to passwd backends. Does pdbedit update
>> just one backend and expect a user to export the updates to other backends? 
>>
>> I think I've set up ldap as my default backend - but pdbedit doesn't update
>> it. It looks like its updating some other backend. I guess my smb.conf
>> (attached) isn't configured correctly? How do I find out which one it's
>> updating?. I can also see a reference to pdbedit backend guest in the logs,
>> but I don't understand why pdbedit is looking for this.
>>
>> I tried the following command: 
>>  pdbedit -P "min password length" -C 7 -d 10
>>
>> This is a snippet of the logs:
>>   The LDAP server is succesfully connected
>>   pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
>>   Attempting to find an passdb backend to match guest (guest)
>>   Found pdb backend guest
>>   pdb backend guest has a valid init
>>   account_policy_get: min password length:7
>>   account policy value for min password length was 7
>>   account_policy_set: min password length:7
>>   account policy value for min password length is now 7
>>
>> I'm guessing it's taking these values from
>> /var/lib/samba/account_policy.tdb, it's not taking them from ldap - because
>> it doesn't change sambaMinPwdLength
>>
>> I can see a search happening in the ldap logs, but I don't see any updates -
>> is this expected behaviour?
>>
>> I believe I need to run the following command to update LDAP?
>>  pdbedit -y -i tdbsam -e ldapsam -d 10
>>
>> However, when I do this, I get the following error message (more of log
>> attached - but this is part I think is failing)
>>
>>  Attempting to find an passdb backend to match guest (guest)
>>  Found pdb backend guest
>>  pdb backend guest has a valid init
>>  called with username="(null)"
>>  tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No
>> such file or directory
>>  Unable to open/create TDB passwd
>>  Can't sampwent!
>>
>>
>> When configuring Samba initially, I had some problems, so I followed some
>> instructions and deleted the following
>>
>>  rm /etc/samba/*tdb
>>  rm /var/lib/samba/*tdb
>>  rm /var/lib/samba/*dat
>>  rm /var/log/samba/*
>>
>> as a result passdb.tdb is no longer, and didn't get re-created. Is there any
>> way I can recreate this file? Is this the cause of my problems?
>>
>> Any help much appreciated, I've attached more details in case they are
>> needed
>>
>>
>> -------------- LDAP Entry ------------------------------------
>>
>> dn: sambaDomainName=BLAHDEV,dc=example,dc=org
>> sambaDomainName: BLAHDEV
>> sambaMinPwdAge: 0
>> objectClass: top
>> objectClass: sambaDomain
>> objectClass: sambaUnixIdPool
>> sambaPwdHistoryLength: 0
>> sambaNextGroupRid: 67109863
>> uidNumber: 1005
>> sambaLogonToChgPwd: 0
>> sambaLockoutDuration: 30
>> sambaMaxPwdAge: -1
>> sambaForceLogoff: -1
>> sambaLockoutThreshold: 0
>> gidNumber: 1000
>> sambaSID: S-1-5-21-317703500-4181503002-770181164
>> sambaNextUserRid: 67109862
>> sambaMinPwdLength: 5
>> sambaRefuseMachinePwdChange: 0
>> sambaAlgorithmicRidBase: 1000
>> sambaLockoutObservationWindow: 30
>>
>>
>>
>> ---------------- SMB.CONF -----------------------------------
>> [global]
>>    workgroup = BLAHDEV
>>    netbios name = BLAHDEV-PDC
>>    security = user
>>    server string = Samba Server
>>    log level = 2
>>    syslog = 0
>>    log file = /var/log/samba/%m.log
>>    max log size = 100000
>>    time server = Yes
>>    logon home = ""
>>    logon path = ""
>>    domain logons = Yes
>>    domain master = Yes
>>    os level = 65
>>    preferred master = Yes
>>    wins support = yes
>>    encrypt passwords = Yes
>>    # unix password sync = Yes
>>    passwd program = /usr/sbin/ldap_userPassword_change %u
>>    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
>> *Result**Success****
>>    # Crackcheck settings to allow NT style password complexity checks
>>    check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
>>    passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
>>    ldap admin dn = cn=Manager,dc=example,dc=org
>>    ldap suffix = dc=example,dc=org
>>    ldap group suffix = ou=Groups
>>    ldap user suffix = ou=Users
>>    ldap machine suffix = ou=Computers
>>    ldap idmap suffix = ou=Idmap
>>    idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
>>    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>>    delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>>    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
>>    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>>    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>>    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u"
>> "%g"
>>    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
>>    idmap uid = 16777216-33554431
>>    idmap gid = 16777216-33554431
>>    template shell = /bin/false
>>    winbind use default domain = no
>>
>>
>>
>> ------------ FULL LOG FILE FOR PDBEDIT --------------------
>>
>> [root at devpc-tm1 samba]# pdbedit -y -i tdbsam -e ldapsam -d 10
>> INFO: Current debug levels:
>>   all: True/10
>>   tdb: False/0
>>   printdrivers: False/0
>>   lanman: False/0
>>   smb: False/0
>>   rpc_parse: False/0
>>   rpc_srv: False/0
>>   rpc_cli: False/0
>>   passdb: False/0
>>   sam: False/0
>>   auth: False/0
>>   winbind: False/0
>>   vfs: False/0
>>   idmap: False/0
>>   quota: False/0
>>   acls: False/0
>> lp_load: refreshing parameters
>> Initialising global parameters
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = BLAHDEV
>> doing parameter netbios name = BLAHDEV-PDC
>> handle_netbios_name: set global_myname to: BLAHDEV-PDC
>> doing parameter security = user
>> doing parameter server string = Samba Server
>> doing parameter log level = 2
>> doing parameter syslog = 0
>> doing parameter log file = /var/log/samba/%m.log
>> doing parameter max log size = 100000
>> doing parameter time server = Yes
>> doing parameter logon home = ""
>> doing parameter logon path = ""
>> doing parameter domain logons = Yes
>> doing parameter domain master = Yes
>> doing parameter os level = 65
>> doing parameter preferred master = Yes
>> doing parameter wins support = yes
>> doing parameter encrypt passwords = Yes
>> doing parameter passwd program = /usr/sbin/ldap_userPassword_change %u
>> doing parameter passwd chat = *New*password* %n\n *Re-enter*new*password*
>> %n\n *Result**Success****
>> doing parameter check password script = /sbin/crackcheck -c -d
>> /usr/lib/cracklib_dict
>> doing parameter passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
>> doing parameter ldap admin dn = cn=Manager,dc=example,dc=org
>> doing parameter ldap suffix = dc=example,dc=org
>> doing parameter ldap group suffix = ou=Groups
>> doing parameter ldap user suffix = ou=Users
>> doing parameter ldap machine suffix = ou=Computers
>> doing parameter ldap idmap suffix = ou=Idmap
>> doing parameter idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
>> doing parameter add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>> doing parameter delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>> doing parameter add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1
>> -w "%u"
>> doing parameter add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>> doing parameter add user to group script = /opt/IDEALX/sbin/smbldap-groupmod
>> -m "%u" "%g"
>> doing parameter delete user from group script =
>> /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
>> doing parameter set primary group script = /opt/IDEALX/sbin/smbldap-usermod
>> -g '%g' '%u'
>> doing parameter idmap uid = 16777216-33554431
>> doing parameter idmap gid = 16777216-33554431
>> doing parameter template shell = /bin/false
>> doing parameter winbind use default domain = no
>> pm_process() returned Yes
>> lp_servicenumber: couldn't find homes
>> set_server_role: role = ROLE_DOMAIN_PDC
>> Attempting to register new charset UCS-2LE
>> Registered charset UCS-2LE
>> Attempting to register new charset UTF-16LE
>> Registered charset UTF-16LE
>> Attempting to register new charset UCS-2BE
>> Registered charset UCS-2BE
>> Attempting to register new charset UTF-16BE
>> Registered charset UTF-16BE
>> Attempting to register new charset UTF8
>> Registered charset UTF8
>> Attempting to register new charset UTF-8
>> Registered charset UTF-8
>> Attempting to register new charset ASCII
>> Registered charset ASCII
>> Attempting to register new charset 646
>> Registered charset 646
>> Attempting to register new charset ISO-8859-1
>> Registered charset ISO-8859-1
>> Attempting to register new charset UCS2-HEX
>> Registered charset UCS2-HEX
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
>> Attempting to register passdb backend ldapsam
>> Successfully added passdb backend 'ldapsam'
>> Attempting to register passdb backend ldapsam_compat
>> Successfully added passdb backend 'ldapsam_compat'
>> Attempting to register passdb backend smbpasswd
>> Successfully added passdb backend 'smbpasswd'
>> Attempting to register passdb backend tdbsam
>> Successfully added passdb backend 'tdbsam'
>> Attempting to register passdb backend guest
>> Successfully added passdb backend 'guest'
>> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1
>> ldap://ldap-2 (ldapsam)
>> Found pdb backend ldapsam
>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
>> smbldap_search: base => [dc=example,dc=org], filter =>
>> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
>> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
>> smbldap_open_connection: connection opened
>> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as
>> "cn=Manager,dc=example,dc=org"
>> ldap_connect_system: succesful connection to the LDAP server
>> The LDAP server is succesfully connected
>> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
>> Attempting to find an passdb backend to match guest (guest)
>> Found pdb backend guest
>> pdb backend guest has a valid init
>> Netbios name list:-
>> my_netbios_names[0]="BLAHDEV-PDC"
>> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
>> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1
>> ldap://ldap-2 (ldapsam)
>> Found pdb backend ldapsam
>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
>> smbldap_search: base => [dc=example,dc=org], filter =>
>> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
>> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
>> smbldap_open_connection: connection opened
>> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as
>> "cn=Manager,dc=example,dc=org"
>> ldap_connect_system: succesful connection to the LDAP server
>> The LDAP server is succesfully connected
>> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
>> Attempting to find an passdb backend to match guest (guest)
>> Found pdb backend guest
>> pdb backend guest has a valid init
>> Trying to load: tdbsam
>> Attempting to find an passdb backend to match tdbsam (tdbsam)
>> Found pdb backend tdbsam
>> pdb backend tdbsam has a valid init
>> Attempting to find an passdb backend to match guest (guest)
>> Found pdb backend guest
>> pdb backend guest has a valid init
>> Trying to load: ldapsam
>> Attempting to find an passdb backend to match ldapsam (ldapsam)
>> Found pdb backend ldapsam
>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
>> smbldap_search: base => [dc=example,dc=org], filter =>
>> [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
>> smbldap_open_connection: ldap://localhost
>> smbldap_open_connection: connection opened
>> ldap_connect_system: Binding to ldap server ldap://localhost as
>> "cn=Manager,dc=example,dc=org"
>> ldap_connect_system: succesful connection to the LDAP server
>> The LDAP server is succesfully connected
>> pdb backend ldapsam has a valid init
>> Attempting to find an passdb backend to match guest (guest)
>> Found pdb backend guest
>> pdb backend guest has a valid init
>> called with username="(null)"
>> tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No
>> such file or directory
>> Unable to open/create TDB passwd
>> Can't sampwent!
>>
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399

http://www.eva.mpg.de/evolution/
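The thread turns on where the domain password policy actually lives: jamurph's `pdbedit -P` run reads and writes account_policy.tdb while the sambaDomain entry in LDAP keeps its own copy of the same settings (sambaMinPwdLength and friends). The script below is an added example, not code from the thread or from the Samba project. It parses the sambaDomain LDIF entry jamurph posted (embedded here as constructed sample input), reports each policy attribute under the name `pdbedit -P` would use for it so the two copies can be compared by eye, and flags settings a defender would consider weak. The attribute-to-policy-name mapping follows the Samba 3 LDAP schema; the thresholds (minimum length 7, maximum age 90 days, lockout after at most 10 bad attempts) and the assumption that sambaMaxPwdAge is in seconds are this script's own and should be tuned for the site.

```python
"""Audit the password-policy attributes of a Samba 3 sambaDomain LDIF entry.

Added example for the mailing-list thread above; not Samba code.
"""
import re

# Constructed sample input: the sambaDomain entry jamurph posted in the thread.
SAMPLE_LDIF = """\
dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaDomainName: BLAHDEV
sambaMinPwdAge: 0
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaPwdHistoryLength: 0
sambaNextGroupRid: 67109863
uidNumber: 1005
sambaLogonToChgPwd: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaForceLogoff: -1
sambaLockoutThreshold: 0
gidNumber: 1000
sambaSID: S-1-5-21-317703500-4181503002-770181164
sambaNextUserRid: 67109862
sambaMinPwdLength: 5
sambaRefuseMachinePwdChange: 0
sambaAlgorithmicRidBase: 1000
sambaLockoutObservationWindow: 30
"""

# sambaDomain attribute -> policy name used by `pdbedit -P` (Samba 3 schema).
POLICY_ATTRS = {
    "sambaMinPwdLength": "min password length",
    "sambaPwdHistoryLength": "password history",
    "sambaLogonToChgPwd": "user must logon to change password",
    "sambaMaxPwdAge": "maximum password age",
    "sambaMinPwdAge": "minimum password age",
    "sambaLockoutDuration": "lockout duration",
    "sambaLockoutObservationWindow": "reset count minutes",
    "sambaLockoutThreshold": "bad lockout attempt",
    "sambaForceLogoff": "disconnect time",
    "sambaRefuseMachinePwdChange": "refuse machine password change",
}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded continuation lines (newline followed by a space) are joined first;
    blank and comment lines are skipped.  Values are split on the first colon
    only, so LDAP URLs and DNs containing colons survive intact.
    """
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    return entry


def policy_as_pdbedit(entry):
    """Return the LDAP policy values keyed by the names `pdbedit -P` uses."""
    return {name: int(entry[attr][0])
            for attr, name in POLICY_ATTRS.items() if attr in entry}


def audit_policy(entry, min_len=7, max_age_days=90, max_bad_attempts=10):
    """Return a list of (attribute, problem) for weak settings in the entry.

    Thresholds are assumptions chosen for this example; sambaMaxPwdAge is
    assumed to be in seconds with -1 meaning "never expires".
    """
    if "sambaDomain" not in entry.get("objectClass", []):
        return [("objectClass", "not a sambaDomain entry")]
    pol = {attr: int(entry[attr][0]) for attr in POLICY_ATTRS if attr in entry}
    findings = []

    length = pol.get("sambaMinPwdLength")
    if length is None or length < min_len:
        findings.append(("sambaMinPwdLength", f"{length} is below the required {min_len}"))

    if pol.get("sambaPwdHistoryLength", 0) == 0:
        findings.append(("sambaPwdHistoryLength", "password reuse is not prevented"))

    age = pol.get("sambaMaxPwdAge", -1)
    if age == -1:
        findings.append(("sambaMaxPwdAge", "passwords never expire"))
    elif age > max_age_days * 86400:
        findings.append(("sambaMaxPwdAge", f"{age // 86400} days exceeds {max_age_days}"))

    threshold = pol.get("sambaLockoutThreshold", 0)
    if threshold == 0:
        findings.append(("sambaLockoutThreshold", "no lockout after failed logons"))
    elif threshold > max_bad_attempts:
        findings.append(("sambaLockoutThreshold", f"{threshold} exceeds {max_bad_attempts}"))
    return findings


if __name__ == "__main__":
    domain = parse_ldif_entry(SAMPLE_LDIF)
    # Same names `pdbedit -P "<name>"` prints, so the tdb copy can be compared.
    for name, value in sorted(policy_as_pdbedit(domain).items()):
        print(f"{name:40s} {value}")
    for attr, problem in audit_policy(domain):
        print(f"WEAK  {attr}: {problem}")
```

Run against the posted entry it lists the four weak settings (minimum length 5, no history, no expiry, no lockout); feeding it the output of an `ldapsearch` for the sambaDomain object, then comparing the printed names against `pdbedit -P "<name>"`, is a quick way to see which copy of the policy a given Samba version is actually honouring.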

