[Samba] strange behaviour of the "ldap passwd sync" option

roudoudou roudoud0u at free.fr
Sat Jul 14 22:36:23 GMT 2007


Hi,
I'm trying to set up a samba (samba 3.0.25a) PDC with the ldapsam
backend on FreeBSD (FreeBSD 6.2) and I have some trouble with the "ldap
passwd sync" option.
I must say here that my goal is to use the ldap smbk5pwd overlay in
order to keep the unix and samba passwords in sync when the user changes
his password from a unix workstation either via ldappasswd or passwd
(configuration file below)

Here is what I've observed so far:
* If I set in smb.conf, "ldap passwd sync = Only": when a user tries
to modify his password with smbpasswd, then despite the success message
of the operation, one can see that the userPassword field of this user
in the ldap server wasn't modified (the sambaLMPassword and
sambaNTPassword weren't modified either, but that's consistent with the
man page). In fact wireshark didn't show any trace of an LDAP Password
Modify extended operation sent to the ldap server.
* If I set in smb.conf, "ldap passwd sync = Yes": everything works.
Wireshark shows a "Password Modify Request and
Response" (oid=1.3.6.1.4.1.4203.1.11.1) exchanged between the client
and the ldap server but oddly no ldapModifyRequest. The slapd logs
("loglevel 4" was set in slapd.conf) show the function calls below:
-----
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace userPassword
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace sambaPwdLastSet
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace sambaLMPassword
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace sambaNTPassword
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace entryCSN
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace modifiersName
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace modifyTimestamp
-----

* If I set in smb.conf, "ldap passwd sync = No": then the
samba*Password attributes are modified when calling smbpasswd whereas
the userPassword attribute is left unchanged. Wireshark shows an
exchange of LDAP modifyRequest/Response between the client and the
ldap server. The slapd logs recorded the function calls below:
-----
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: delete sambaLMPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: add sambaLMPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: delete sambaNTPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: add sambaNTPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: delete sambaPwdLastSet
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: add sambaPwdLastSet
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: replace entryCSN
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: replace modifiersName
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: replace modifyTimestamp
-----


So I was just wondering if:
* the "ldap passwd sync = Only" option is deprecated?
* it is harmless to specify "ldap passwd sync = Yes" in smb.conf when
one uses the ldap smbk5pwd overlay to keep the unix/windows
passwords in sync?


Thanks :-)
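
An added example, not part of the original post and not Samba or OpenLDAP code: a small audit that reads slapd "bdb_modify_internal" trace lines in the format quoted above and labels each modify by which password attributes it wrote, so a change that updates the samba hashes without userPassword stands out. Grouping lines by timestamp and slapd pid is an assumption, and the sample log is constructed from the post's format.

```python
import re

# Matches the "loglevel 4" trace lines quoted in the post; \s+ also spans
# the line wrap that mail clients insert before the attribute name.
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ slapd\[(\d+)\]: "
    r"bdb_modify_internal: (replace|add|delete)\s+(\S+)",
    re.MULTILINE,
)
SAMBA_HASHES = {"sambaLMPassword", "sambaNTPassword"}


def classify(attrs):
    """Label one modify operation by the password attributes it wrote."""
    unix = "userPassword" in attrs
    samba = SAMBA_HASHES <= attrs
    if unix and samba:
        return "in-sync"
    if samba:
        return "samba-only"
    return "unix-only" if unix else "no-password-change"


def audit(log_text):
    """Group trace lines into operations and classify each one."""
    # Assumption: lines sharing a timestamp and slapd pid belong to one
    # modify operation, as in the excerpts in the post.
    ops = {}
    for stamp, pid, action, attr in LINE.findall(log_text):
        if action != "delete":  # a delete+add pair counts once, on the add
            ops.setdefault((stamp, pid), set()).add(attr)
    return [(stamp, pid, classify(attrs)) for (stamp, pid), attrs in ops.items()]


# Constructed sample in the post's log format (wrapped and unwrapped lines).
SAMPLE = """\
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace
userPassword
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace sambaLMPassword
Jul 14 22:36:32 dell076 slapd[76792]: bdb_modify_internal: replace sambaNTPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: delete sambaLMPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: add sambaLMPassword
Jul 15 00:07:32 dell076 slapd[76865]: bdb_modify_internal: add sambaNTPassword
"""

if __name__ == "__main__":
    for stamp, pid, verdict in audit(SAMPLE):
        print(stamp, pid, verdict)
```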

