[Samba] ldap passwd sync not working

Fabiano Caixeta Duarte fcd.listas at gmail.com
Tue Feb 12 13:09:34 GMT 2008 

> Fabiano Caixeta Duarte wrote:
>> Hi, there!
>>
>> When my XP users try to change passwords, they get a message saying that
>> password has been changed. That's not true!
>>
>> NT and LM passwords are changed but unixPassword isn't.
>>
>> Look at this openldap.log lines:
>>
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>> dn="uid=teste,ou=Users,dc=domain"
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
>> sambaPwdLastSet sambaPwdLastSet
>>
>> See?
>>
>> My smb.conf have this ldap related options:
>>
>> passdb backend = ldapsam:ldap://apolo.domain
>> idmap backend = ldapsam:ldap://apolo.domain
>> ldap suffix = dc=domain
>> ldap admin dn = cn=root,dc=domain
>> ldap ssl = start_tls
>> ldap group suffix = ou=Groups
>> ldap user suffix = ou=Users
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Users
>> ldap passwd sync = yes
>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>> ldap delete dn = Yes
>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>
> 
 > The question may not be related to LDAP since your domain passwords are
 > changed. You should be looking at why the Unix password isn't being
 > changed.
 > - Are you using LDAP for Unix authentication?
 > - Can you change the Unix password using passwd?
 > - is your password chat in smb.conf correct for your system?

AFAIK when using ldapsam, we must use ldap attributes for storing unix 
information. So passwd won't work.

If so, we cannot use "passwd chat" "passwd program" "unix password 
sync", etc. Instead, we have to use "ldap passwd sync".

Am I wrong?

And yes, I'm using also unix authentication for some services.

I assume that I missed something on smb.conf because samba doesn't ask 
for modification on unixPassword ldap attribute as shown on openldap.log

Thanks for your attention.

-- 
Fabiano Caixeta Duarte
Especialista em Redes de Computadores
Linux User #195299
Ribeirão Preto - SP

More information about the samba mailing list