[Samba] ldap passwd sync not working

Edmundo Valle Neto edmundo.valle at terra.com.br
Tue Feb 12 22:49:45 GMT 2008

Fabiano Caixeta Duarte escreveu:
>> Fabiano Caixeta Duarte wrote:
>>> Hi, there!
>>> When my XP users try to change passwords, they get a message saying 
>>> that
>>> password has been changed. That's not true!
>>> NT and LM passwords are changed but unixPassword isn't.
>>> Look at this openldap.log lines:
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>> dn="uid=teste,ou=Users,dc=domain"
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
>>> sambaPwdLastSet sambaPwdLastSet
>>> See?
>>> My smb.conf have this ldap related options:
>>> passdb backend = ldapsam:ldap://apolo.domain
>>> idmap backend = ldapsam:ldap://apolo.domain
>>> ldap suffix = dc=domain
>>> ldap admin dn = cn=root,dc=domain
>>> ldap ssl = start_tls
>>> ldap group suffix = ou=Groups
>>> ldap user suffix = ou=Users
>>> ldap machine suffix = ou=Computers
>>> ldap idmap suffix = ou=Users
>>> ldap passwd sync = yes
>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> ldap delete dn = Yes
>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" 
>>> "%g"
>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> > The question may not be related to LDAP since your domain passwords are
> > changed. You should be looking at why the Unix password isn't being
> > changed.
> > - Are you using LDAP for Unix authentication?
> > - Can you change the Unix password using passwd?
> > - is your password chat in smb.conf correct for your system?
> AFAIK when using ldapsam, we must use ldap attributes for storing unix 
> information. So passwd won't work.

passwd works partially. passwd uses PAM, and PAM can access LDAP but it 
only knows about posix attributes.

> If so, we cannot use "passwd chat" "passwd program" "unix password 
> sync", etc. Instead, we have to use "ldap passwd sync".

Well, you can, but yes, ldap passwd sync does the same thing without 
need to configure anything, so, it works but just doesnt make sense 
configure both.

idealx documentation explain that:


6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u 
is not called, or i got a error message when changing the password from 
The directive is called if you also set unix password sync = Yes. Notes:

* if you use OpenLDAP, none of those two options are needed. You just 
need ldap passwd sync = Yes.
* the script called here must only update the userPassword attribute. 
This is the reason of the -u option. Samba passwords will be updated by 
samba itself.
* the passwd chat directive must match what is prompted when using the 
smbldap-passwd command

So..., just -u to change only userPassword and a working passwd chat :)

And in: 8.1.3  The samba configuration file : /etc/samba/smb.conf

#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new 
password*" %n\n"
ldap passwd sync = Yes

One OR another. But both approaches works.

> Am I wrong?


> And yes, I'm using also unix authentication for some services.
> I assume that I missed something on smb.conf because samba doesn't ask 
> for modification on unixPassword ldap attribute as shown on openldap.log

Thats funny, I cannot point anything missing in your smb.conf, ldap 
passwd sync should work alone. but you can try smbldap-passwd as shown 
at the tree lines above. Make sure it works at the command line first.

> Thanks for your attention.


Edmundo Valle Neto

More information about the samba mailing list