[Samba] ldap passwd sync not working

Fabiano Caixeta Duarte fcd.listas at gmail.com
Wed Feb 13 12:24:54 GMT 2008


Edmundo Valle Neto wrote:
> Fabiano Caixeta Duarte wrote:
>>> Fabiano Caixeta Duarte wrote:
>>>> Hi, there!
>>>>
>>>> When my XP users try to change passwords, they get a message saying that
>>>> password has been changed. That's not true!
>>>>
>>>> NT and LM passwords are changed but unixPassword isn't.
>>>>
>>>> Look at this openldap.log lines:
>>>>
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
>>>>
>>>> See?
>>>>
>>>> My smb.conf has these ldap related options:
>>>>
>>>> passdb backend = ldapsam:ldap://apolo.domain
>>>> idmap backend = ldapsam:ldap://apolo.domain
>>>> ldap suffix = dc=domain
>>>> ldap admin dn = cn=root,dc=domain
>>>> ldap ssl = start_tls
>>>> ldap group suffix = ou=Groups
>>>> ldap user suffix = ou=Users
>>>> ldap machine suffix = ou=Computers
>>>> ldap idmap suffix = ou=Users
>>>> ldap passwd sync = yes
>>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>>> ldap delete dn = Yes
>>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>>
>>>
>> > The question may not be related to LDAP since your domain passwords are
>> > changed. You should be looking at why the Unix password isn't being
>> > changed.
>> > - Are you using LDAP for Unix authentication?
>> > - Can you change the Unix password using passwd?
>> > - Is your password chat in smb.conf correct for your system?
>>
>> AFAIK when using ldapsam, we must use ldap attributes for storing unix 
>> information. So passwd won't work.
> 
> passwd works partially. passwd uses PAM, and PAM can access LDAP but it 
> only knows about posix attributes.
> 
>> If so, we cannot use "passwd chat" "passwd program" "unix password 
>> sync", etc. Instead, we have to use "ldap passwd sync".
> 
> Well, you can, but yes, ldap passwd sync does the same thing without 
> needing to configure anything, so it works, but it just doesn't make sense 
> to configure both.
> 
> 
> The idealx documentation explains that:
> 
> http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108
> 
> 6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u 
> is not called, or I get an error message when changing the password from 
> Windows
> The directive is called if you also set unix password sync = Yes. Notes:
> 
> * if you use OpenLDAP, none of those two options are needed. You just 
> need ldap passwd sync = Yes.
> * the script called here must only update the userPassword attribute. 
> This is the reason for the -u option. Samba passwords will be updated by 
> samba itself.
> * the passwd chat directive must match what is prompted when using the 
> smbldap-passwd command
> 
> So..., just -u to change only userPassword and a working passwd chat :)
> 
> And in: 8.1.3  The samba configuration file : /etc/samba/smb.conf
> 
> #unix password sync = Yes
> #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
> #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
> ldap passwd sync = Yes
> 
> One OR the other. But both approaches work.
> 
>> Am I wrong?
> 
> Yes.
> 
>> And yes, I'm using also unix authentication for some services.
>>
>> I assume that I missed something on smb.conf because samba doesn't ask 
>> for modification on unixPassword ldap attribute as shown on openldap.log
> 
> That's funny, I cannot point to anything missing in your smb.conf; ldap 
> passwd sync should work alone. But you can try smbldap-passwd as shown 
> in the three lines above. Make sure it works at the command line first.
> 
>> Thanks for your attention.
> 
> 
> Regards.
> 
> Edmundo Valle Neto

Sure enough, smbldap-passwd works. I tried this once ldap passwd 
sync was not working. Though, there are two problems: 1) it's too slow 
and 2) it shows a message to the user telling him he has no permission to 
change the password. So it's confusing. I don't feel comfortable using such 
a thing.

Actually, I was hoping for an answer from someone who has ldap passwd sync 
working. Hints on how to debug and so on.

Thanks again!

-- 
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
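One way to check for the symptom discussed in this thread from the slapd log itself: the script below (an added example, not code from any poster or from Samba/idealx) pairs each MOD dn= line with its MOD attr= line by conn/op and reports operations that rewrote sambaNTPassword/sambaLMPassword without also touching userPassword. The sample log is constructed from the lines quoted above plus an invented second operation where the sync did work.

```python
import re
from collections import defaultdict

# Constructed sample: op=40 is the failing case quoted in the thread;
# conn=698022 op=3 is an invented healthy case where userPassword is included.
SAMPLE_LOG = """\
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 12 07:51:02 apolo slapd[22826]: conn=698022 op=3 MOD dn="uid=alice,ou=Users,dc=domain"
Feb 12 07:51:02 apolo slapd[22826]: conn=698022 op=3 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet userPassword userPassword
"""

MOD_DN = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
MOD_ATTR = re.compile(r'conn=(\d+) op=(\d+) MOD attr=(.*)$')
SAMBA_HASH_ATTRS = {"sambaNTPassword", "sambaLMPassword"}


def find_unsynced_password_changes(log_text):
    """Return (dn, sorted attribute list) for every MOD operation that changed the
    Samba password hashes but left userPassword alone, i.e. where 'ldap passwd sync'
    did not take effect. Operations are matched by their (conn, op) pair."""
    dns = {}
    attrs = defaultdict(set)
    for line in log_text.splitlines():
        m = MOD_DN.search(line)
        if m:
            dns[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = MOD_ATTR.search(line)
        if m:
            # slapd lists each modified attribute name once per modification
            attrs[(m.group(1), m.group(2))].update(m.group(3).split())
    unsynced = []
    for key, modified in attrs.items():
        if modified & SAMBA_HASH_ATTRS and "userPassword" not in modified:
            unsynced.append((dns.get(key, "?"), sorted(modified)))
    return unsynced


if __name__ == "__main__":
    for dn, modified in find_unsynced_password_changes(SAMPLE_LOG):
        print(f"{dn}: Samba hashes changed without userPassword ({', '.join(modified)})")
```

Run it against a real openldap.log by reading the file into `find_unsynced_password_changes`; an empty result after a Windows password change means the userPassword write happened and the problem is elsewhere.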
