[Samba] ldap passwd sync not working
jtournier at gmail.com
Thu Feb 14 08:33:49 GMT 2008
Le Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte a ecrit:
> I assume that your ldap sync passwd is enough (like I wanted to) because
> smb.conf tells us that passwd chat is not used if unix password sync is set
> to no.
> passwd chat (G)
> Note that this parameter only is only used if the unix password sync
> parameter is set to yes.
You must effectively be right. I'll try this evening to be sure.
> and it sort of worked. Both samba and unix passwords were changed, but
> users get a message telling they don't have permission to change passwords.
> In addition, it takes too long since user try the operation until system
Isn't it related to the workstation ? Have you tried with another ?
Have you informations in Samba log ?
Have you try 'access to * by * write' in slapd.conf (don't think it come
from here as passwords are changed, but maybe users don't have write access
to attributes such as shadowLastChange) ?
> Could you post (or send me in PVT) your smb.conf. I think this will help a
> lot. Please inform either the version of OS, samba and openldap.
I tried on CentOS release 4.6 (Final)
smbldap-tools-0.9.5-pre4 (but changing password work with latest
> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
> openldap 2.3.38. Not using PAM.
Don't think PAM matter here.
# Global parameters
workgroup = DOMSMB
netbios name = PDC-SRV
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
unix password sync = No
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
#passwd chat debug = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=company,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
template shell = /bin/false
winbind use default domain = no
path = /home/netlogon/
browseable = No
read only = yes
GPG key ID (pgp.mit.edu): 75FE0A51
More information about the samba