[Samba] ldap passwd sync not working

Jerome Tournier jtournier at gmail.com
Thu Feb 14 08:33:49 GMT 2008

On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
> I assume that your ldap sync passwd is enough (like I wanted to) because 
> smb.conf tells us that passwd chat is not used if unix password sync is set 
> to no.
> passwd chat (G)
>     Note that this parameter is only used if the unix password sync 
> parameter is set to yes.

You must indeed be right. I'll try this evening to be sure.

> and it sort of worked. Both samba and unix passwords were changed, but 
> users get a message telling them they don't have permission to change passwords. 
> In addition, it takes too long from when the user tries the operation until the 
> system responds.

Isn't it related to the workstation? Have you tried with another one?
Is there any information in the Samba log?
Have you tried 'access to * by * write' in slapd.conf? (I don't think it comes
from there, as the passwords are changed, but maybe users don't have write access
to attributes such as shadowLastChange.)

> Could you post (or send me in PVT) your smb.conf. I think this will help a 
> lot. Please also inform the versions of OS, samba and openldap.

I tried on CentOS release 4.6 (Final) with
smbldap-tools-0.9.5-pre4 (but changing password works with latest

> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and 
> openldap 2.3.38. Not using PAM.

I don't think PAM matters here.

My smb.conf:
# Global parameters
  workgroup = DOMSMB
  netbios name = PDC-SRV
  security = user
  enable privileges = yes
  server string = Samba Server %v
  encrypt passwords = Yes
  unix password sync = No
  ldap passwd sync = Yes
  passwd program = /usr/sbin/smbldap-passwd -u %u
  passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
  #passwd chat debug = Yes
  log level = 0
  syslog = 0
  log file = /var/log/samba/log.%U
  max log size = 100000
  time server = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  mangling method = hash2
  Dos charset = 850
  Unix charset = ISO8859-1

  logon script = logon.bat
  logon drive = H:
  logon home =
  logon path =

  domain logons = Yes
  domain master = Yes
  os level = 65
  preferred master = Yes
  wins support = yes
  passdb backend = ldapsam:ldap://
  ldap admin dn = cn=Manager,dc=company,dc=com
  #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
  ldap suffix = dc=company,dc=com
  ldap group suffix = ou=Groups
  ldap user suffix = ou=Users
  ldap machine suffix = ou=Computers
  #ldap idmap suffix = ou=Idmap
  add user script = /usr/sbin/smbldap-useradd -m "%u"
  #ldap delete dn = Yes
  delete user script = /usr/sbin/smbldap-userdel "%u"
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
  add group script = /usr/sbin/smbldap-groupadd -p "%g"
  #delete group script = /usr/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

  # printers configuration
  printer admin = @"Print Operators"
  load printers = Yes
  create mask = 0640
  directory mask = 0750
  #force create mode = 0640
  #force directory mode = 0750
  nt acl support = No
  printing = cups
  printcap name = cups
  deadtime = 10
  guest account = nobody
  map to guest = Bad User
  dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
  show add printer wizard = yes
  ; to maintain capital letters in shortcuts in any of the profile folders:
  preserve case = yes
  short preserve case = yes
  case sensitive = no
  template shell = /bin/false
  winbind use default domain = no
  path = /home/netlogon/
  browseable = No
  read only = yes

Jerome Tournier              
GPG key ID (pgp.mit.edu): 75FE0A51
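Rather than the 'access to * by * write' test suggested above (which lets every bind, anonymous ones included, rewrite every entry, password hashes of other users among them), a least-privilege slapd.conf ACL for this kind of smbldap setup could look like the following. This is an added example, not part of the thread or of the smbldap-tools project; the DSA DN is taken from the commented-out "ldap admin dn" line above, and the attribute list and the anonymous read on the rest of the tree are assumptions for a typical nss_ldap deployment.

```conf
# Added example (not from the thread): a least-privilege alternative to
# "access to * by * write". Assumes the dedicated DSA from the commented-out
# "ldap admin dn" line and the usual smbldap-tools attributes.
# Note: when "ldap admin dn" is the rootdn (cn=Manager here), ACLs are never
# evaluated for Samba's own writes, so they cannot be what refuses the change
# on the Samba side; they still govern what the user (or pam_ldap) may write.

# Password hashes: the DSA and the user may replace them, everyone else may
# only use them to bind. First matching "access to" wins, so this comes first.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,ou=DSA,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none

# Password-aging bookkeeping updated during a change (shadowLastChange is the
# attribute suspected above); the user needs write on its own entry here too.
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange
    by dn.exact="cn=samba,ou=DSA,dc=company,dc=com" write
    by self write
    by * read

# Everything else: the DSA manages users, groups and machines; others read
# (anonymous read assumed so nss_ldap can resolve accounts without a bind DN).
access to *
    by dn.exact="cn=samba,ou=DSA,dc=company,dc=com" write
    by * read
```

The effective rights can be checked offline with slapacl(8), e.g. `slapacl -D "uid=alice,ou=Users,dc=company,dc=com" -b "uid=alice,ou=Users,dc=company,dc=com" shadowLastChange/write` (a constructed DN), which reports whether that bind would be allowed the write without touching the live directory.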