[Samba] sambaPwdMustChange attribute didn't get updated (3.0.27a)

Markus Kahle markus.kahle at brueckmann-gmbh.de
Wed Feb 20 09:53:13 GMT 2008


Hi there,

I got into some trouble after updating my Samba installation to 3.0.27a. 
My installation uses Samba-3.0.27a, OpenLDAP-2.2.13 and smbldap-tools-0.9.2 
as a PDC for an NT4 domain. Originally I used the installation guide from 
smbldap-tools and everything worked fine. I also limited the access to 
LDAP as told in the installation guide with no problems.
After updating to 3.0.27a I realized that when using usrmgr.exe, the 
password preferences in Policies -> Accounts didn't get saved; only the 
password-length option got saved.
After doing some research, I managed to solve this by adding the 
following LDAP attributes to the access rules in slapd.conf:

sambaMinPwdLength
sambaPwdHistoryLength
sambaLogonToChgPwd
sambaMaxPwdAge
sambaMinPwdAge
sambaLockoutDuration
sambaLockoutObservationWindow
sambaLockoutThreshold
sambaForceLogoff
sambaRefuseMachinePwdChange

But one problem still exists:

If Windows users change their password via the normal Windows dialog, 
the password gets changed in LDAP, and the sambaPwdLastSet attribute 
gets updated, BUT the sambaPwdCanChange and sambaPwdMustChange attributes 
don't update, and so all the Maximum Password Age stuff, including 
reminding users of their password expiration and forcing users to change their 
password when it expires, doesn't work anymore.

I can't find any other access-right problems within LDAP, so why 
doesn't the sambaPwdMustChange attribute get updated?

The problem also exists when adding a new user. After the user changes his 
password at first login, the sambaPwdMustChange attribute doesn't update.


slapd.conf digest
----------------------------------------------------------------------------------
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=nssldap,ou=DSA,dc=bel-gmbh,dc=lan" write
	by self write
	by anonymous auth
	by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by * read

access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by self write
	by * read

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaMinPwdLength,sambaPwdHistoryLength,sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by self read
	by * none

access to dn.base="dc=bel-gmbh,dc=lan"
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by * none

access to dn="ou=Users,dc=bel-gmbh,dc=lan"
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by * none

access to dn="ou=Groups,dc=bel-gmbh,dc=lan"
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by * none

access to dn="ou=Computers,dc=bel-gmbh,dc=lan"
	by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
	by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
	by * none

access to *
	by self read
	by * read
----------------------------------------------------------------------------------


Thanks in advance for all hints and suggestions..



Bye,

Markus Kahle
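The posted ACLs are evaluated in file order, and slapd stops at the first `access to` clause whose `<what>` covers the requested attribute, so a later clause that lists the same attribute with different `by` rights never applies to it. The following model of that first-match evaluation is an added example, not part of the original mail, OpenLDAP or Samba; it reproduces clause 1, a shortened clause 4 and the catch-all from the digest above, assumes cn=samba is the DN Samba binds with (its `ldap admin dn`), and uses a constructed user DN.

```python
SAMBA_DN = "cn=samba,ou=DSA,dc=bel-gmbh,dc=lan"   # assumed to be Samba's ldap admin dn
USER_DN = "uid=jdoe,ou=Users,dc=bel-gmbh,dc=lan"  # constructed user entry

# Clause 1, a shortened clause 4 and the catch-all from the posted slapd.conf, in file order.
ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self write
    by anonymous auth
    by * none
access to attrs=sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self read
    by * none
access to *
    by self read
    by * read
"""

def parse_acl(text):
    """Return [(attrs_set_or_None, [((kind, value), level), ...])] in file order."""
    clauses = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
            clauses.append((attrs, []))
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            who = ("dn", who[3:].strip('"')) if who.startswith("dn=") else (who, None)
            clauses[-1][1].append((who, level.strip()))
    return clauses

def who_matches(who, bind_dn, entry_dn):
    """Simplified <who> matching: *, anonymous, self and exact dn= only."""
    kind, value = who
    if kind == "anonymous":
        return bind_dn is None
    if kind == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return kind == "*" or (kind == "dn" and bind_dn is not None and bind_dn.lower() == value.lower())

def effective_access(clauses, bind_dn, entry_dn, attr):
    """First clause covering the attribute decides; first matching <who> inside it gives the level."""
    for index, (attrs, bys) in enumerate(clauses, start=1):
        if attrs is None or attr.lower() in attrs:
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn):
                    return level, index
            return "none", index  # clause covers the attribute but no <who> matched
    return "none", 0
```

For the cn=samba bind both attributes resolve to write, so if that is the DN Samba modifies entries with, these ACLs are unlikely to be what blocks the update; a user binding as self, by contrast, gets write on sambaPwdMustChange from clause 1 but only read on sambaPwdCanChange from clause 4.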
