[Samba] Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value

Jörg Spilker js at jetsys.de
Sun Jul 20 17:06:13 GMT 2008


Hello,

I've some problems setting the initial password for Windows and Unix 
users with Samba configured to use LDAP as the backend.

I've attached the configuration files and the errors.

Creating a new user with net rpc user add "xyz" works without 
problems. Using, for example, GQ as LDAP browser, I can see the account, 
and getent passwd also shows the entry. I've activated ldap passwd 
sync = yes, which should update the NT password and the Unix password. 
I've set the password for the ldap admin dn with smbpasswd -W. However, 
when issuing the command smbpasswd "xyz" I got the attached error message.

I'm not sure why, because I have difficulty reading the LDAP debug 
information. I know that error 50 means insufficient privileges. But 
when I remove the passwd sync = yes commandline, smbpasswd updates the 
NT password without problems. What is wrong?

Greetings, Joerg

-------------- next part --------------
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:

access to dn.base=""
	by dn="cn=samba,dc=jetsys,dc=de" write
	by * read

access to dn.base="cn=Subschema"
	by * read

access to attrs=userPassword,userPKCS12
	by self write
	by * auth

access to attrs=shadowLastChange
	by self write
	by * read

access to *
	by dn="cn=samba,dc=jetsys,dc=de" write
	by * read
-------------- next part --------------
[global]
        log level = all:10
	workgroup = JETSYS
        security = user
	domain logons = yes
	domain master = yes
	
	wins support = yes

	passdb backend = ldapsam
	ldap admin dn = cn=samba,dc=jetsys,dc=de
	ldap suffix = dc=jetsys,dc=de
	ldap user suffix = ou=users
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers 
	ldap idmap suffix = ou=idmaps
        ldap passwd sync = yes
	ldapsam:trusted = yes
	ldapsam:editposix = yes 

	idmap domains = JETSYS
	idmap alloc backend = ldap
	idmap alloc config:ldap_base_dn = ou=idmap,dc=jetsys,dc=de
	idmap alloc config:ldap_user_dn = cn=samba,dc=jetsys,dc=de
	idmap alloc config:ldap_url = ldap://localhost
	idmap alloc config:range = 50000-500000
-------------- next part --------------

Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SRCH base="dc=jetsys,dc=de" scope=2 deref=0 filter="(&(uid=js)(objectClass=sambaSamAccount))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
Jul 20 18:35:56 src at xdaolin slapd[3134]: <= bdb_equality_candidates: (uid) not indexed
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SRCH attr=sambaPwdHistoryLength
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SRCH attr=sambaMaxPwdAge
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=50000))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SRCH base="ou=users,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SRCH attr=uid sambaSid
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SRCH attr=cn displayName sambaSid sambaGroupType
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 MOD dn="uid=js,ou=users,dc=jetsys,dc=de"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 MOD attr=sambaPwdLastSet sambaPwdLastSet
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SRCH attr=supportedExtension
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 PASSMOD id="uid=js,ou=users,dc=jetsys,dc=de" new
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 fd=20 closed (connection lost)
-------------- next part --------------
xdaolin:~ # smbpasswd js
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user js: Insufficient access
        unknown
Failed to modify entry for user js.
Failed to modify password entry for user js
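
Added example, not part of the original post: a simplified Python model of slapd's first-match ACL selection, run on the policy attached above, to show which access level cn=samba ends up with on userPassword compared with sambaNTPassword. It only handles the `dn.base`, `attrs`, `*`, `self` and `dn=` forms that appear in this policy, and the function names are illustrative.

```python
POSTED_ACL = '''
access to dn.base=""
    by dn="cn=samba,dc=jetsys,dc=de" write
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by dn="cn=samba,dc=jetsys,dc=de" write
    by * read
'''
SAMBA = "cn=samba,dc=jetsys,dc=de"          # ldap admin dn from smb.conf
USER = "uid=js,ou=users,dc=jetsys,dc=de"    # entry from the PASSMOD log line

def parse_acl(text):
    rules = []                              # [(what, [(who, level), ...]), ...]
    for words in (line.split() for line in text.strip().splitlines()):
        if words[0] == "access":            # access to <what>
            rules.append((words[2], []))
        else:                               # by <who> <level>
            rules[-1][1].append((words[1], words[2]))
    return rules

def what_matches(what, entry_dn, attr):
    kind, _, value = what.partition("=")
    if kind == "dn.base":
        return value.strip('"').lower() == entry_dn.lower()
    return what == "*" or (kind == "attrs" and attr.lower() in value.lower().split(","))

def who_matches(who, bind_dn, entry_dn):
    if who.startswith("dn="):
        return who[3:].strip('"').lower() == bind_dn.lower()
    return who == "*" or (who == "self" and bind_dn.lower() == entry_dn.lower())

def access_level(rules, bind_dn, entry_dn, attr):
    """First matching 'access to' clause wins, then its first matching 'by'."""
    for what, by_list in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in by_list:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            break                           # no 'by' matched: implicit "by * none"
    return "none"
```

With the posted policy, `access_level(parse_acl(POSTED_ACL), SAMBA, USER, "userPassword")` returns `auth` while the same call for `sambaNTPassword` returns `write`, which lines up with err=50 on the PASSMOD operation and with smbpasswd succeeding once the password sync is turned off. Adding a `by dn="cn=samba,dc=jetsys,dc=de" write` line ahead of `by * auth` in the userPassword clause makes the model return `write` there as well.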

