[Samba] Error setting initial password for a user when using LDAP
as backend
and trying to set Samba and Unix password to the same value
Jörg Spilker
js at jetsys.de
Sun Jul 20 17:06:13 GMT 2008
Hello,
i´ve some problems setting the initial password for Windows and Unix
User with Samba configured to use LDAP as backend.
I´ve attached the configuration files and the errors.
Creating a new user with net rpc user add "xyz" is working without
problem. Using for example GQ as LDAP browser, i can see the account and
also getent passwd is showing the entry. I´ve activated ldap passwd
sync = yes which should update NT Password and unix password. I´ve set
the password for the ldap admin dn with smbpasswd -W. However when
issuing the command smbpasswd "xyz" i got the attached error message.
I´m not sure why, because i´ve difficulties to read the ldap debug
information. I know that error 50 means insufficient privileges. But
when i remove the passwd sync = yes commandline, smbpasswd updates the
NT Password without problems. What is wrong?
Greetings, Joerg
-------------- next part --------------
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
access to dn.base=""
by dn="cn=samba,dc=jetsys,dc=de" write
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by dn="cn=samba,dc=jetsys,dc=de" write
by * read
-------------- next part --------------
[global]
log level = all:10
workgroup = JETSYS
security = user
domain logons = yes
domain master = yes
wins support = yes
passdb backend = ldapsam
ldap admin dn = cn=samba,dc=jetsys,dc=de
ldap suffix = dc=jetsys,dc=de
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmaps
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap domains = JETSYS
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=jetsys,dc=de
idmap alloc config:ldap_user_dn = cn=samba,dc=jetsys,dc=de
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
-------------- next part --------------
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SRCH base="dc=jetsys,dc=de" scope=2 deref=0 filter="(&(uid=js)(objectClass=sambaSamAccount))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
Jul 20 18:35:56 src at xdaolin slapd[3134]: <= bdb_equality_candidates: (uid) not indexed
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SRCH attr=sambaPwdHistoryLength
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SRCH attr=sambaMaxPwdAge
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=50000))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SRCH base="ou=users,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SRCH attr=uid sambaSid
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SRCH attr=cn displayName sambaSid sambaGroupType
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 MOD dn="uid=js,ou=users,dc=jetsys,dc=de"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 MOD attr=sambaPwdLastSet sambaPwdLastSet
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SRCH attr=supportedExtension
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 PASSMOD id="uid=js,ou=users,dc=jetsys,dc=de" new
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 text=
Jul 20 18:35:56 src at xdaolin slapd[3134]: conn=9 fd=20 closed (connection lost)
-------------- next part --------------
xdaolin:~ # smbpasswd js
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user js: Insufficient access
unknown
Failed to modify entry for user js.
Failed to modify password entry for user js
More information about the samba
mailing list