[Samba] Changing LDAP userPassword fails: Internal (implementation specific) error

Adam Tauno Williams awilliam at whitemice.org
Mon Feb 23 11:04:41 GMT 2009


On Mon, 2009-02-23 at 09:21 +0100, François Legal wrote:
> Well, you usually have some specific acl in ldap for the userPassword
> attribute, that restricts access to only the owner of the entry and an
> administrator. You should make sure that the dn used by samba to bind the
> directory (ldap admin dn) has access to the userPassword attribute.

This is exactly what the second example below proves.

> Also, you should check that ldap is not set up with smbpasswd overlay, in
> which case you should change the ldap sync parameter to only.

The module is commented out: #moduleload smbk5pwd

> On Sun, 22 Feb 2009 14:02:15 -0500, Adam Tauno Williams
> <adamtaunowilliams at gmail.com> wrote:
> > openldap-2.3.27-8.el5_2.4,samba3-3.2.8-38
> > An smbpasswd by root to change a user's password fails with:
> > [root at littleboy samba]# smbpasswd adam
> > New SMB password:
> > Retype new SMB password:
> > ldapsam_modify_entry: LDAP Password could not be changed for user adam:
> > Internal (implementation specific) error
> > 	password hash failed
> > Failed to modify entry for user adam.
> > Failed to modify password entry for user adam
> > This changes the Samba password but fails to change the user's
> > userPassword (LDAP sync) password.  But I can "manually" change the
> > password using the DC's bind DN and password:
> > # ldappasswd -S -H ldapi://%2fvar%2frun%2fldap2.4%2fldapi -vvvvvvvvv -x -W -D "uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US" "cn=Adam Williams,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US"
> > New password: 
> > Re-enter new password: 
> > Enter LDAP Password: 
> > ldap_initialize( ldapi://%2fvar%2frun%2fldap2.4%2fldapi )
> > Result: Success (0)
> > Samba LDAP configuration:
> > passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
> > ldap ssl = no
> > ldap admin dn = uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
> > ldap suffix = o=Morrison Industries,c=US
> > ldapsam:trusted = yes
> > ldap passwd sync = Yes
> > Oddly, attempting to change the password AS THE USER fails with a
> > different error message, either via smbpasswd or via the password change
> > dialog on a Win32 workstation:
> > bash-3.2$ smbpasswd -U adam
> > Old SMB password:
> > New SMB password:
> > Retype new SMB password:
> > machine 127.0.0.1 rejected the (anonymous) password change: Error was :
> > Wrong Password.
> > Failed to change password for adam
> > It always just says the user's password is wrong,  although the user can
> > login, navigate, etc...
> > Is this https://bugzilla.samba.org/show_bug.cgi?id=5886 ?
-- 
OpenGroupware developer: awilliam at whitemice.org
<http://whitemiceconsulting.blogspot.com/>
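
A small check for the two conditions raised in this thread, as an added example that is not part of the original messages and is not Samba or OpenLDAP code: it reads smb.conf and slapd.conf text and reports whether `ldap passwd sync` is consistent with an uncommented `moduleload smbk5pwd` line. The function names and finding labels are hypothetical; the smb.conf sample is the excerpt quoted above, and the slapd.conf line is the one the reply quotes.

```python
import re

# smb.conf excerpt as quoted in the thread; slapd.conf line as quoted in the reply.
THREAD_SMB_CONF = """\
passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
ldap ssl = no
ldap admin dn = uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
ldap suffix = o=Morrison Industries,c=US
ldapsam:trusted = yes
ldap passwd sync = Yes
"""
THREAD_SLAPD_CONF = "#moduleload smbk5pwd\n"

def smb_param(conf_text, name):
    """Last value of a [global] smb.conf parameter, or None if unset."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()  # names ignore case and spaces
    section, value = "global", None  # a bare excerpt is treated as [global]
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
            continue
        key, sep, val = line.partition("=")
        if sep and section == "global" and norm(key) == norm(name):
            value = val.strip()
    return value

def overlay_loaded(slapd_text, module="smbk5pwd"):
    """True if slapd.conf has an uncommented 'moduleload <module>' line."""
    for line in slapd_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "moduleload":
            if parts[1].rsplit("/", 1)[-1].split(".")[0] == module:
                return True
    return False

def assess(smb_text, slapd_text):
    """Return (sync value, overlay present, hypothetical finding label)."""
    sync = (smb_param(smb_text, "ldap passwd sync") or "no").lower()
    overlay = overlay_loaded(slapd_text)
    if overlay and sync != "only":
        finding = "set-sync-only"           # overlay case from the thread
    elif not overlay and sync == "yes":
        finding = "check-userpassword-acl"  # admin dn must reach userPassword
    else:
        finding = "ok"
    return sync, overlay, finding

if __name__ == "__main__":
    print(assess(THREAD_SMB_CONF, THREAD_SLAPD_CONF))
```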


