[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

Thierry Lacoste lacoste at miage.univ-paris12.fr
Fri May 1 00:07:47 GMT 2009


On 1 mai 09, at 01:45, John Du wrote:

> David Markey wrote:
>> John Du wrote:
>>
>>> David Markey wrote:
>>>
>>>> I would imagine that you'll need to re-jig your ACLs in slapd.conf,
>>>>
>>>> Please supply logs.
>>>>
>>>>
>>> Thank you very much.
>>>
>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
>>> and UNIX password.  If the problem is ACL related, wouldn't I have the
>>> same problem with this tool?
>>>
>>> When samba changes passwords, does the process run as root or as the
>>> user making the passwords change?
>>>
>>
>> If you're using smbldap-passwd and unix password sync, it's done as
>> root. ldap passwd sync is done as the LDAP dn that you've configured in
>> smb.conf. It's much preferable to use ldap passwd sync.
>>
>>
> I did not make myself clear. When I say I can use smbldap-passwd to
> change password, I mean I can run the tool from the command line as
> root.  If I use smbldap-passwd and unix passwd sync in smb.conf, I
> get a "you do not have permission to change password" message when
> attempting to change password.
>
> So at this time I am still using ldap passwd sync in smb.conf and
> that is when it only changes the Windows password.
>
> Does the userPassword attribute require different ACL than
> sambaNTPassword?  Also the dn I put in smb.conf is the root DN of
> the LDAP database.

That's weird. The root DN has complete access to the DB (ACLs do not
apply to it).
However, maybe you can definitely rule out an ACL problem by putting
'access to * by * write' as your first backend specific ACL and test.
If you have the same problem with this setting then it is not ACL related.

Regards,
Thierry
>
>
> Thanks!
>
>>
>>> Thanks again.
>>>
>>>> John Du wrote:
>>>>
>>>>> John Du wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have been running Samba with OpenLDAP for a few years.  We
>>>>>> recently upgraded the OpenLDAP server from 2.2.13 to 2.4.11.
>>>>>>
>>>>>> When users change their passwords now, only the Windows password
>>>>>> is changed; the UNIX password is not changed anymore.  Samba server
>>>>>> does not log any errors.  The samba configuration file did not
>>>>>> change when the LDAP server was upgraded.
>>>>>>
>>>>>> I do have "ldap passwd sync =Yes" in smb.conf and it used to work
>>>>>> fine.
>>>>>>
>>>>>> Has anyone seen this?
>>>>>>
>>>>>> If I use
>>>>>>
>>>>>> unix password sync = Yes
>>>>>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>>>>>> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
>>>>>>
>>>>>> instead of "ldappasswd sync", what access control do I have to add
>>>>>> to the slapd.conf file?
>>>>>>
>>>>>> Thank you very much for your help!
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel
>>>>> 2.6.9-42.0.2.
>>>>>
>>>>
>>
>>
>>
>
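
Where the test rule from Thierry's reply sits in slapd.conf, as an added example that is not part of the original thread. The suffix, rootdn and the narrower ACLs are placeholder assumptions; slapd applies the first `access to` clause that matches, so the wide-open rule has to come first to take effect and has to come back out once the test is done.

```conf
# Added example (fragment); suffix, rootdn and the rules below the test
# rule are constructed placeholders, not the poster's slapd.conf.
database    bdb
suffix      "dc=example,dc=com"
# ACLs are never evaluated for the rootdn.
rootdn      "cn=Manager,dc=example,dc=com"

# --- TEMPORARY test rule ---------------------------------------------
# The first matching "access to" clause wins, so placed first this
# shadows every rule below. It lets any client, including anonymous
# binds, write every attribute: restart slapd, retry the password
# change, then delete this line and restart again.
access to * by * write

# --- Normal rules (shadowed while the test rule is present) ----------
# Password attributes: the owner may change them, anonymous clients may
# only authenticate against them, nobody else can read the hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none

# Everything else is readable. Each clause ends with an implicit
# "by * none" for identities that matched no "by" line.
access to *
    by * read
```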