[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded
David Markey
dmarkey at dodds.dmarkey.com
Sat May 2 10:01:33 GMT 2009
2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
ldap password change requested, but LDAP server does not support it --
ignoring
1st, are the ldap libraries samba is compiled with the same as the ldap
server?
2nd, possibly change
password-hash {CRYPT}
to
password-hash {SSHA}
I'm not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}
John Du wrote:
> David Markey wrote:
>> John Du wrote:
>>
>>> David Markey wrote:
>>>
>>>> John Du wrote:
>>>>
>>>>
>>>>> David Markey wrote:
>>>>>
>>>>>
>>>>>> I would imagine that you'll need to re-jig your ACLs in slapd.conf,
>>>>>>
>>>>>> Please supply logs.
>>>>>>
>>>>>>
>>>>>>
>>>>> Thank you very much.
>>>>>
>>>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
>>>>> and UNIX password. If the problem is ACL related, wouldn't I have the
>>>>> same problem with this tool?
>>>>>
>>>>> When samba changes passwords, does the process run as root or as the
>>>>> user making the passwords change?
>>>>>
>>>>>
>>>> If you're using smbldap-passwd and unix password sync, it's done as
>>>> root. ldap passwd sync is done as the LDAP dn that you've configured in
>>>> smb.conf. It's much preferable to use ldap passwd sync.
>>>>
>>>>
>>>>
>>> I did not make myself clear. When I say I can use smbldap-passwd to
>>> change password, I mean I can run the tool from the command line as
>>> root. If I use smbldap-passwd and unix passwd sync in smb.conf, I
>>> get a "you do not have permission to change password" message when
>>> attempting to change password.
>>>
>>> So at this time I am still using ldap passwd sync in smb.conf and that
>>> is when it only changes the Windows password.
>>>
>>> Does the userPassword attribute require different ACL than
>>> sambaNTPassword? Also the dn I put in smb.conf is the root DN of the
>>> LDAP database.
>>>
>>>
>>
>> That is strange, LDAP password updates are done via EXOP, have you
>> defined a password hash in slapd.conf?
>>
>> Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf,
>> Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.
>>
>>
>>
>>
> My thanks to David and all who have responded to my questions. I have
> identified where and what the problem is but I am not sure it is a
> Samba problem or OpenLDAP problem.
>
> I am trying to give you a clear picture.
>
> 1. unix passwd sync works perfectly.
>
> I replaced "ldap passwd sync = Yes" with:
>
> unix password sync = Yes
> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
> passwd chat = "Changing UNIX password for*\nNew password*" %n\n
> "*Retype new password*" %n\n"
>
> No changes on the OpenLDAP side. Users can change their Windows and
> LDAP password correctly all the time.
>
> 2. ldap passwd sync = Yes does not change the LDAP password but it
> changes the Windows password OK.
>
> 2.1 OpenLDAP with some ACLs defined.
>
> When the OpenLDAP server has some ACLs defined, the samba server
> logs the following:
>
> 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
> ldap password change requested, but LDAP server does not support it
> -- ignoring
>
> The LDAP password is not changed.
>
> 2.2 When no ACLs are defined in slapd.conf.
>
> [2009/04/30 23:43:03, 10]
> lib/smbldap.c:smbldap_extended_operation(1525)
> Extended operation failed with error: 80 (Internal (implementation
> specific) error) (password hash failed)
> [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
> ldapsam_modify_entry: LDAP Password could not be changed for user
> johndu: Internal (implementation specific) error
> password hash failed
>
> Hash is defined in slapd.conf as follows:
>
> password-hash {CRYPT}
> password-crypt-salt-format $1$%.2s
>
> The Windows user will get a "the user name or old password is
> incorrect" message in this case.
>
> The LDAP root DN is used all the time everywhere.
>
> I can mail the complete log files to you if they can help you to
> determine the cause of the problem. There seem to be some
> compatibility issues between the LDAP server and the Samba server.
> Logically I think if the IDEALX tool works the samba server's internal
> LDAP functions should work as well.
>
> Let me know if you need any further information from me.
>
> Wish you all to have a good weekend!
>
> John
>
>>
>>
>>> Thanks!
>>>
>>>
>>>>
>>>>
>>>>
>>>>> Thanks again.
>>>>>
>>>>>
>>>>>> John Du wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> John Du wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have been running Samba with OpenLDAP for a few years. We
>>>>>>>> recently
>>>>>>>> upgraded the OpenLDAP server from 2.2.13 to 2.4.11.
>>>>>>>>
>>>>>>>> When users change their passwords now, only the Windows password is
>>>>>>>> changed; the UNIX password is not changed anymore. Samba server does
>>>>>>>> not log any errors. The samba configuration file did not change
>>>>>>>> when
>>>>>>>> the LDAP server was upgraded.
>>>>>>>>
>>>>>>>> I do have "ldap passwd sync =Yes" in smb.conf and it used to work
>>>>>>>> fine.
>>>>>>>>
>>>>>>>> Has anyone seen this?
>>>>>>>>
>>>>>>>> If I use
>>>>>>>>
>>>>>>>> unix password sync = Yes
>>>>>>>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>>>>>>>> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
>>>>>>>> new password*" %n\n"
>>>>>>>>
>>>>>>>> instead of "ldappasswd sync", what access control do I have to
>>>>>>>> add to
>>>>>>>> the slapd.conf file?
>>>>>>>>
>>>>>>>> Thank you very much for your help!
>>>>>>>>
>>>>>>>> John
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
>>>>>>> 2.6.9-42.0.2.
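Added example (not code from this thread, from Samba or from OpenLDAP): a small Python script illustrating the two pieces the reply above touches. The first part models how Samba 3 decides whether `ldap passwd sync` may use the RFC 3062 Password Modify extended operation: it reads the server's rootDSE and looks for OID 1.3.6.1.4.1.4203.1.11.1 in `supportedExtension`. If slapd's ACLs keep the configured bind DN from reading that attribute, the OID is never seen and Samba logs the "LDAP server does not support it" line quoted in the thread although slapd does implement the operation; that is my reading of the 2.1/2.2 split John reports, not something the thread states. The second part builds and verifies an OpenLDAP-style `{SSHA}` userPassword value, the storage format `password-hash {SSHA}` produces. The two rootDSE LDIF snippets are constructed for the example and the function names are my own.

```python
import base64
import hashlib
import hmac
import os

# OID of the LDAP Password Modify extended operation (RFC 3062).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed rootDSE entries (LDIF) for this example, not captured from a server.
# What a bind DN that may read the rootDSE sees:
ROOTDSE_FULL = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedLDAPVersion: 3
"""
# What the same bind DN sees when an ACL hides supportedExtension from it:
ROOTDSE_RESTRICTED = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedLDAPVersion: 3
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or continuation lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def supports_password_modify(rootdse_ldif):
    """Mirror Samba's pre-check: trust the exop only if the rootDSE we can read advertises it."""
    attrs = parse_ldif_entry(rootdse_ldif)
    return PASSWD_MODIFY_OID in attrs.get("supportedExtension", [])


def diagnose(rootdse_ldif):
    """Return the message Samba logs in this situation (quoted from the thread) or "ok"."""
    if not supports_password_modify(rootdse_ldif):
        return "ldap password change requested, but LDAP server does not support it -- ignoring"
    return "ok"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} userPassword value: base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slapd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(diagnose(ROOTDSE_FULL))
    print(diagnose(ROOTDSE_RESTRICTED))
    value = ssha_hash("example-password")
    print(value, ssha_verify("example-password", value))
```

Running the script prints "ok" for the full rootDSE and the thread's "does not support it" line for the restricted one, then a fresh `{SSHA}` value and `True` for its verification. An `ldapsearch -x -s base -b "" supportedExtension` as the bind DN from smb.conf is the real-world equivalent of the first check.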