[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

Harry Jede walk2sun at arcor.de
Sat May 2 12:06:54 GMT 2009


On Saturday, 2 May 2009 05:31, John Du wrote:
> David Markey wrote:
...
> My thanks to David and all who have responded to my questions.  I
> have identified where and what the problem is but I am not sure it is
> a Samba problem or OpenLDAP problem.
>
> I am trying to give you a clear picture.
>
> 1. unix passwd sync works perfectly.
>
> I replaced "ldap passwd sync = Yes" with:
>
>    unix password sync = Yes
>    passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>    passwd chat = "Changing UNIX password for*\nNew password*" %n\n
> "*Retype new password*" %n\n"
>
> No changes on the OpenLDAP side.  Users can change their Windows and
> LDAP password correctly all the time.
>
> 2. ldap passwd sync = Yes does not change the LDAP password but it
> changes the Windows password OK.
>
>    2.1  OpenLDAP with some ACLs defined.
>
>    When the OpenLDAP server has some ACLs defined,   the samba server
> logs the following:
>
>   2009/04/30 23:38:42, 2]
> passdb/pdb_ldap.c:ldapsam_modify_entry(1590) ldap password change
> requested, but LDAP server does not support it -- ignoring
>
>   The LDAP password is not changed.
>
>    2.2 When no ACLs  are defined in slapd.conf.
>
>    [2009/04/30 23:43:03, 10]
> lib/smbldap.c:smbldap_extended_operation(1525) Extended operation
> failed with error: 80 (Internal (implementation specific) error)
> (password hash failed)
>   [2009/04/30 23:43:03, 0]
> passdb/pdb_ldap.c:ldapsam_modify_entry(1651) ldapsam_modify_entry:
> LDAP Password could not be changed for user johndu: Internal
> (implementation specific) error
>         password hash failed
>
> Hash is defined in slapd.conf as follows:
>
> password-hash {CRYPT}
> password-crypt-salt-format $1$%.2s
# if crypt, then with MD5
password-crypt-salt-format '$1$%.8s'

> The Windows user will get a "the user name or old password is
> incorrect" message in this case.
>
> The LDAP root DN is used all the time everywhere.
>
> I can mail the complete log files to you if they can help you to
> determine the cause of the problem.  There seems to be some
> compatibility issues between the LDAP server and the Samba server.
> Logically I think if the IDEALX tool works the samba server's
> internal LDAP functions should work as well.
>
> Let me know if you need any further information from me.
>
> Wish you all to have a good weekend!
>
> John

-- 

Regards
	Harry Jede
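
The two salt formats in this thread (`$1$%.2s` in the quoted slapd.conf, `$1$%.8s` in the reply), compared in an added example that is not part of the original message. Per slapd.conf(5), the value is a sprintf(3) format whose single `%s` is filled from a 31-character random string over [A-Za-z0-9./]; the function names are illustrative, and the code only models that expansion without calling slapd or crypt(3).

```python
import re
import secrets

# Alphabet and default length that slapd.conf(5) documents for the random salt string.
SALT_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
DEFAULT_SALT_CHARS = 31
BITS_PER_CHAR = 6       # 64-symbol alphabet
MD5_CRYPT_MAX_SALT = 8  # MD5-crypt ($1$) uses at most 8 salt characters

CONVERSION = re.compile(r"%(?:\.(\d+))?s")  # "%s" or "%.Ns"


def expand_salt_format(fmt):
    """Return (salt string, number of random characters) for a salt format value."""
    found = list(CONVERSION.finditer(fmt))
    # Exactly one %s conversion is allowed; any other '%' is rejected here for simplicity.
    if len(found) != 1 or "%" in CONVERSION.sub("", fmt):
        raise ValueError("format must contain exactly one %s conversion")
    m = found[0]
    width = DEFAULT_SALT_CHARS
    if m.group(1) is not None:
        width = min(int(m.group(1)), DEFAULT_SALT_CHARS)  # precision truncates the string
    random_part = "".join(secrets.choice(SALT_ALPHABET) for _ in range(DEFAULT_SALT_CHARS))
    return fmt[:m.start()] + random_part[:width] + fmt[m.end():], width


def describe(fmt):
    """Summarise the scheme prefix and the salt entropy a format produces."""
    salt, width = expand_salt_format(fmt)
    md5 = salt.startswith("$1$")
    used = min(width, MD5_CRYPT_MAX_SALT) if md5 else width
    return {
        "format": fmt,
        "example_salt": salt,
        "scheme": "MD5-crypt" if md5 else "depends on the platform crypt(3)",
        "salt_chars": used,
        "salt_bits": used * BITS_PER_CHAR,
    }


if __name__ == "__main__":
    for fmt in ("$1$%.2s", "$1$%.8s"):  # the two values that appear in this thread
        print(describe(fmt))
```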

