[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

John Du jjohndu at gmail.com
Mon May 4 21:32:05 GMT 2009 

David Markey wrote:
>  2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
>  ldap password change requested, but LDAP server does not support it --
> ignoring
>
>
> 1st, are the ldap libraries samba is compiled with the same as the ldap
> server?
>
>
>   
The LDAP libraries on the Samba server are OpenLDAP 2.2 while the LDAP 
server is OpenLDAP 2.4   Are the  2.2 libraries supposed to work with 
the 2.4 server?

> 2nd, possibly change
> password-hash {CRYPT}
>
> to
>
> password-hash {SSHA}
>
> im not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}
>
>
>   
I will setup a test environment to further investigate the problem.  I 
do not want to mess up the production system. I'll update you with my 
findings.

Thanks!

>
>
>
>
>
> John Du wrote:
>
>   
>> David Markey wrote:
>>     
>>> John Du wrote:
>>>   
>>>       
>>>> David Markey wrote:
>>>>     
>>>>         
>>>>> John Du wrote:
>>>>>  
>>>>>       
>>>>>           
>>>>>> David Markey wrote:
>>>>>>    
>>>>>>         
>>>>>>             
>>>>>>> I would imagine that you'll need to re-jig your ACLs in slapd.conf,
>>>>>>>
>>>>>>> Please supply logs.
>>>>>>>
>>>>>>>         
>>>>>>>           
>>>>>>>               
>>>>>> Thank you very much.
>>>>>>
>>>>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
>>>>>> and UNIX password.  If the problem is ACL related, wouldn't I have the
>>>>>> same problem with this tool?
>>>>>>
>>>>>> When samba changes passwords, does the process run as root or as the
>>>>>> user making the passwords change?
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> If you're using smbldap-passwd and unix password sync, it's done as
>>>>> root. ldap passwd sync is done as the LDAP dn that you've configured in
>>>>> smb.conf. It's much preferable to use ldap passwd sync.
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>> I did not make myself clear. When I say I can use  smbldap-passwd to
>>>> change password, I mean I can run the tool from the command line as
>>>> root.  If I use smbldap-passwd  and unix passwd sync in smb.conf, I
>>>> get a "you do not have permission to change password" message when
>>>> attempting to change password.
>>>>
>>>> So at this time I am still using ldap passwd sync in smb.conf and that
>>>> is when it only changes the Windows password.
>>>>
>>>> Does the userPassword attribute require different ACL than
>>>> sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
>>>> LDAP database.
>>>>
>>>>     
>>>>         
>>> That is strange, LDAP password updates are done via EXOP, have you
>>> defined a password hash in slapd.conf?
>>>
>>> Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf,
>>> Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.
>>>
>>>
>>>
>>>   
>>>       
>> My thanks to David and all who have responded to my questions.  I have
>> identified where and what the problem is but I am not sure it is a
>> Samba problem or OpenLDAP problem.
>>
>> I am trying to give you a clear picture.
>>
>> 1. unix passwd sync works perfectly.
>>
>> I replaced "ldap passwd sync = Yes" with:
>>
>>    unix password sync = Yes
>>    passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>>    passwd chat = "Changing UNIX password for*\nNew password*" %n\n
>> "*Retype new password*" %n\n"
>>
>> No changes on the OpenLDAP side.  Users can change their Windows and
>> LDAP password correctly all the time.
>>
>> 2. ldap passwd sync = Yes does not change the LDAP password but it
>> changes the Windows password OK. 
>>
>>    2.1  OpenLDAP with some ACLs defined.
>>    
>>    When the OpenLDAP server has some ACLs defined,   the samba server
>> logs the following:
>>
>>   2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
>>   ldap password change requested, but LDAP server does not support it
>> -- ignoring
>>  
>>   The LDAP password is not changed.
>>
>>    2.2 When no ACLs  are defined in slapd.conf.
>>
>>    [2009/04/30 23:43:03, 10]
>> lib/smbldap.c:smbldap_extended_operation(1525)
>>    Extended operation failed with error: 80 (Internal (implementation
>> specific) error) (password hash failed)
>>   [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
>>   ldapsam_modify_entry: LDAP Password could not be changed for user
>> johndu: Internal (implementation specific) error
>>         password hash failed
>>
>> Hash is defined in slapd.conf as follows:
>>
>> password-hash {CRYPT}
>> password-crypt-salt-format $1$%.2s
>>
>> The Windows user will get a "the user name or old password is
>> incorrect" message in this case.
>>    
>> The LDAP root DN is used all the time everywhere.
>>
>> I can mail the complete log files to you if they can help you to
>> determine the cause of the problem.  There seems to be some
>> compatibility issues between the LDAP server and the Samba server. 
>> Logically I think if the IDEALX tool works the samba server's internal
>> LDAP functions should work as well.
>>
>> Let me know if you any further information from me.
>>
>> Wish you all to have a good weekend!
>>
>> John
>>
>>     
>>>   
>>>       
>>>> Thanks!
>>>>
>>>>     
>>>>         
>>>>>  
>>>>>  
>>>>>       
>>>>>           
>>>>>> Thanks again.
>>>>>>    
>>>>>>         
>>>>>>             
>>>>>>> John Du wrote:
>>>>>>>  
>>>>>>>      
>>>>>>>           
>>>>>>>               
>>>>>>>> John Du wrote:
>>>>>>>>           
>>>>>>>>             
>>>>>>>>                 
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have been running Samba with OpenLDAP for a few years.  We
>>>>>>>>> recently
>>>>>>>>> upgrade the OpenLDAP server from 2.2.13 to 2.4.11.
>>>>>>>>>
>>>>>>>>> When users change their passwords now, only the Windows password is
>>>>>>>>> changed the UNIX password is not changed anymore.  Samba server does
>>>>>>>>> not log any errors   The samba configuration file did not change
>>>>>>>>> when
>>>>>>>>> the LDAP server was upgraded.
>>>>>>>>>
>>>>>>>>> I do have "ldap passwd sync =Yes" in smb.conf and it used to work
>>>>>>>>> fine.
>>>>>>>>>
>>>>>>>>> Has anyone seen this?
>>>>>>>>>
>>>>>>>>> If I use
>>>>>>>>>
>>>>>>>>> unix password sync = Yes
>>>>>>>>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>>>>>>>>> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
>>>>>>>>> new password*" %n\n"
>>>>>>>>>
>>>>>>>>> instead of "ldappasswd sync", what access control do I have to
>>>>>>>>> add to
>>>>>>>>> the slapd.conf file?
>>>>>>>>>
>>>>>>>>> Thank you very much for your help!
>>>>>>>>>
>>>>>>>>> John
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                 
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>> I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel
>>>>>>>> 2.6.9-42.0.2.
>>>>>>>>             
>>>>>>>>             
>>>>>>>>                 
>>>>>>>         
>>>>>>>           
>>>>>>>               
>>>>>   
>>>>>       
>>>>>           
>>>   
>>>       
>
>
>

More information about the samba mailing list