[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded
John Du
jjohndu at gmail.com
Mon May 4 21:32:05 GMT 2009
David Markey wrote:
> 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
> ldap password change requested, but LDAP server does not support it --
> ignoring
>
>
> 1st, are the ldap libraries samba is compiled with the same as the ldap
> server?
>
>
>
The LDAP libraries on the Samba server are OpenLDAP 2.2 while the LDAP
server is OpenLDAP 2.4. Are the 2.2 libraries supposed to work with
the 2.4 server?
> 2nd, possibly change
> password-hash {CRYPT}
>
> to
>
> password-hash {SSHA}
>
> I'm not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}
>
>
>
I will set up a test environment to further investigate the problem. I
do not want to mess up the production system. I'll update you with my
findings.
Thanks!
>
>
>
>
>
> John Du wrote:
>
>
>> David Markey wrote:
>>
>>> John Du wrote:
>>>
>>>
>>>> David Markey wrote:
>>>>
>>>>
>>>>> John Du wrote:
>>>>>
>>>>>
>>>>>
>>>>>> David Markey wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I would imagine that you'll need to re-jig your ACLs in slapd.conf,
>>>>>>>
>>>>>>> Please supply logs.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Thank you very much.
>>>>>>
>>>>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
>>>>>> and UNIX password. If the problem is ACL related, wouldn't I have the
>>>>>> same problem with this tool?
>>>>>>
>>>>>> When samba changes passwords, does the process run as root or as the
>>>>>> user making the passwords change?
>>>>>>
>>>>>>
>>>>>>
>>>>> If you're using smbldap-passwd and unix password sync, it's done as
>>>>> root. ldap passwd sync is done as the LDAP dn that you've configured in
>>>>> smb.conf. It's much preferable to use ldap passwd sync.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> I did not make myself clear. When I say I can use smbldap-passwd to
>>>> change password, I mean I can run the tool from the command line as
>>>> root. If I use smbldap-passwd and unix passwd sync in smb.conf, I
>>>> get a "you do not have permission to change password" message when
>>>> attempting to change password.
>>>>
>>>> So at this time I am still using ldap passwd sync in smb.conf and that
>>>> is when it only changes the Windows password.
>>>>
>>>> Does the userPassword attribute require different ACL than
>>>> sambaNTPassword? Also the dn I put in smb.conf is the root DN of the
>>>> LDAP database.
>>>>
>>>>
>>>>
>>> That is strange, LDAP password updates are done via EXOP, have you
>>> defined a password hash in slapd.conf?
>>>
>>> Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf.
>>> Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.
>>>
>>>
>>>
>>>
>>>
>> My thanks to David and all who have responded to my questions. I have
>> identified where and what the problem is but I am not sure it is a
>> Samba problem or OpenLDAP problem.
>>
>> I am trying to give you a clear picture.
>>
>> 1. unix passwd sync works perfectly.
>>
>> I replaced "ldap passwd sync = Yes" with:
>>
>> unix password sync = Yes
>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>> passwd chat = "Changing UNIX password for*\nNew password*" %n\n
>> "*Retype new password*" %n\n"
>>
>> No changes on the OpenLDAP side. Users can change their Windows and
>> LDAP password correctly all the time.
>>
>> 2. ldap passwd sync = Yes does not change the LDAP password but it
>> changes the Windows password OK.
>>
>> 2.1 OpenLDAP with some ACLs defined.
>>
>> When the OpenLDAP server has some ACLs defined, the samba server
>> logs the following:
>>
>> 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
>> ldap password change requested, but LDAP server does not support it
>> -- ignoring
>>
>> The LDAP password is not changed.
>>
>> 2.2 When no ACLs are defined in slapd.conf.
>>
>> [2009/04/30 23:43:03, 10]
>> lib/smbldap.c:smbldap_extended_operation(1525)
>> Extended operation failed with error: 80 (Internal (implementation
>> specific) error) (password hash failed)
>> [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
>> ldapsam_modify_entry: LDAP Password could not be changed for user
>> johndu: Internal (implementation specific) error
>> password hash failed
>>
>> Hash is defined in slapd.conf as follows:
>>
>> password-hash {CRYPT}
>> password-crypt-salt-format $1$%.2s
>>
>> The Windows user will get a "the user name or old password is
>> incorrect" message in this case.
>>
>> The LDAP root DN is used all the time everywhere.
>>
>> I can mail the complete log files to you if they can help you to
>> determine the cause of the problem. There seems to be some
>> compatibility issues between the LDAP server and the Samba server.
>> Logically I think if the IDEALX tool works the samba server's internal
>> LDAP functions should work as well.
>>
>> Let me know if you need any further information from me.
>>
>> Wish you all to have a good weekend!
>>
>> John
>>
>>
>>>
>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Thanks again.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> John Du wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> John Du wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have been running Samba with OpenLDAP for a few years. We
>>>>>>>>> recently upgraded the OpenLDAP server from 2.2.13 to 2.4.11.
>>>>>>>>>
>>>>>>>>> When users change their passwords now, only the Windows password is
>>>>>>>>> changed; the UNIX password is not changed anymore. Samba server does
>>>>>>>>> not log any errors. The samba configuration file did not change
>>>>>>>>> when the LDAP server was upgraded.
>>>>>>>>>
>>>>>>>>> I do have "ldap passwd sync =Yes" in smb.conf and it used to work
>>>>>>>>> fine.
>>>>>>>>>
>>>>>>>>> Has anyone seen this?
>>>>>>>>>
>>>>>>>>> If I use
>>>>>>>>>
>>>>>>>>> unix password sync = Yes
>>>>>>>>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>>>>>>>>> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
>>>>>>>>> new password*" %n\n"
>>>>>>>>>
>>>>>>>>> instead of "ldappasswd sync", what access control do I have to
>>>>>>>>> add to
>>>>>>>>> the slapd.conf file?
>>>>>>>>>
>>>>>>>>> Thank you very much for your help!
>>>>>>>>>
>>>>>>>>> John
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
>>>>>>>> 2.6.9-42.0.2.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>
>
>
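An added example, not part of the thread and not Samba's own code: a small Python triage script that groups Samba 3.x log entries and flags the two `ldap passwd sync` failures quoted above, where the Windows password changes but `userPassword` does not. The sample log is rebuilt from the excerpts in the thread (unwrapped to one header line per entry); the function names and the labels `exop-skipped` and `hash-failed` are made up for this example.

```python
import re

# Header of a Samba 3.x log entry: "[date time, level] file:function(line)".
# The leading "[" is optional because one excerpt in the thread lacks it.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(\S*)")

# Message fragments quoted in the thread, mapped to labels made up for this example.
SIGNATURES = [
    # Samba skipped the password-change exop, so userPassword keeps the old value.
    ("LDAP server does not support it", "exop-skipped"),
    # The exop reached slapd, which failed while hashing the new password.
    ("password hash failed", "hash-failed"),
]

# Sample log rebuilt from the excerpts in the thread, one header line per entry.
SAMPLE = """\
[2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
  ldap password change requested, but LDAP server does not support it -- ignoring
[2009/04/30 23:43:03, 10] lib/smbldap.c:smbldap_extended_operation(1525)
  Extended operation failed with error: 80 (Internal (implementation specific) error) (password hash failed)
[2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user johndu: Internal (implementation specific) error
  password hash failed
"""

def parse_entries(text):
    """Group log text into (timestamp, level, location, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif entries:
            # Continuation lines belong to the most recent header.
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_sync_failures(text):
    """Return sorted unique (timestamp, label) pairs for failed LDAP password updates."""
    hits = set()
    for ts, _level, _loc, msg in parse_entries(text):
        for needle, label in SIGNATURES:
            if needle in msg:
                hits.add((ts, label))
    return sorted(hits)

if __name__ == "__main__":
    for ts, label in find_sync_failures(SAMPLE):
        print(ts, label)
```

The first message is written at debug level 2 (the number after the timestamp), so it only shows up when `log level` in smb.conf is 2 or higher.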