[Samba] Changing Password on LDAP PDC with external script returns 'username or old password is incorrect'

Nicholas Baldridge nbaldridge at commund.com
Mon Feb 15 11:51:11 MST 2010

Greetings list!  My issue:

Samba version : 3.4.5

OS : Ubuntu Karmic

I have Samba configured as a PDC with an LDAP (OpenLDAP with smbldap 
tools) backend.

We have our PDC set up (with smbldap-tools) to expire passwords every 45 
days.  For quite some time this worked very well.  Recently though, two 
things have happened that have changed our situation.

1) Using the setting ldap passwd sync = yes would no longer change the 
sambaLMPassword - in fact, it would remove the entry from LDAP altogether!
2) I wrote a python wrapper script that would change LDAP and Kerberos 
(MIT) passwords at the same time.

     I turned ldap passwd sync = no and change unix password sync = yes.

     I ensured that the proper passwd chat was set.

     This had the (other) peculiar effect of changing the LDAP and 
Kerberos passwords properly, but gives the users (Windows XP) an error 
that the Username or Old Password is Incorrect.
     If a user presses OK to that error message, then cancel:
         1) 1/2 the time it will allow the user into the system, 
apparently under cached credentials, because the user becomes locked out 
once network drives are mapped.
         2) The other 1/2, they are brought back to the 'Press 
Ctrl+Alt+Del to begin' screen.

I have tried:
1) changing encrypt passwords to false, which causes everything to die.
2) Changing ldap passwd sync to no, and unix passwd sync to yes, which 
causes the weird behavior above
3) Changing ldap passwd sync to no, and unix passwd sync to no, and 
setting pam passwd sync to yes - this gives the users the error that 
they don't have permission to change their passwords (no custom PAM 
configuration outside of enabling Kerberos and LDAP.  All Unix password 
changes happen on the main auth server currently through the 
aforementioned python script).
4) Cranking up the debug level and adding passwd chat debug statements - 
this showed me that the chat was getting called, but not much else that 
I could see.

     I've been having this problem for some months now, going back to 
3.2.something.  Trying to turn on passwd chat debug in 3.4.5 does not 
give me the output it used to.

For now, my workaround is to let my users know that it is a problem, 
then unlock and reset their passwords manually every time their password 

I can post whatever information is necessary - just let me know what you 

Thank you in advance,
