[Samba] Changing Password on LDAP PDC with external script returns 'username or old password is incorrect'
Nicholas Baldridge
nbaldridge at commund.com
Mon Feb 15 11:51:11 MST 2010
Greetings list! My issue:
Samba version : 3.4.5
OS : Ubuntu Karmic
I have Samba configured as a PDC with an LDAP (OpenLDAP with smbldap
tools) backend.
We have our PDC set up (with smbldap-tools) to expire passwords every 45
days. For quite some time this worked very well. Recently though, two
things have happened that have changed our situation.
1) Using the setting ldap passwd sync = yes would no longer change the
sambaLMPassword - in fact, it would remove the entry from LDAP altogether!
2) I wrote a python wrapper script that would change LDAP and Kerberos
(MIT) passwords at the same time.
I turned ldap passwd sync = no and change unix password sync = yes.
I ensured that the proper passwd chat was set.
This had the (other) peculiar effect of changing the LDAP and
Kerberos passwords properly, but gives the users (Windows XP) an error
that the Username or Old Password is Incorrect.
If a user presses OK to that error message, then cancel:
1) 1/2 the time it will allow the user into the system,
apparently under cached credentials, because the user becomes locked out
once network drives are mapped.
2) The other 1/2, they are brought back to the 'Press
Ctrl+Alt+Del to begin' screen.
I have tried:
1) changing encrypt passwords to false, which causes everything to die.
2) Changing ldap passwd sync to no, and unix passwd sync to yes, which
causes the weird behavior above.
3) Changing ldap passwd sync to no, and unix passwd sync to no, and
setting pam passwd sync to yes - this gives the users the error that
they don't have permission to change their passwords (no custom PAM
configuration outside of enabling Kerberos and LDAP). All Unix password
changes happen on the main auth server currently through the
aforementioned python script.
4) Cranking up the debug level and adding passwd chat debug statements -
this showed me that the chat was getting called, but not much else that
I could see.
I've been having this problem for some months now, going back to
3.2.something. Trying to turn on passwd chat debug in 3.4.5 does not
give me the output it used to.
For now, my workaround is to let my users know that it is a problem,
then unlock and reset their passwords manually every time their password
expires.
I can post whatever information is necessary - just let me know what you
need.
Thank you in advance,
-Nick
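The post names the settings involved (unix password sync, passwd program, passwd chat) without showing what the wrapper script has to say back to Samba. Below is an added illustration, not the poster's script and not Samba's own code: a minimal POSIX sh wrapper that speaks the prompt sequence Samba's default passwd chat expects (assumed here to be `*new*password* %n\n *new*password* %n\n *changed*`) and reports success with a "changed" line and a zero exit status. The smb.conf lines in the header comment, the `/usr/local/sbin/sync-passwd` path and the `update_backends` hook are assumptions; a real deployment would put the LDAP and Kerberos updates inside that hook. If the chat does not complete as expected, or the program exits non-zero, Samba reports the change as failed to the client even when the backend update itself went through, which is one reason to check both the prompt wording and the exit status of a wrapper when the Windows side says the password change failed.

```shell
#!/bin/sh
# Constructed example of a "passwd program" wrapper for Samba's unix password sync.
# Assumed smb.conf (assumption, not from the post):
#   unix password sync = yes
#   ldap passwd sync   = no
#   passwd program     = /usr/local/sbin/sync-passwd --chat %u
#   passwd chat        = *new*password* %n\n *new*password* %n\n *changed*
# Samba runs this as root, sends the new password on stdin for each
# "*new*password*" prompt and waits for a line matching "*changed*".

set -u

# Hypothetical backend hook: in a real wrapper this is where the LDAP and
# Kerberos updates go. Here it only rejects an empty user name so the
# failure path of the chat can be exercised.
update_backends() {
    user=$1
    pass=$2
    [ -n "$user" ] || return 1
    return 0
}

# Drives the chat: prints the prompts Samba matches, reads the answers Samba
# sends, and prints "password changed" only on success. The exit status is
# part of the contract too: non-zero makes Samba treat the change as failed.
run_chat() {
    user=$1
    printf 'New password: '
    IFS= read -r p1 || return 1
    printf 'Retype new password: '
    IFS= read -r p2 || return 1
    if [ -z "$p1" ] || [ "$p1" != "$p2" ]; then
        printf 'Sorry, passwords do not match.\n'
        return 1
    fi
    if update_backends "$user" "$p1"; then
        printf 'password changed\n'
        return 0
    fi
    printf 'password change failed\n'
    return 1
}

# Entry point used by smb.conf; running the file with no arguments does nothing.
case "${1-}" in
    --chat) shift; run_chat "$1" ;;
esac
```

To exercise it by hand, pipe the two password lines into `sync-passwd --chat <user>` and check `$?` together with the last line printed; both must be what the passwd chat string expects before Samba will tell the client the change succeeded.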