[Samba] pam_smbldap problem
johnm at advocap.org
Wed Feb 15 13:17:34 MST 2012
Have a Samba PDC using smbldap etc.
In my test setup the Samba server is a BDC, as the PDC is a crucial service.
Running Debian squeeze with Samba 3.5.6.
Working on getting PAM to keep the LDAP and Windows passwords in sync.
Have been using smbldap-passwd with some added password tests to change them;
in the auth part of PAM the migrate works with pam_smbldap.
smbclient -L localhost authenticates OK.
If I use no SSL or TLS for LDAP connections in smb.conf,
passwd will change the Windows password.
If the connection to the master LDAP server uses SSL or TLS I get this error:
Feb 15 13:21:51 nfondy passwd: pam_smbpass(passwd:chauthtok): Cannot access samba password database, not running as root.
Again, it works without TLS or SSL.
# here are the per-package modules (the "Primary" block)
password requisite pam_passwdqc.so
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_smbpass.so nullok use_authtok use_first_pass debug
# end of pam-auth-update config
# I clearly do not know what to put in for ldap debug
ldap debug level = 280
ldap debug threshold = 280
# ldap ssl = start tls
ldap ssl = off
ldap follow referral = auto
ldap ssl ads = no
# next to avoid nss
ldapsam:trusted = Yes
guest account = winguest
#client lanman auth = no
client ntlmv2 auth = yes
guest account = nobody
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = ADVOCAP
netbios name = NFONDY
# server string is the equivalent of the NT Description field
server string = Fondulac Server
#normally will use second line. just using one to debug
passdb backend = ldapsam:"ldaps://mstldap.advocap.org"
# passdb backend = ldapsam:"ldap://fonldap.advocap.org
#log level = 9
syslog = 0
log file = /var/log/samba/log.%m
max log size = 50
# next changes 4/4/2011
#smb ports = 139 445
smb ports = 139
time server = Yes
# block from examples
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# shutdown script = /var/lib/samba/scripts/shutdown.sh
# abort shutdown script = /sbin/shutdown -c
logon path = \\%L\profiles\%U
logon drive = X:
preferred master = No
wins support = Yes
ldap suffix = dc=advocap,dc=org
ldap machine suffix = ou=machines
ldap user suffix = ou=People
ldap group suffix = ou=Group
# not running winbind
# ldap idmap suffix = ou=Idmap
ldap admin dn = cn=samba,ou=DSA,dc=advocap,dc=org
# idmap backend = ldap://mstldap.advocap.org
# idmap uid = 10000-20000
# idmap gid = 10000-20000
map acl inherit = Yes
printing = cups
load printers = yes
log file = /var/log/samba/smbd.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
encrypt passwords = yes
unix password sync = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 192.168.2.239 127.0.0.1
domain master = no
preferred master = no
domain logons = yes
logon script = %U.bat
name resolve order = wins bcast hosts
dns proxy = no
preserve case = yes
smb.conf is a bit of a mess as it's evolved over about 10 years :-(
I had been debugging by watching the LDAP traffic with Wireshark.
It works without TLS, and it's hard to debug with TLS on :-(
It does the same if I connect through the local LDAP server when it gets
referred to an ldaps connection.
To test, I changed the referral in slapd.conf to ldap:/./ and it worked.
Any suggestions on how to fix or debug?
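The password stack quoted in the post relies on jump controls (`[success=2 default=ignore]`) and an `optional` pam_smbpass at the end, and it is easy to misread which modules actually run on a given path. The simulator below is an added example, not code from the post, Samba or Linux-PAM: it implements the documented control semantics (required/requisite/sufficient/optional and the `success=N` / `default=` bracket form) just far enough to replay that stack. It assumes pam_deny always fails and pam_permit always succeeds, and it omits the special case where an `optional` module is the only one in the stack. The point it makes for this thread: pam_smbpass runs on every success path, but because it is `optional` its own failure (such as not being able to open the passdb) never changes the result passwd sees, so the syslog line is the only evidence that the Windows password was not updated.

```python
"""
Simulate how Linux-PAM walks the 'password' stack quoted in the post.

Added illustration, not Samba or Linux-PAM code: it implements the documented
control semantics just far enough to show which modules execute and what the
stack returns. The 'optional is the only module' special case is omitted.
"""
import re

# The password stack from the post, with the wrapped lines rejoined.
PAM_STACK = """
# here are the per-package modules (the "Primary" block)
password requisite pam_passwdqc.so
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000
# here's the fallback if no module succeeds
password requisite pam_deny.so
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_smbpass.so nullok use_authtok use_first_pass debug
"""

ENTRY_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")

# Classic keywords expressed in the bracket form Linux-PAM uses internally.
KEYWORD = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Modules whose result never depends on the user (assumed fixed results).
FIXED_RESULT = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}


def parse_stack(text):
    """Return [(control, module), ...] for every non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError("unparseable PAM line: " + line)
        _type, control, module, _args = match.groups()
        entries.append((control, module))
    return entries


def parse_control(control):
    """Turn 'requisite' or '[success=2 default=ignore]' into {result: action}."""
    if control in KEYWORD:
        return dict(KEYWORD[control])
    actions = {}
    for token in control.strip("[]").split():
        key, _, action = token.partition("=")
        actions[key] = action
    return actions


def run_stack(entries, results):
    """
    Walk the stack. `results` maps module -> "success" or a failure code
    (e.g. "auth_err"); unlisted modules succeed. Returns (final, executed).
    """
    executed = []
    final = None            # None: no module has contributed a result yet
    i = 0
    while i < len(entries):
        control, module = entries[i]
        result = results.get(module, FIXED_RESULT.get(module, "success"))
        executed.append(module)
        actions = parse_control(control)
        action = actions.get(result, actions.get("default", "ignore"))
        i += 1
        if action == "ignore":
            continue                      # result does not count at all
        if final in (None, "success"):    # the first failure is sticky
            final = result
        if action.isdigit():              # success=N: jump over N modules
            i += int(action)
        elif action in ("done", "die"):   # stop walking the stack
            break
        elif action not in ("ok", "bad"):
            raise ValueError("unsupported action: " + action)
    # Linux-PAM reports PAM_PERM_DENIED when nothing set a result, which is
    # why the post's stack carries pam_permit.so after the jumps.
    return (final if final is not None else "perm_denied", executed)


if __name__ == "__main__":
    stack = parse_stack(PAM_STACK)
    for label, outcome in [
        ("all modules succeed", {}),
        ("local password fails, LDAP succeeds", {"pam_unix.so": "auth_err"}),
        ("pam_smbpass cannot open the passdb", {"pam_smbpass.so": "system_err"}),
    ]:
        print(label, "->", run_stack(stack, outcome))
```

Feed `run_stack` a dictionary of constructed module results to see a path: with everything succeeding, pam_unix's `success=2` jumps over pam_ldap and pam_deny, so pam_permit and pam_smbpass still run; when both pam_unix and pam_ldap fail, pam_deny's `requisite` ends the stack before pam_smbpass is ever reached.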
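The smb.conf in the post assigns several parameters twice (`guest account`, `log file`, `max log size`, `preferred master`), and with a file that has grown over ten years it is worth knowing which value smbd actually applies before debugging the LDAP side. The checker below is an added example, not Samba's own parser or testparm: it reads a constructed excerpt of the post's global section, normalises parameter names the way Samba compares them (case and whitespace ignored; parameter synonyms are not handled), reports every duplicated assignment, and applies Samba's rule that the last assignment in file order wins. It also pulls out the LDAP transport settings that matter for the reported error: the `passdb backend` URI scheme and the `ldap ssl` value.

```python
"""
Report duplicated smb.conf parameters and the LDAP transport settings.

Added example, not Samba code. Assumes Samba's documented behaviour that a
parameter assigned twice takes its last value; parameter synonyms are ignored.
"""
import re
from collections import OrderedDict

# Constructed excerpt of the post's global section (values as posted).
SMB_CONF = """
[global]
   ldap ssl = off
   ldap follow referral = auto
   ldapsam:trusted = Yes
   guest account = winguest
   guest account = nobody
   passdb backend = ldapsam:"ldaps://mstldap.advocap.org"
   log file = /var/log/samba/log.%m
   max log size = 50
   log file = /var/log/samba/smbd.log
   max log size = 50
   preferred master = No
   preferred master = no
   unix password sync = No
"""


def normalize(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: [(param, value), ...]} keeping every assignment in order."""
    sections = OrderedDict()
    current = "global"          # assignments before any header belong to [global]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" not in line:
            raise ValueError("unparseable smb.conf line: " + raw)
        name, _, value = line.partition("=")
        sections.setdefault(current, []).append((normalize(name), value.strip()))
    return sections


def find_duplicates(sections):
    """Return {section: {param: [values...]}} for parameters assigned more than once."""
    dups = {}
    for section, pairs in sections.items():
        seen = {}
        for name, value in pairs:
            seen.setdefault(name, []).append(value)
        multi = {n: v for n, v in seen.items() if len(v) > 1}
        if multi:
            dups[section] = multi
    return dups


def effective(sections, section, param):
    """Samba applies assignments in file order, so the last one wins."""
    value = None
    for name, v in sections.get(section, []):
        if name == normalize(param):
            value = v
    return value


def ldap_transport(sections):
    """Summarise how smbd will reach the LDAP server from [global]."""
    backend = effective(sections, "global", "passdb backend") or ""
    uri = re.search(r'"?(ldaps?://[^"\s]+)"?', backend)
    return {
        "uri": uri.group(1) if uri else None,
        "ldaps": bool(uri and uri.group(1).startswith("ldaps://")),
        "ldap ssl": (effective(sections, "global", "ldap ssl") or "").lower(),
    }


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for section, params in find_duplicates(conf).items():
        for name, values in params.items():
            print(f"[{section}] {name}: {values} -> effective {values[-1]!r}")
    print(ldap_transport(conf))
```

Run it against the real file by replacing `SMB_CONF` with the file's contents; every duplicated parameter is printed with all of its values and the one smbd will use, which removes one source of confusion before turning on `ldap debug level`.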