[Samba] Password change

Rowland Penny rpenny at samba.org
Thu Apr 26 10:08:17 UTC 2018


On Thu, 26 Apr 2018 13:57:12 +1000
Robin G via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> I tried that but it didn't work.
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 9033b998
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=testdom
> olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=testdom" write by self write by * none
> olcAccess: {1}to attrs=shadowLastChange by self write by * read
> olcLastMod: TRUE
> 
> smb.conf
>         add user script = /usr/sbin/smbldap-useradd -m '%u'
>         delete user script = /usr/sbin/smbldap-userdel '%u'
>         add group script = /usr/sbin/smbldap-groupadd -p '%g'
>         delete group script = /usr/sbin/smbldap-groupdel '%g'
>         add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
>         delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
>         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>         passwd program = /usr/sbin/smbldap-passwd -u %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
> 
> I get the same message whatever I try, even using smbpasswd %u doesn't
> work. If I do ctrl+alt+del and put some rubbish entry in the existing
> password, it doesn't even tell me that the existing password is wrong.
> 

One problem (and Louis has already pointed this out) smbldap-tools
appears to be a dead project, so it is highly unlikely you will get
this fixed, if it is the culprit. 

The thing is, you have this: olcSuffix: dc=testdom

Are you using this in production, or is this just a test domain?
If it is a test domain, then can I suggest you replace it with a test
AD domain. If it is production, can I urge you to upgrade to an AD
domain.

It seems that either your LDAP setup is totally incorrect or your
Windows machines cannot talk to your LDAP server; I would go with the
latter.

Rowland


