[Samba] Password change
Rowland Penny
rpenny at samba.org
Thu Apr 26 10:08:17 UTC 2018
On Thu, 26 Apr 2018 13:57:12 +1000
Robin G via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> I tried that but didn't work.
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 9033b998
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=testdom
> olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=testdom" write by self write by * none
> olcAccess: {1}to attrs=shadowLastChange by self write by * read
> olcLastMod: TRUE
>
> smb.conf
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
>
> I get the same message whatever I try, even using smbpasswd %u doesn't
> work. If I do ctrl+alt+del and put some rubbish entry in the existing
> password, it doesn't even tell me that the existing password is wrong.
>
One problem (and Louis has already pointed this out) smbldap-tools
appears to be a dead project, so it is highly unlikely you will get
this fixed, if it is the culprit.
The thing is, you have this: olcSuffix: dc=testdom
Are you using this in production? Or is this just a test domain?
If it is a test domain, then can I suggest you replace it with a test
AD domain. If it is production, can I urge you to upgrade to an AD
domain.
It seems that either your LDAP setup is totally incorrect or your
Windows machines cannot talk to your LDAP server; I would go with the
latter.
Rowland