[Samba] Password change
Robin G
robinghere3 at gmail.com
Fri Apr 27 05:33:12 UTC 2018
Hi Rowland,
Thank you.
The actual production domain name is resolvs
The AD migration stage is still being tested and we need to get this
sorted to get a go ahead :)
I've managed to get rid of the message that comes up post the password
change, now it says the password has changed. Only issue is that it doesn't
actually change it. Tailing the /var/log/syslog gives the following
sladp [pid] Entry (uid=psmith,ou=users,ou=resolvs) , attribute
'userPassword; not allowed
entry failed schema check : attribute 'userPassword' not
allowed
The above comes up right at the time user is changing the password.
This seems to the crux of the issue.
The samba.ldif file was obtained from the 4.3.1 binaries as it is the
version of Samba that we have
sladp is version 2.4.2
-When we change the password using LDAP itself (php console) the user can
login with the new password.
- If try changing password using smbldap-tools it gives us user doesn't
exist.
- If we change using smbpasswd it gives us ( Please note we are using the
root to run this command)
WARNING: The "syslog" option is deprecated
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=RESOLVS))]
smbldap_open_connection: connection opened
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: psmith
init_ldap_from_sam: Setting entry for user: psmith
ldapsam_update_sam_account: successfully modified uid = psmith in the LDAP
database
Only that it doesn't.
Here is our smb.conf. We also tried removing all the bits about smldap and
used the editposix option
[global]
workgroup = RESOLVS
netbios name = DC1
security = USER
obey pam restrictions = yes
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
os level = 50
passdb backend = ldapsam:ldap://192.168.1.1
ldap admin dn = cn=admin,dc=resolvs
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 11000-12999
idmap config *: ldap_url = ldap://localhost/
idmap config *: ldap_base_dn = ou=idmap, dc=resolvs
idmap config *: ldap_user_dn = cn=admin,dc=resolvs
ldap password sync = yes
ldapsam:editposix = yes
ldapsam:trusted = yes
unix password sync = No
Have ran the smbpasswd -w ldappassword
olcSuffix: dc=resolves
olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=admin,dc=resolvs" write by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
Robin
On Thu, Apr 26, 2018 at 8:08 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 26 Apr 2018 13:57:12 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > I tried that but didn't work.
> > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > # CRC32 9033b998
> > dn: olcDatabase={1}hdb
> > objectClass: olcDatabaseConfig
> > objectClass: olcHdbConfig
> > olcDatabase: {1}hdb
> > olcDbDirectory: /var/lib/ldap
> > olcSuffix: dc=testdom
> > olcAccess: {0}to
> > attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by
> > dn="cn=admin,dc=testdom" write by self write by * none olcAccess:
> > {1}to attrs=shadowLastChange by self write by * read olcLastMod: TRUE
> >
> > smb.conf
> > add user script = /usr/sbin/smbldap-useradd -m '%u'
> > delete user script = /usr/sbin/smbldap-userdel '%u'
> > add group script = /usr/sbin/smbldap-groupadd -p '%g'
> > delete group script = /usr/sbin/smbldap-groupdel '%g'
> > add user to group script = /usr/sbin/smbldap-groupmod -m '%g'
> > '%u' delete user from group script = /usr/sbin/smbldap-groupmod -x
> > '%g' '%u'
> > add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> > set primary group script = /usr/sbin/smbldap-usermod -g '%g'
> > '%u' passwd program = /usr/sbin/smbldap-passwd -u %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
> >
> > I get the same message whatever I try, even using smbpasswd %u doesn't
> > work. If I do ctrl+alt+del and put some rubbish entry in the existing
> > password, it doesn't even tell me that the existing password is wrong.
> >
>
> One problem (and Louis has already pointed this out) smbldap-tools
> appears to be a dead project, so it is highly unlikely you will get
> this fixed, if it is the culprit.
>
> The thing is, you have this: olcSuffix: dc=testdom
>
> Are you using this in production ? or is this just a test domain ?
> If it is a test domain, then can I suggest you replace it with a test
> AD domain. If it is production, can I urge you to upgrade to an AD
> domain.
>
> It seems that either your ldap setup is totally incorrect or your
> windows machines cannot talk to your ldap server, I would go with the
> later.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list