[Samba] Password change

Robin G robinghere3 at gmail.com
Fri Apr 27 05:33:12 UTC 2018

Hi Rowland,

Thank you.

The actual production domain name is resolvs

The AD migration stage is still being tested  and we need to get this
sorted to get a go ahead :)
I've managed to get rid of the message that comes up post the password
change, now it says the password has changed. Only issue is that it doesn't
actually change it. Tailing the /var/log/syslog gives the following

sladp [pid]  Entry (uid=psmith,ou=users,ou=resolvs) , attribute
'userPassword; not allowed
                 entry failed schema check : attribute 'userPassword' not

The above comes up right at the time user is changing the password.

This seems to the crux of the issue.
The samba.ldif file was obtained from the 4.3.1 binaries as it is the
version of Samba that we have
sladp is version 2.4.2

-When we change the password using LDAP itself (php console) the user can
login with the new password.
- If try changing password using smbldap-tools it gives us user doesn't
- If we change using smbpasswd it gives us  ( Please note we are using the
root to run this command)
WARNING: The "syslog" option is deprecated
smbldap_search_domain_info: Searching
smbldap_open_connection: connection opened
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: psmith
init_ldap_from_sam: Setting entry for user: psmith
ldapsam_update_sam_account: successfully modified uid = psmith in the LDAP

Only that it doesn't.

Here is our smb.conf. We also tried removing all the bits about smldap and
used the editposix option

        workgroup = RESOLVS
        netbios name = DC1
        security = USER
        obey pam restrictions = yes
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        os level = 50
  passdb backend = ldapsam:ldap://
   ldap admin dn = cn=admin,dc=resolvs
  ldap suffix = dc=example,dc=com
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap config *: backend = ldap
  idmap config *: range = 11000-12999
  idmap config *: ldap_url = ldap://localhost/
  idmap config *: ldap_base_dn = ou=idmap, dc=resolvs
  idmap config *: ldap_user_dn = cn=admin,dc=resolvs
  ldap password sync = yes
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  unix password sync = No

Have ran the smbpasswd -w ldappassword

olcSuffix: dc=resolves

olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange

by dn="cn=admin,dc=resolvs" write by self write by * none

olcAccess: {1}to attrs=shadowLastChange by self write by * read


On Thu, Apr 26, 2018 at 8:08 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 26 Apr 2018 13:57:12 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
> > Hi Rowland,
> >
> > I tried that but didn't work.
> > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > # CRC32 9033b998
> > dn: olcDatabase={1}hdb
> > objectClass: olcDatabaseConfig
> > objectClass: olcHdbConfig
> > olcDatabase: {1}hdb
> > olcDbDirectory: /var/lib/ldap
> > olcSuffix: dc=testdom
> > olcAccess: {0}to
> > attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by
> > dn="cn=admin,dc=testdom" write by self write by * none olcAccess:
> > {1}to attrs=shadowLastChange by self write by * read olcLastMod: TRUE
> >
> > smb.conf
> >         add user script = /usr/sbin/smbldap-useradd -m '%u'
> >         delete user script = /usr/sbin/smbldap-userdel '%u'
> >         add group script = /usr/sbin/smbldap-groupadd -p '%g'
> >         delete group script = /usr/sbin/smbldap-groupdel '%g'
> >         add user to group script = /usr/sbin/smbldap-groupmod -m '%g'
> > '%u' delete user from group script = /usr/sbin/smbldap-groupmod -x
> > '%g' '%u'
> >         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> >         set primary group script = /usr/sbin/smbldap-usermod -g '%g'
> > '%u' passwd program = /usr/sbin/smbldap-passwd -u %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
> >
> > I get the same message whatever I try, even using smbpasswd %u doesn't
> > work. If I do ctrl+alt+del and put some rubbish entry in the existing
> > password, it doesn't even tell me that the existing password is wrong.
> >
> One problem (and Louis has already pointed this out) smbldap-tools
> appears to be a dead project, so it is highly unlikely you will get
> this fixed, if it is the culprit.
> The thing is, you have this: olcSuffix: dc=testdom
> Are you using this in production ? or is this just a test domain ?
> If it is a test domain, then can I suggest you replace it with a test
> AD domain. If it is production, can I urge you to upgrade to an AD
> domain.
> It seems that either your ldap setup is totally incorrect or your
> windows machines cannot talk to your ldap server, I would go with the
> later.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list