[Samba] ldbmodify sometimes fails when changing attribute "unicodePwd" depending on line order in LDIF file

Rowland Penny rpenny at samba.org
Mon Jul 4 15:01:16 UTC 2022

On Mon, 2022-07-04 at 12:38 +0000, Heil, Stefan via samba wrote:
> Dear list members,
> In our Samba-DC setup we have a shell-script which regularly adds /
> modifies / deletes user accounts by importing LDIF files with changes.
> The script runs directly on the Samba-DC, and has been serving our
> use-case well and without problems for the last 5+ years. Originally,
> this was deployed on an Ubuntu-18.04 system with Samba-4.7.6-Ubuntu,
> but we are currently preparing the migration to Debian (stable /
> Bullseye) which comes with Samba-4.13.13-Debian.
> While the initial deployment on Bullseye (done via Puppet) ran without
> modifications, the script that imports changes did not run anymore, if
> the LDIF file contains changes of the 'unicodePwd' attribute - but, as
> we later found out, ONLY if the lines in the LDIF file have a certain
> order.
> The below LDIF file can be imported without errors on Ubuntu-18.04
> with Samba-4.7.6:
> $ cat password.ldif
> # passwords
> dn:CN=username,OU=group,DC=domain,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> replace: pwdLastSet
> unicodepwd::B4ek4PI4I1IExnPVfZz+Ag==
> pwdLastSet:132868855091315424

You shouldn't have to set 'pwdLastSet', it should be done for you when
the password is changed, having said that, why are you doing it this
way? Wouldn't it be better to use samba-tool?
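
Added example, not part of the original thread: a Python check that a `changetype: modify` record follows the RFC 2849 layout, in which each `add:`/`delete:`/`replace:` line is followed by that attribute's own value lines and then a `-` separator line. The function name `lint_modify_record` and both sample records are constructed for illustration; the first has the same line order as the file quoted above, with placeholder values.

```python
import re

def lint_modify_record(ldif_text):
    """Return problems found in one 'changetype: modify' LDIF record."""
    # Drop comments and blank lines; folded (continuation) lines are not handled.
    lines = [l.rstrip() for l in ldif_text.splitlines()
             if l.strip() and not l.startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        return ["record does not start with a dn: line"]
    if len(lines) < 2 or lines[1].replace(" ", "").lower() != "changetype:modify":
        return ["second line is not 'changetype: modify'"]
    problems, current = [], None  # current = attribute of the open modification
    for line in lines[2:]:
        if line == "-":           # separator closes the open modification
            if current is None:
                problems.append("'-' with no open modification")
            current = None
            continue
        m = re.match(r"([A-Za-z0-9;.-]+):[:<]?\s*(.*)$", line)
        if not m:
            problems.append(f"unparseable line: {line!r}")
            continue
        name, value = m.group(1), m.group(2)
        if name.lower() in ("add", "delete", "replace"):
            if current is not None:
                problems.append(f"{line!r} begins before '-' closed {current}")
            current = value
        elif current is None:
            problems.append(f"value for {name} outside any modification")
        elif name.lower() != current.lower():
            problems.append(f"value for {name} inside modification of {current}")
    return problems  # a missing '-' after the last modification is not flagged

# Constructed samples (placeholder DN and values, not real credentials).
HEAD = "dn: CN=user,OU=group,DC=example,DC=com\nchangetype: modify\n"
STACKED = HEAD + ("replace: unicodePwd\nreplace: pwdLastSet\n"
                  "unicodePwd:: Q09OU1RSVUNURUQ=\npwdLastSet: 0\n")
SEPARATED = HEAD + ("replace: unicodePwd\nunicodePwd:: Q09OU1RSVUNURUQ=\n-\n"
                    "replace: pwdLastSet\npwdLastSet: 0\n-\n")

if __name__ == "__main__":
    for label, text in (("stacked", STACKED), ("separated", SEPARATED)):
        print(label, lint_modify_record(text) or "ok")
```

Running such a check over generated LDIF before import turns a parser-version difference into an explicit error in the provisioning script.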

