password syncing using pam when using ldap for system auth
Andrew Bartlett
abartlet at samba.org
Sat Jan 4 02:44:01 GMT 2003
On Sat, 2003-01-04 at 00:56, bryan hunt wrote:
>
> I am using samba and ldap.
> LDAP is used for linux login and imap authentication.
> Samba is used for domain login and file sharing.
>
> Everything is up and running with one exception
>
> When I try to do a password change from a Windows machine I
> get the following error (repeated about 8 times):
>
> [2003/01/02 18:51:48, 0] lib/util_sec.c:assert_gid(114)
> Failed to set gid privileges to (0,65534) now set to (0,-1) uid=(0,65534)
> [2003/01/02 18:51:48, 0] lib/util.c:smb_panic(1094)
> PANIC: failed to set gid
I would look into whether you have any groups with gid == -1, particularly
for the 'nobody' user. This could be causing a problem here.
> If I get rid of the password syncing option in the smb.conf
> the password gets changed with no problems, but with the
> pam password change = yes
> option set in the file the user password change fails.
I don't think this has any relation to the previous errors. Instead,
it's due to the way Samba changes passwords.
> I want to get the password syncing working because it would be
> cool for my users to have a single password for mail/unix stuff etc.
>
> Anyone encountered this before? I've done a lot of googling and searched
> the bugs database but nobody seems to have encountered this problem before.
>
> I can change a user's unix (ldap) password straight from the command line
> (using the passwd program) without any problems.
Are you changing their password, or setting their password? The
difference matters, because Samba can only *set* the password; it does
not know the old password.
On /etc/passwd-based systems, Samba can do this because it becomes root
for the operation. On LDAP it's more difficult: it needs to convince
the LDAP server that it has the right to set the password.
> This is the /etc/pam.d/passwd configuration that I have
> set up ....
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so use_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> # I commented this out in case samba couldn't handle it ...
> #password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so try_first_pass
>
> This is the /etc/pam.d/samba config ....
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
>
> I also tried this config .....
>
> #%PAM-1.0
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
>
> No errors with that one but the password remained unchanged ....
>
> Any ideas guys? I reckon I must have screwed up the pam configuration
> for /etc/pam.d/samba but I am no pam expert so I am currently thrashing
> around in the dark ....
The big thing about syncing with PAM is that you must set the manager
password in some config file, so that pam_ldap can make an
administrative connection to the LDAP server. See the pam_ldap
documentation for details.
However, we have made this a bit easier in Samba 3.0 - there is a new
option called 'ldap password sync' that works with Samba's existing
pdb_ldap to set the user's password, using Samba's administrative
rights.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
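As an added example that is not part of the original thread (and not Samba or pam_ldap code), here is a small POSIX shell script that checks the three things the reply points at before turning on "pam password change = yes" against pam_ldap: a group entry with a bad gid, a PAM service file with no "password" stack (the first /etc/pam.d/samba quoted above carries only auth and account lines, so pam_chauthtok() has no module to run), and whether pam_ldap has a manager bind configured. The rootbinddn directive and its secret file are pam_ldap's documented mechanism for the administrative connection; the paths, the sample group database and the sample configs are assumptions constructed for the example. The Samba 3 alternative Andrew describes ships in smb.conf as "ldap passwd sync" and binds with Samba's own "ldap admin dn" credentials instead of going through PAM, so none of the pam_ldap checks below apply to that route.

```shell
#!/bin/sh
# Added example: not code from the original post, Samba or pam_ldap.
# Three checks for the failure modes discussed above.  Each takes its
# input as text or a path so it runs offline; the data at the bottom is
# constructed for the example, as are the file paths.

# 1. Group entries whose gid is not a sane non-negative integer.  The
#    assert_gid() panic quoted above shows the effective gid as -1, which
#    is what an entry like "nogroup:x:-1:" in the group database yields.
#    Prints "name:gid" per offender, nothing when the database is clean.
#    On a live box run it as: find_bad_gids "$(getent group)"
find_bad_gids() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 && ($3 !~ /^[0-9]+$/ || $3 + 0 > 2147483647) {
            printf "%s:%s\n", $1, $3
        }'
}

# 2. Does a /etc/pam.d/<service> file have any "password" module line?
#    "pam password change = yes" makes smbd call pam_chauthtok(), which
#    has nothing to run when the stack only carries auth/account entries.
pam_has_password_stack() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*password[[:space:]]'
}

# 3. smbd never learns the user's old password, so pam_ldap must *set*
#    the new one over an administrative bind: ldap.conf needs a
#    "rootbinddn", and the secret file that goes with it must exist,
#    be non-empty and be unreadable by group and others.
pam_ldap_admin_bind_ok() {
    # $1 = text of the pam_ldap ldap.conf, $2 = path of the secret file
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+[^[:space:]]' || return 1
    [ -f "$2" ] && [ -s "$2" ] || return 1
    case "$(ls -ld "$2")" in
        -???------*) return 0 ;;   # no group/other permission bits at all
        *)           return 1 ;;
    esac
}

# Writes a secret file with mode $2 under directory $1 and prints its path
# (constructed stand-in for /etc/ldap.secret).
make_secret() {
    (umask 077 && printf 'manager-password\n' > "$1/ldap.secret")
    chmod "$2" "$1/ldap.secret"
    printf '%s\n' "$1/ldap.secret"
}

# ---- constructed sample data ----------------------------------------
SAMPLE_GROUP='root:x:0:
users:x:100:
nobody:x:65534:
nogroup:x:-1:'

# The first /etc/pam.d/samba quoted in the post: auth and account only.
PAM_SAMBA_NO_PASSWORD='auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix_auth.so try_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix_acct.so'

# Same file with a password stack added (pam_ldap first, pam_unix after).
PAM_SAMBA_WITH_PASSWORD="$PAM_SAMBA_NO_PASSWORD
password sufficient /lib/security/pam_ldap.so
password required   /lib/security/pam_unix.so use_authtok"

LDAP_CONF_NO_ADMIN='host ldap.example.com
base dc=example,dc=com'
LDAP_CONF_ADMIN="$LDAP_CONF_NO_ADMIN
rootbinddn cn=Manager,dc=example,dc=com"

# ---- run the checks against the sample data -------------------------
find_bad_gids "$SAMPLE_GROUP"                          # prints: nogroup:-1
pam_has_password_stack "$PAM_SAMBA_NO_PASSWORD" \
    || echo "no password stack: pam_chauthtok() cannot change anything"
tmp=$(mktemp -d)
secret=$(make_secret "$tmp" 600)
pam_ldap_admin_bind_ok "$LDAP_CONF_ADMIN" "$secret" && echo "admin bind configured"
chmod 644 "$secret"
pam_ldap_admin_bind_ok "$LDAP_CONF_ADMIN" "$secret" || echo "secret is readable by others"
rm -rf "$tmp"
```

The third check is the one that matters most for the symptom in the post: with no rootbinddn, pam_ldap falls back to binding as the user, and the LDAP server will refuse to let that bind replace userPassword without the old value, so the change silently stays unapplied even when PAM itself reports no error.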