Package: libpam-smbpass
Version: 2:3.5.6~dfsg-3squeeze6
Severity: normal

Have samba pdc using smbldap etc. Running debian squeeze with samba 3.5.6.
Working on getting pam to keep ldap and windows password in sync. Have been using smbldap-passwd with some added password tests to change passwords.

smbldap-passwd works
smbpasswd works
in auth part of pam the migrate works with pam_smbldap
smbclient -L localhost authenticates OK.

If I use no ssl or tls for ldap connections in smb.conf, passwd will change the windows password. If the connection to the master ldap server uses ssl or tls I get this error in auth.log.

Feb 15 13:21:51 nfondy passwd[30090]: pam_smbpass(passwd:chauthtok): Cannot access samba password database, not running as root.

Again, it works without tls or ssl.

common-passwd:

# here are the per-package modules (the "Primary" block)
password requisite pam_passwdqc.so
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_smbpass.so nullok use_authtok use_first_pass debug
# end of pam-auth-update config

For this test using in smb.conf:

ldap ssl = off
passdb backend = ldapsam:"ldaps://mstldap.advocap.org"

If I change ldaps to ldap it works.

I managed to trace in wireshark using the ssl key for mstldap. It makes one tls connection; I see the key exchange etc. and then a successful ldap bind. It closes that connection. I assume that's one of the other pam modules. Then it tries starting another ssl connection from a new port but it does not work. Doesn't even see a tls client hello.

Without ssl I can see passwords being changed etc.

I tried samba from backports and it's the same.

John

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-smbpass depends on:
ii  libc6           2.11.3-3                Embedded GNU C Library: Shared lib
ii  libcap2         1:2.19-3                support for getting/setting POSIX.
ii  libldap-2.4-2   2.4.23-7.2              OpenLDAP libraries
ii  libpam-runtime  1.1.1-6.1+squeeze1      Runtime support for the PAM librar
ii  libpam0g        1.1.1-6.1+squeeze1      Pluggable Authentication Modules l
ii  libtalloc2      2.0.1-1                 hierarchical pool based memory all
ii  libwbclient0    2:3.5.6~dfsg-3squeeze6  Samba winbind client library
ii  samba-common    2:3.5.6~dfsg-3squeeze6  common files used by both the Samb

libpam-smbpass recommends no packages.

Versions of packages libpam-smbpass suggests:
ii  samba           2:3.5.6~dfsg-3squeeze6  SMB/CIFS file, print, and login se

-- no debconf information

