On Sat, 2003-01-04 at 00:56, bryan hunt wrote:
>
> I am using samba and ldap.
> LDAP is used for linux login and imap authentication.
> Samba is used for domain login and file sharing.
>
> Everything is up and running with one exception
>
> When I try to do a password change from a windows machine I
> get the following error ( repeated about 8 times )
>
> [2003/01/02 18:51:48, 0] lib/util_sec.c:assert_gid(114)
> Failed to set gid privileges to (0,65534) now set to (0,-1) uid=(0,65534)
> [2003/01/02 18:51:48, 0] lib/util.c:smb_panic(1094)
> PANIC: failed to set gid

I would look into whether you have any groups with gid == -1,
particularly for the 'nobody' user. This could be causing a problem
here.

> If I get rid of the password syncing option in the smb.conf
> the password gets changed with no problems but with
> the
> pam password change = yes
> option set in the file the user password change fails.

I don't think this has any relation to the previous errors. Instead,
it's due to the way Samba changes passwords.

> I want to get the password syncing working because it would be
> cool for my users to have a single password for mail/unix stuff etc.
>
> Anyone encountered this before ? I've done a lot of googling and searched
> the bugs database but nobody seems to have encountered this problem before.
>
> I can change a user's unix ( ldap ) password straight from the command line
> (using the passwd program) without any problems.

Are you changing their password, or setting their password? The
difference matters, because Samba can only *set* the password, it does
not know the old password. On /etc/passwd based systems, samba can do
this, because it becomes root for the operation. On LDAP, it's more
difficult - it needs to convince the LDAP server that it has the right
to set the password.

> This is the /etc/pam.d/passwd configuration that I have
> set up ....
>
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so use_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> # I commented this out in case samba couldn't handle it ...
> #password  required     /lib/security/pam_cracklib.so retry=3
> password   sufficient   /lib/security/pam_ldap.so
> password   required     /lib/security/pam_pwdb.so try_first_pass
>
> This is the /etc/pam.d/samba config ....
>
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
>
> I also tried this config .....
>
> #%PAM-1.0
> auth       required     /lib/security/pam_nologin.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
>
> No errors with that one but the password remained unchanged ....
>
> Any ideas guys ? I reckon I must have screwed up the pam configuration
> for /etc/pam.d/samba but I am no pam expert so I am currently thrashing
> around in the dark ....

The big thing about syncing with PAM is that you must set the manager
password in some config file, so that pam_ldap can make an
administrative connection to the LDAP server. See the pam_ldap
documentation for details.

However, we have made this a bit easier in Samba 3.0 - there is a new
option called 'ldap password sync' that works with Samba's existing
pdb_ldap to set the user's password, using Samba's administrative
rights.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
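
The gid == -1 check suggested in the reply above, as an added example that is not part of the original message or of Samba. It flags passwd/group entries whose uid or gid is -1 or an unsigned form of it (65535, 4294967295); the set*gid() calls treat -1 as "leave unchanged", so a process can never switch to such an id. The function name and the sample entries are constructed for illustration.

```python
# Added example: scan passwd/group lines (the colon-separated format printed
# by `getent`) for ids equal to -1 or to -1 stored in an unsigned id field.

# -1 as written, and as it appears in a 16-bit or 32-bit unsigned uid/gid.
MINUS_ONE_FORMS = {-1, 0xFFFF, 0xFFFFFFFF}

def suspicious_ids(text, kind):
    """Return (name, field, value) tuples for ids that are -1-like or invalid.

    kind is "passwd" (name:pw:uid:gid:...) or "group" (name:pw:gid:members).
    """
    fields = {"passwd": (("uid", 2), ("gid", 3)), "group": (("gid", 2),)}[kind]
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        for label, idx in fields:
            if idx >= len(parts):
                hits.append((parts[0], label, "missing"))
                continue
            try:
                value = int(parts[idx])
            except ValueError:
                hits.append((parts[0], label, parts[idx]))  # non-numeric id
                continue
            if value in MINUS_ONE_FORMS:
                hits.append((parts[0], label, value))
    return hits

# Constructed sample input, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:-1:Nobody:/:/sbin/nologin
alice:x:1001:1001:Example User:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
nobody:x:4294967295:
users:x:100:alice
"""

if __name__ == "__main__":
    for kind, data in (("passwd", SAMPLE_PASSWD), ("group", SAMPLE_GROUP)):
        for name, field, value in suspicious_ids(data, kind):
            print(f"{kind}: {name} has {field}={value}")
```

On a host that resolves accounts through LDAP, feeding it the output of `getent passwd` and `getent group` covers the LDAP-backed entries as well as the local files.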
