On Saturday, 2 May 2009 05:31, John Du wrote:
> David Markey wrote:
...
> My thanks to David and all who have responded to my questions. I
> have identified where and what the problem is but I am not sure it is
> a Samba problem or OpenLDAP problem.
>
> I am trying to give you a clear picture.
>
> 1. unix passwd sync works perfectly.
>
> I replaced "ldap passwd sync = Yes" with:
>
> unix password sync = Yes
> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
> passwd chat = "Changing UNIX password for*\nNew password*" %n\n
> "*Retype new password*" %n\n"
>
> No changes on the OpenLDAP side. Users can change their Windows and
> LDAP password correctly all the time.
>
> 2. ldap passwd sync = Yes does not change the LDAP password but it
> changes the Windows password OK.
>
> 2.1 OpenLDAP with some ACLs defined.
>
> When the OpenLDAP server has some ACLs defined, the samba server
> logs the following:
>
> 2009/04/30 23:38:42, 2]
> passdb/pdb_ldap.c:ldapsam_modify_entry(1590) ldap password change
> requested, but LDAP server does not support it -- ignoring
>
> The LDAP password is not changed.
>
> 2.2 When no ACLs are defined in slapd.conf.
>
> [2009/04/30 23:43:03, 10]
> lib/smbldap.c:smbldap_extended_operation(1525) Extended operation
> failed with error: 80 (Internal (implementation specific) error)
> (password hash failed)
> [2009/04/30 23:43:03, 0]
> passdb/pdb_ldap.c:ldapsam_modify_entry(1651) ldapsam_modify_entry:
> LDAP Password could not be changed for user johndu: Internal
> (implementation specific) error
> password hash failed
>
> Hash is defined in slapd.conf as follows:
>
> password-hash {CRYPT}
> password-crypt-salt-format $1$%.2s

# if crypt, then with MD5
password-crypt-salt-format '$1$%.8s'

> The Windows user will get a "the user name or old password is
> incorrect" message in this case.
>
> The LDAP root DN is used all the time everywhere.
>
> I can mail the complete log files to you if they can help you to
> determine the cause of the problem. There seem to be some
> compatibility issues between the LDAP server and the Samba server.
> Logically I think if the IDEALX tool works the samba server's
> internal LDAP functions should work as well.
>
> Let me know if you need any further information from me.
>
> Wish you all to have a good weekend!
>
> John

--
Regards
Harry Jede
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
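
The two `password-crypt-salt-format` values from this thread, expanded the way slapd.conf(5) documents the setting (a sprintf-style string with exactly one `%s`, filled with random characters from `[A-Za-z0-9./]`). This is an added Python example, not part of the original e-mail or of OpenLDAP; the function names, the scheme table and the restriction to `%s`/`%.Ns` are assumptions made for illustration.

```python
import re
import secrets

# Characters slapd substitutes for %s, per slapd.conf(5): [A-Za-z0-9./]
SALT_CHARS = ("abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")
# crypt(3) prefixes -> (scheme name, salt characters the scheme actually uses)
SCHEMES = {"$1$": ("MD5", 8), "$5$": ("SHA-256", 16), "$6$": ("SHA-512", 16)}
CONV = re.compile(r"%(?:\.\d+)?s")  # this checker accepts only %s and %.Ns


def expand_salt_format(fmt, raw=None):
    """Return the salt string crypt(3) would receive for this format."""
    stripped = fmt.replace("%%", "")
    if stripped.count("%") != 1 or len(CONV.findall(stripped)) != 1:
        raise ValueError("need exactly one %s conversion: " + repr(fmt))
    if raw is None:  # 31 random characters, as the man page describes
        raw = "".join(secrets.choice(SALT_CHARS) for _ in range(31))
    return fmt % raw


def describe(fmt):
    """Return (scheme, effective salt length, salt entropy in bits)."""
    salt = expand_salt_format(fmt, raw="A" * 31)
    for prefix, (name, limit) in SCHEMES.items():
        if salt.startswith(prefix):
            used = min(len(salt) - len(prefix), limit)
            return name, used, used * 6  # 64-char alphabet = 6 bits each
    used = min(len(salt), 2)  # traditional DES crypt reads 2 salt chars
    return "DES", used, used * 6


if __name__ == "__main__":
    for fmt in ("$1$%.2s", "$1$%.8s", "%s"):  # both thread values + default
        print(fmt, "->", expand_salt_format(fmt), describe(fmt))
```

Both values select the MD5 scheme through the `$1$` prefix; they differ only in how many random salt characters follow it (2 versus 8).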