Craig White wrote:
On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote:
Craig White wrote:
On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
Back to square 1! I stripped out my unsuccessful attempts to get Samba
working with LDAP on my Debian Sarge server and am back with a tdbsam
backend. I actually tried to purge as much of the old Samba & LDAP as I
could then reinstalled fresh. This included removing the Windows groups
and users and even the old tdbsam data.
Unfortunately, I'm back where I started - users can't change their own
passwords using the Windows password change dialogue. Their system will
go away for a very long time (more than 15 minutes) then silently fail
to change the password.
For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian)
on a 2.6.8 kernel. This should mean that this is NOT the old Windows
security patch issue.
I've attached my smb.conf (minus the shares definitions) if that helps.
Also, for what it's worth, the user accounts are all in Domain Users and
users. All but mine use /bin/false as the login shell (but none of us
can change passwords). My account is also in Domain Admins - and I can
add machine accounts with it.
Any ideas anyone?
----
I kept my mouth shut because you were following someone's step by step
and not the samba official documentation.
If you want to follow the Samba By Example methodology, you will
probably find a lot more people willing to help.
Changing passwords seems to only require that samba, smbldap-tools be
properly configured for your ldap setup and a script referenced in your
smb.conf.
The smb.conf you attached of course has nothing to do with LDAP and it
isn't clear what you are trying to do.
I would suggest that you familiarize yourself with the Samba By Example
book (dead tree form) or pdf or html from the samba.org web site and
figure out what you are trying to do so someone could actually help.
Craig
I've followed the Samba by example in this case. It was not very
helpful. Between the typos, omissions, errors, and general lack of
content, it's hard to get anything to work following it. Sorry to be so
negative about it, but it seems to assume that if you just install the
packages, things work.
Now a plain vanilla Debian Sarge system is hardly esoteric, but my
experience has been that things only work if you are doing a virgin
setup. In my case, Samba was originally vampired from my old W2K server
and I've always had the password problem. Trying to install LDAP on a
system that previously had a not-quite-working tdbsam backend also isn't
something that the howto writers seem to have tried.
The other howto I followed was one of several that were written
specifically for people trying to get Samba+LDAP to work on a Debian
system. After several days of trying to get it to work, even following
idealx.org's howto, it still wouldn't. So I ripped everything out and
went back to a basic Samba setup without LDAP. And now I'm back to the
same old problem I had before - users can't change their passwords.
And yes, my current setup was following the Samba by Example - html
form. I also have the dead-tree Samba Howto collection. According to
them, I have a working system. :)
The basic "by example" says in some very elegant story telling, after
assuming that you have Samba installed, to smbpasswd -a root, map the
Administrator account to it, add some groupmaps, stir in some users and
voila, everything works. My setup passes the validation and the
troubleshooting. It works, except that it doesn't.
Again, I'll admit that this probably does work on a fresh system. I've
set up Samba PDCs from scratch before without problems. However, it
doesn't seem to want to work on this existing server, even after I
sacrificed my old accounts vampired from W2K to try to get this working.
I shouldn't have to rebuild my entire server just to be able to change
passwords!
Finally, you need to recognize that Debian does things its way. It has
installation scripts that ask you questions up front and put the answers
in multiple files scattered across your system. Samba by Example doesn't
actually tell you what to put where or why. In fact, it's actually
difficult to tell exactly which program or file you need to be using at
any given moment. We're not all Samba developers, after all. SWAT,
smbpasswd, pdbedit, etc. all seem to do similar things but heaven
help the poor user who's trying to find out when or why you should use
one over the other.
What I'm basically trying to say is you can't assume that everyone is
going to get to place by a particular route. Debian howtos are useful
for those of us with Debian-based systems because they give Debian
package names and follow Debian installation dialogues. If there is
something in the howto that you think is wrong or missing, then identify
it. It's not as if the "official" Samba documentation is all
encompassing and perfect. I've had to consult a couple of dozen
different guides in trying to get LDAP working. The official Samba ones
were less detailed and less informative than many of the others. And the
By Example guides spend far too much time in narrative and talking about
other software. Plus it's too Red Hat specific. A lot of the stuff it
tells you to do isn't right for Debian.
Rant off. :)
Do you have any suggestions other than rebuilding my entire server?
Under what conditions can a password change fail that doesn't
(apparently) affect other Samba services?
----
#1 - you are asking general questions and posting general issues which
can only at best get general answers. If you have a specific issue, you
have to ask a specific question. That is how this thing works.
As for your question about changing passwords...you give neither the
context of how you are trying to change the password (the methodology),
what you expect to happen and what is happening except in the most
general way. You offer not a single piece of logs, don't mention that
you checked the logs, in fact, don't give the slightest impression that
you know what logs do and how they work.
The point is...focus your problem to as simple a question that you can
ask and ask it. If you go more than 3 paragraphs, the likelihood of
getting an answer drops a lot. Specific questions get specific answers.
#2 - The official samba documentation is what it is. It is what you and
I make it and I know that JHT is gonna say, if there is something wrong
with the documentation, please let him know what it is and he is only
too glad to fix it.
My personal impression of the samba documentation is that it is far and
away the best documentation for any open source project that I have ever
used. Is it perfect...probably not, but probably close. Does it
anticipate all the things that you could possibly do wrong and then tell
you how to fix them - no probably not.
#3 - When I did my first migration from NT4 to Samba 3 (it was samba
3.0.0) and I remember it clearly because I was trying to learn how to
use LDAP at the same time. It was a nightmare and I'm sure the archives
showed I asked a lot of questions that evidenced the fact that I didn't
understand what I was doing. I put off the migration for a week until I
grasped LDAP first and then the integration with samba and the vampire
migration went a whole lot smoother. Still, I ended up doing the vampire
probably about 15 times because I wanted to get it right up front
because fixing it later was likely to be a bitch.
#4 - I recognize your frustration and general lack of patience with
this...might I suggest that you take a few days off and work on
something else while you get a breather, let go of your frustration and
can approach this with less of an attitude. I have to do this all the
time - in fact, I have learned to almost institutionalize the process
when I am learning something new because if I sit and keep pounding on
it, I am not likely to see what I am doing wrong.
Consider this - samba works - it works for thousands if not millions of
people.
I use LDAP everywhere since I learned how to get it done...I use it even
on very small offices. I actually have 1 client that still does use tdb
and I don't think that they ever change their passwords but if you are
patient, I will try to change a user's password via Windows which I
surmise is what you are attempting to do.
In the meantime, perhaps you want to get specific with what you are
trying to do, what you expect to happen, what does happen, and what the
logs say - perhaps you have to increase the log level to get a better
picture. Perhaps someone else with great knowledge of samba PDCs with
tdb passdb can answer what your issue is.
Craig
1) I thought that my question was rather specific:
- Windows XP Pro password change dialogue doesn't work - goes away, does
nothing, then quits without reporting an error.
- Samba version 3.0.14a (Debian) running on a Sarge system.
re. logs: as per my previous posts ages ago, when I initially tried to
get this fixed, the logs on the domain controller don't show anything. I
sent in some samba logs with the loglevel set to 100 to Jeremy for his
perusal. He never replied.
2) No documentation can be all things to everyone. I'm sure there are
people who like the nice story-telling style of the Samba docs. However,
for me they are mixing in too many variables. I prefer to keep things
separate, as in "here's how to set up LDAP", "here's how to configure
CUPS", etc., along with some side discussion on how the parts fit
together. The Samba docs flit from topic to topic, repeating unnecessary
details and leaving out key bits of information. Sorry, but I've been
too busy trying to get this to work to write down all the problems I've
found with the docs. :)
3) I didn't find out about the password change problem until the
passwords started expiring. By then my old server was history. This
isn't a large network so it was a couple of weeks before the problem
showed up. I was more concerned with testing the services, like file
sharing, printing and faxing. Who'da thunk that you couldn't change a
password?
4) As I said, I'm sure this does work. I've done it many times on clean
servers. I'd love to get LDAP to work, since it can handle my Linux
accounts too. However, I'm the only one here using Linux and so far the
others can put up with coming to me to use SWAT to change their passwords.
However, people shouldn't have to become experts in the technology to
use something. Samba, LDAP, ssl, PAM and a pile of other software is a
lot to ask people to understand in detail just so they can log onto a
network. :)