Hi Jamurph,

I think replication of password policies to LDAP started with Samba 3.0.23d. Before this version you have to export them from the PDC to the LDAP server with

pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

pdbedit -y -i ldapsam -e tdbsam

Regards,
Stefan

jamurph wrote:
> I have Samba and LDAP up and running, but I'm having problems editing the
> password policy using pdbedit.
>
> (I'm running 3.0.22)
>
> I've had a look at the man page for pdbedit but I don't really fully
> understand what it does in relation to passwd backends. Does pdbedit update
> just one backend and expect a user to export the updates to other backends?
>
> I think I've set up ldap as my default backend - but pdbedit doesn't update
> it. It looks like it's updating some other backend. I guess my smb.conf
> (attached) isn't configured correctly? How do I find out which one it's
> updating? I can also see a reference to pdbedit backend guest in the logs,
> but I don't understand why pdbedit is looking for this.
>
> I tried the following command:
> pdbedit -P "min password length" -C 7 -d 10
>
> This is a snippet of the logs:
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> account_policy_get: min password length:7
> account policy value for min password length was 7
> account_policy_set: min password length:7
> account policy value for min password length is now 7
>
> I'm guessing it's taking these values from
> /var/lib/samba/account_policy.tdb, it's not taking them from ldap - because
> it doesn't change sambaMinPwdLength.
>
> I can see a search happening in the ldap logs, but I don't see any updates -
> is this expected behaviour?
>
> I believe I need to run the following command to update LDAP?
> pdbedit -y -i tdbsam -e ldapsam -d 10
>
> However, when I do this, I get the following error message (more of the log
> is attached - but this is the part I think is failing):
>
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> called with username="(null)"
> tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
> Unable to open/create TDB passwd
> Can't sampwent!
>
> When configuring Samba initially, I had some problems, so I followed some
> instructions and deleted the following:
>
> rm /etc/samba/*tdb
> rm /var/lib/samba/*tdb
> rm /var/lib/samba/*dat
> rm /var/log/samba/*
>
> As a result passdb.tdb no longer exists, and it didn't get re-created. Is there any
> way I can recreate this file? Is this the cause of my problems?
>
> Any help much appreciated. I've attached more details in case they are
> needed.
>
> -------------- LDAP Entry ------------------------------------
>
> dn: sambaDomainName=BLAHDEV,dc=example,dc=org
> sambaDomainName: BLAHDEV
> sambaMinPwdAge: 0
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaPwdHistoryLength: 0
> sambaNextGroupRid: 67109863
> uidNumber: 1005
> sambaLogonToChgPwd: 0
> sambaLockoutDuration: 30
> sambaMaxPwdAge: -1
> sambaForceLogoff: -1
> sambaLockoutThreshold: 0
> gidNumber: 1000
> sambaSID: S-1-5-21-317703500-4181503002-770181164
> sambaNextUserRid: 67109862
> sambaMinPwdLength: 5
> sambaRefuseMachinePwdChange: 0
> sambaAlgorithmicRidBase: 1000
> sambaLockoutObservationWindow: 30
>
> ---------------- SMB.CONF -----------------------------------
>
> [global]
> workgroup = BLAHDEV
> netbios name = BLAHDEV-PDC
> security = user
> server string = Samba Server
> log level = 2
> syslog = 0
> log file = /var/log/samba/%m.log
> max log size = 100000
> time server = Yes
> logon home = ""
> logon path = ""
> domain logons = Yes
> domain master = Yes
> os level = 65
> preferred master = Yes
> wins support = yes
> encrypt passwords = Yes
> # unix password sync = Yes
> passwd program = /usr/sbin/ldap_userPassword_change %u
> passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
> # Crackcheck settings to allow NT style password complexity checks
> check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
> passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
> ldap admin dn = cn=Manager,dc=example,dc=org
> ldap suffix = dc=example,dc=org
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
> add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = no
>
> ------------ FULL LOG FILE FOR PDBEDIT --------------------
>
> [EMAIL PROTECTED] samba]# pdbedit -y -i tdbsam -e ldapsam -d 10
> INFO: Current debug levels:
> all: True/10
> tdb: False/0
> printdrivers: False/0
> lanman: False/0
> smb: False/0
> rpc_parse: False/0
> rpc_srv: False/0
> rpc_cli: False/0
> passdb: False/0
> sam: False/0
> auth: False/0
> winbind: False/0
> vfs: False/0
> idmap: False/0
> quota: False/0
> acls: False/0
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = BLAHDEV
> doing parameter netbios name = BLAHDEV-PDC
> handle_netbios_name: set global_myname to: BLAHDEV-PDC
> doing parameter security = user
> doing parameter server string = Samba Server
> doing parameter log level = 2
> doing parameter syslog = 0
> doing parameter log file = /var/log/samba/%m.log
> doing parameter max log size = 100000
> doing parameter time server = Yes
> doing parameter logon home = ""
> doing parameter logon path = ""
> doing parameter domain logons = Yes
> doing parameter domain master = Yes
> doing parameter os level = 65
> doing parameter preferred master = Yes
> doing parameter wins support = yes
> doing parameter encrypt passwords = Yes
> doing parameter passwd program = /usr/sbin/ldap_userPassword_change %u
> doing parameter passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
> doing parameter check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
> doing parameter passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
> doing parameter ldap admin dn = cn=Manager,dc=example,dc=org
> doing parameter ldap suffix = dc=example,dc=org
> doing parameter ldap group suffix = ou=Groups
> doing parameter ldap user suffix = ou=Users
> doing parameter ldap machine suffix = ou=Computers
> doing parameter ldap idmap suffix = ou=Idmap
> doing parameter idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
> doing parameter add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> doing parameter delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> doing parameter add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
> doing parameter add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> doing parameter add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
> doing parameter delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> doing parameter set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
> doing parameter idmap uid = 16777216-33554431
> doing parameter idmap gid = 16777216-33554431
> doing parameter template shell = /bin/false
> doing parameter winbind use default domain = no
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> set_server_role: role = ROLE_DOMAIN_PDC
> Attempting to register new charset UCS-2LE
> Registered charset UCS-2LE
> Attempting to register new charset UTF-16LE
> Registered charset UTF-16LE
> Attempting to register new charset UCS-2BE
> Registered charset UCS-2BE
> Attempting to register new charset UTF-16BE
> Registered charset UTF-16BE
> Attempting to register new charset UTF8
> Registered charset UTF8
> Attempting to register new charset UTF-8
> Registered charset UTF-8
> Attempting to register new charset ASCII
> Registered charset ASCII
> Attempting to register new charset 646
> Registered charset 646
> Attempting to register new charset ISO-8859-1
> Registered charset ISO-8859-1
> Attempting to register new charset UCS2-HEX
> Registered charset UCS2-HEX
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Substituting charset 'UTF-8' for LOCALE
> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to register passdb backend guest
> Successfully added passdb backend 'guest'
> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1 ldap://ldap-2 (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Netbios name list:-
> my_netbios_names[0]="BLAHDEV-PDC"
> Trying to load: ldapsam:ldap://ldap-1 ldap://ldap-2
> Attempting to find an passdb backend to match ldapsam:ldap://ldap-1 ldap://ldap-2 (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://ldap-1 ldap://ldap-2
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://ldap-1 ldap://ldap-2 as "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Trying to load: tdbsam
> Attempting to find an passdb backend to match tdbsam (tdbsam)
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> Trying to load: ldapsam
> Attempting to find an passdb backend to match ldapsam (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))]
> smbldap_search: base => [dc=example,dc=org], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BLAHDEV))], scope => [2]
> smbldap_open_connection: ldap://localhost
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://localhost as "cn=Manager,dc=example,dc=org"
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> pdb backend ldapsam has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> called with username="(null)"
> tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
> Unable to open/create TDB passwd
> Can't sampwent!

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
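As an added example (not from this thread or from Samba itself): a small Python check that parses a sambaDomain LDIF entry like the one quoted above and reports which account policies differ from the values the administrator intended, which is exactly the drift jamurph hit when pdbedit -P wrote to the local account_policy.tdb instead of LDAP. The attribute-to-policy-name mapping follows Samba's ldapsam conventions; the sample entry and the expected values are constructed from the thread.

```python
"""Compare the account policies stored in a sambaDomain entry with the
values an admin expects.  Added example, not part of the mailing-list
thread; the LDIF sample and expected values below are constructed."""
import re

# sambaDomain attribute -> the policy name pdbedit -P uses (Samba ldapsam)
ATTR_TO_POLICY = {
    "sambaMinPwdLength": "min password length",
    "sambaPwdHistoryLength": "password history",
    "sambaLogonToChgPwd": "user must logon to change password",
    "sambaMaxPwdAge": "maximum password age",
    "sambaMinPwdAge": "minimum password age",
    "sambaLockoutDuration": "lockout duration",
    "sambaLockoutObservationWindow": "reset count minutes",
    "sambaLockoutThreshold": "bad lockout attempt",
    "sambaForceLogoff": "disconnect time",
    "sambaRefuseMachinePwdChange": "refuse machine password change",
}

def parse_ldif_entry(ldif):
    """Return {attribute: [values]} for one LDIF entry as ldapsearch prints
    it: folded continuation lines (leading space) are rejoined and '#'
    comments skipped.  Base64 ('::') values are not needed for policies."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif.strip()).splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry

def policy_drift(entry, expected):
    """Return {policy name: (value in LDAP, expected value)} for every policy
    in `expected` whose LDAP value differs; a policy absent from the entry
    is reported with LDAP value None so a missing attribute is not silent."""
    drift = {}
    for attr, policy in ATTR_TO_POLICY.items():
        if policy in expected:
            raw = entry.get(attr)
            stored = int(raw[0]) if raw else None
            if stored != expected[policy]:
                drift[policy] = (stored, expected[policy])
    return drift

# Constructed sample: the thread's entry reduced to its policy attributes.
SAMPLE_LDIF = """dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaDomainName: BLAHDEV
objectClass: sambaDomain
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaLockoutDuration: 30
"""
# What the admin intended after: pdbedit -P "min password length" -C 7
EXPECTED = {"min password length": 7, "password history": 0, "bad lockout attempt": 0}

if __name__ == "__main__":
    for name, (got, want) in policy_drift(parse_ldif_entry(SAMPLE_LDIF), EXPECTED).items():
        print(f"{name}: LDAP has {got}, expected {want}")
```

On a live domain, feed it the output of an ldapsearch for objectClass=sambaDomain instead of the constructed sample and run it on each BDC after the pdbedit import to confirm the policies actually landed.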
