Re: [Samba] ldap passwd sync not working

Tue, 12 Feb 2008 05:11:48 -0800 

Fabiano Caixeta Duarte wrote:

Hi, there!

When my XP users try to change passwords, they get a message saying that
password has been changed. That's not true!

NT and LM passwords are changed but unixPassword isn't.

Look at this openldap.log lines:

Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
sambaPwdLastSet sambaPwdLastSet

See?

My smb.conf have this ldap related options:

passdb backend = ldapsam:ldap://apolo.domain
idmap backend = ldapsam:ldap://apolo.domain
ldap suffix = dc=domain
ldap admin dn = cn=root,dc=domain
ldap ssl = start_tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"




> The question may not be related to LDAP since your domain passwords are
> changed. You should be looking at why the Unix password isn't being
> changed.
> - Are you using LDAP for Unix authentication?
> - Can you change the Unix password using passwd?
> - is your password chat in smb.conf correct for your system?
AFAIK when using ldapsam, we must use ldap attributes for storing unix information. So passwd won't work.
If so, we cannot use "passwd chat" "passwd program" "unix password sync", etc. Instead, we have to use "ldap passwd sync". 

Am I wrong?

And yes, I'm using also unix authentication for some services.
I assume that I missed something on smb.conf because samba doesn't ask for modification on unixPassword ldap attribute as shown on openldap.log 

Thanks for your attention.

--
Fabiano Caixeta Duarte
Especialista em Redes de Computadores
Linux User #195299
Ribeirão Preto - SP
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to