Edmundo Valle Neto wrote:
Fabiano Caixeta Duarte wrote:
Fabiano Caixeta Duarte wrote:
Hi, there!
When my XP users try to change passwords, they get a message saying
that the password has been changed. That's not true!
NT and LM passwords are changed but unixPassword isn't.
Look at these openldap.log lines:
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
See?
My smb.conf has these LDAP-related options:
passdb backend = ldapsam:ldap://apolo.domain
idmap backend = ldapsam:ldap://apolo.domain
ldap suffix = dc=domain
ldap admin dn = cn=root,dc=domain
ldap ssl = start_tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> The question may not be related to LDAP since your domain passwords are
> changed. You should be looking at why the Unix password isn't being
> changed.
> - Are you using LDAP for Unix authentication?
> - Can you change the Unix password using passwd?
> - Is your password chat in smb.conf correct for your system?
AFAIK when using ldapsam, we must use ldap attributes for storing unix
information. So passwd won't work.
passwd works partially. passwd uses PAM, and PAM can access LDAP but it
only knows about posix attributes.
If so, we cannot use "passwd chat" "passwd program" "unix password
sync", etc. Instead, we have to use "ldap passwd sync".
Well, you can, but yes, ldap passwd sync does the same thing without
the need to configure anything, so it works, but it just doesn't make
sense to configure both.
The IDEALX documentation explains that:
http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108
6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
is not called, or i got a error message when changing the password from
windows
The directive is called if you also set unix password sync = Yes. Notes:
* if you use OpenLDAP, none of those two options are needed. You just
need ldap passwd sync = Yes.
* the script called here must only update the userPassword attribute.
This is the reason of the -u option. Samba passwords will be updated by
samba itself.
* the passwd chat directive must match what is prompted when using the
smbldap-passwd command
So..., just -u to change only userPassword and a working passwd chat :)
And in: 8.1.3 The samba configuration file : /etc/samba/smb.conf
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
One OR another. But both approaches work.
Am I wrong?
Yes.
And yes, I'm using also unix authentication for some services.
I assume that I missed something on smb.conf because samba doesn't ask
for modification on unixPassword ldap attribute as shown on openldap.log
That's funny, I cannot point to anything missing in your smb.conf; ldap
passwd sync should work alone. But you can try smbldap-passwd as shown
in the three lines above. Make sure it works at the command line first.
Thanks for your attention.
Regards.
Edmundo Valle Neto
Sure enough smbldap-passwd works. I have tried this once ldap passwd
sync was not working. Though, there are two problems: 1) it's too slow
and 2) it shows a message to the user telling he has no permissions to
change password. So it's confusing. I don't feel comfortable using such
a thing.
Actually, I was hoping for some answer from someone who has ldap passwd
sync working. Hints on how to debug and so on.
Thanks again!
--
Fabiano Caixeta Duarte
Especialista em Redes de Computadores
Linux User #195299
Ribeirão Preto - SP
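
Added example (not part of the original thread): one way to check a slapd log for the symptom discussed above, Samba hash updates with no accompanying userPassword change for the same DN. It assumes stats-level logging with each entry on a single line, and that slapd records the password-modify extended operation as a PASSMOD line; the function name and the sample lines (including the "alice" entries) are constructed for illustration.

```python
import re

# Matches the "conn=N op=N <operation> <details>" part of a slapd stats line.
OP = re.compile(r'conn=(\d+) op=(\d+) (MOD|PASSMOD) (.*)')

def unsynced_changes(lines):
    """Return DNs whose Samba hashes were modified without any matching
    userPassword update (plain MOD or PASSMOD) elsewhere in the log."""
    op_dn = {}               # (conn, op) -> DN named by the "MOD dn=" line
    samba, unix = [], set()  # DNs with Samba hash change / Unix password change
    for line in lines:
        m = OP.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "PASSMOD":
            # Assumed format: PASSMOD id="<dn>" new
            if rest.startswith('id="'):
                unix.add(rest.split('"')[1].lower())
        elif rest.startswith('dn="'):
            op_dn[(conn, op)] = rest.split('"')[1].lower()
        elif rest.startswith("attr="):
            dn = op_dn.get((conn, op))
            if dn is None:
                continue  # attr line without its dn line (truncated log)
            attrs = set(rest[5:].split())
            if "userPassword" in attrs:
                unix.add(dn)
            if "sambaNTPassword" in attrs and dn not in samba:
                samba.append(dn)
    return [dn for dn in samba if dn not in unix]

# Constructed sample: "teste" mirrors the log in the thread (hashes only),
# "alice" shows what a synchronised change is assumed to look like.
PFX = "Feb 12 07:50:28 apolo slapd[22826]: conn=698021 "
SAMPLE_LOG = [
    PFX + 'op=40 MOD dn="uid=teste,ou=Users,dc=domain"',
    PFX + "op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword "
          "sambaNTPassword sambaPwdLastSet sambaPwdLastSet",
    PFX + 'op=44 MOD dn="uid=alice,ou=Users,dc=domain"',
    PFX + "op=44 MOD attr=sambaLMPassword sambaNTPassword sambaPwdLastSet",
    PFX + 'op=45 PASSMOD id="uid=alice,ou=Users,dc=domain" new',
]

if __name__ == "__main__":
    for dn in unsynced_changes(SAMPLE_LOG):
        print("Samba hashes changed without userPassword update:", dn)
```

The match is per DN across the whole input, so feed it a log slice covering only the test window when reused DNs would blur the result.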