RE: [Samba] Samba + LDAP + Password Expiry = Almost working...

2003-09-17 Thread Collins, Kevin
Hi,

I hope I'm not showing my ignorance here, but I'm not following you on this
one.

Could you be a little more specific?

Kevin

-Original Message-
From: Kristyan Osborne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2003 6:56 PM
To: Collins, Kevin; [EMAIL PROTECTED]
Subject: RE: [Samba] Samba + LDAP + Password Expiry = Almost working...


Hi,
 
Try looking at the parameter passwd chat = 
 
The man pages should help you out here.
 
Cheers
 
---
Kristyan Osborne - IT Technician
Longhill High School
01273 391672

-Original Message- 
From: Collins, Kevin [mailto:[EMAIL PROTECTED] 
Sent: Tue 16/09/2003 17:53 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: [Samba] Samba + LDAP + Password Expiry = Almost working...



I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
nearly 3 months now without much bother.

By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from
NT 4: Password Expiration.  In the past I have posted questions about this
on the list and I've gotten two answers:  Wait for 3. or Write your own
script to do it for you.  Well, I sorta went the second route.

By sorta I mean that I modified a pre-existing script to make it do what I
wanted it to.  What I did was this...I started with IDEALX's howto and
scripts to get things going.  I had Samba configured to use their
smbldap-passwd.pl script to modify passwords.  That worked, I could change
any Windows account password from Windows or the command line and indeed all
three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry pwdMustChange while looking at a user
account one day.  When I set this to a date inside of 14 days from today,
Windows begins to bark about Password will expire in X days - Great I
thought I found my solution.  But the default password change script
wouldn't modify this value.

So I modified the script to where it would.  This is where my confusion
starts.  When I run my modified script from the command line, I get the
password changes I expect and I get the pwdMustChange date changes I expect
too.  Cool! I thought - things are coming together.  But when I turn to my
Windows machine (Windows 2000 or XP) and change my password all I get is the
password changes and the value for pwdLastSet being changed.

HUH?  If Samba is being told to run my script in its configuration file with
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u, then why doesn't
it work like when I run it from the command line?

To put it simply, when I run my script on the command line, it works -
exactly the way I want.  When Samba is told to change passwords from a
Windows machine, it either doesn't use my script or is passing some other
information that causes the script to perform differently.  In either case,
I have spent the better part of two days looking for a cure to this and not
been able to find a solution.

So, I'm hoping that someone here will be able to help me.  I have included
the smb.conf file and the modified version of the IDEALX smbpasswd.pl script
below.  Any help is appreciated.

If it comes down to it, I (think I) can create a script that will do what I
need outside of the IDEALX stuff, but I would prefer not to as they seem to
work so well.

SMB.CONF
---
#*****
# --   Nesbitt Engineering, Inc. Stargazer Samba Configuration   --
#*****
# This is the main Samba configuration file for Stargazer - NEI's Primary
# Domain Controller and Lexington office File Server.
#
# This configuration file is only to be used for an LDAP enabled server that
# will be acting as a PDC.  Modifications will be required for member servers
# and machines that will act as BDCs.
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this file we have used a #
# for commentary and a ; for parts of the config file that are
# either not enabled yet, or temporarily disabled
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made

RE: [Samba] Samba + LDAP + Password Expiry = Almost working...

2003-09-17 Thread Collins, Kevin
Thanks for the info...

I've got a custom version of 2.2.7a with your suggestions building right
now on a test machine.

I'm like you, I think this is a bug in the code and can not see any reason
for it to be doing this.  In fact, I think your suggestion about a smb.conf
parameter setting the number of days for a password to live is the proper
way to go.  But I don't know everything... :)

Kevin



-Original Message-
From: Rauno Tuul [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2003 3:07 PM
To: 'Collins, Kevin'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Samba + LDAP + Password Expiry = Almost working...


Hi,

You almost got it... 

Samba 2 has a weird behaviour, when using LDAP and passwd program. When you
change the password from windows, things happen like this: 
1) samba reads all the user data from LDAP to memory (doesn't read
userpassword)
2) executes the passwd program to change userpassword.
At this point your script also sets the new pwdMustChange value.
3) things get tricky here, when samba writes back all the data he got from
LDAP earlier and changes password hashes.

So if your script changes the pwdMustChange value, samba puts it back as
it was before :P

Workaround is to modify pdb_ldap.c and teach samba not to write back
pwdMustChange. It can be achieved with commenting out 2 lines.

While samba3 calculates the new pwdMustChange based on policy, in samba2 you
must do it with scripts. btw, your perl script is way too complex.

I attached one of my e-mails sent to samba-technical ages ago, where this trick
is described.

Best regards,

Rauno Tuul.


-Original Message-
From: Collins, Kevin [mailto:[EMAIL PROTECTED]

I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
nearly 3 months now without much bother.

By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from
NT 4: Password Expiration.  In the past I have posted questions about this
on the list and I've gotten two answers:  Wait for 3. or Write your own
script to do it for you.  Well, I sorta went the second route.

By sorta I mean that I modified a pre-existing script to make it do what I
wanted it to.  What I did was this...I started with IDEALX's howto and
scripts to get things going.  I had Samba configured to use their
smbldap-passwd.pl script to modify passwords.  That worked, I could change
any Windows account password from Windows or the command line and indeed all
three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry pwdMustChange while looking at a user
account one day.  When I set this to a date inside of 14 days from today,
Windows begins to bark about Password will expire in X days - Great I
thought I found my solution.  But the default password change script
wouldn't modify this value. [...] but I would prefer not to as they seem to work
so well.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Samba + LDAP + Password Expiry = Almost working...

2003-09-16 Thread Rauno Tuul
Hi,

You almost got it... 

Samba 2 has a weird behaviour, when using LDAP and passwd program. When you
change the password from windows, things happen like this: 
1) samba reads all the user data from LDAP to memory (doesn't read
userpassword)
2) executes the passwd program to change userpassword.
At this point your script also sets the new pwdMustChange value.
3) things get tricky here, when samba writes back all the data he got from
LDAP earlier and changes password hashes.

So if your script changes the pwdMustChange value, samba puts it back as
it was before :P

Workaround is to modify pdb_ldap.c and teach samba not to write back
pwdMustChange. It can be achieved with commenting out 2 lines.

While samba3 calculates the new pwdMustChange based on policy, in samba2 you
must do it with scripts.
btw, your perl script is way too complex.

I attached one of my e-mails sent to samba-technical ages ago, where this trick
is described.

Best regards,

Rauno Tuul.


-Original Message-
From: Collins, Kevin [mailto:[EMAIL PROTECTED]

I've got a Samba 2.2.7a domain with an LDAP backend.  It's been working for
nearly 3 months now without much bother.

By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from
NT 4: Password Expiration.  In the past I have posted questions about this
on the list and I've gotten two answers:  Wait for 3. or Write your own
script to do it for you.  Well, I sorta went the second route.

By sorta I mean that I modified a pre-existing script to make it do what I
wanted it to.  What I did was this...I started with IDEALX's howto and
scripts to get things going.  I had Samba configured to use their
smbldap-passwd.pl script to modify passwords.  That worked, I could change
any Windows account password from Windows or the command line and indeed all
three passwords for that user are changed (Unix, LM and NT passwords).

I later discovered the LDAP entry pwdMustChange while looking at a user
account one day.  When I set this to a date inside of 14 days from today,
Windows begins to bark about Password will expire in X days - Great I
thought I found my solution.  But the default password change script
wouldn't modify this value. [...] but I would prefer not to as they seem to
work so well.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
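The three-step sequence Rauno describes above (read the whole entry, run the external passwd program, write the cached entry back with the new hashes) is a classic lost-update problem: whatever the passwd program changes in the directory is overwritten by smbd's stale in-memory copy, which is exactly why Kevin sees pwdLastSet move but pwdMustChange snap back. The following Python model is an added illustration, not code from the thread, from Samba or from the IDEALX scripts. The directory contents, account name, epoch timestamps, 42-day policy and hash stand-ins are all constructed; the assumption that pwdLastSet and pwdMustChange are epoch-second strings follows the Samba 2.2 schema, and the "patched" write-back list models the effect of the two commented-out lines in pdb_ldap.c without claiming to reproduce that file.

```python
"""Added illustration (not code from the thread): a model of the Samba 2 + LDAP
password-change sequence described on the list, showing why a passwd program's
change to pwdMustChange is lost, and what changes when smbd stops writing that
attribute back. Everything here is constructed for the example."""
import copy
import hashlib
from typing import Dict, Iterable

Entry = Dict[str, str]
DAY = 86400
NOW = 1063700000                 # constructed "current time" (epoch seconds)
MAX_PASSWORD_AGE_DAYS = 42       # constructed site policy applied by the passwd program

# Constructed directory with one sambaAccount-style entry. pwdLastSet and
# pwdMustChange are assumed to be epoch-second strings (Samba 2.2 schema).
DIRECTORY: Dict[str, Entry] = {
    "kevin": {
        "uid": "kevin",
        "userPassword": "{CRYPT}placeholder-old",
        "ntPassword": "placeholder-old-nt",
        "lmPassword": "placeholder-old-lm",
        "pwdLastSet": "1060000000",
        "pwdMustChange": "1063600000",
    }
}

# Attributes smbd writes back after the passwd program has run. UNPATCHED models
# the stock behaviour described in the thread (everything it cached goes back);
# PATCHED models the workaround where pwdMustChange is no longer written back.
UNPATCHED_WRITEBACK = ("ntPassword", "lmPassword", "pwdLastSet", "pwdMustChange")
PATCHED_WRITEBACK = ("ntPassword", "lmPassword", "pwdLastSet")


def stand_in_hash(value: str) -> str:
    """Illustration only: a short digest standing in for crypt/NT/LM hashing."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def passwd_program(directory: Dict[str, Entry], uid: str, new_password: str) -> None:
    """Models the site's modified smbldap-passwd.pl (hypothetical stand-in): it sets
    userPassword and pushes pwdMustChange forward by the site policy, writing
    directly to the directory while smbd still holds its own cached copy."""
    entry = directory[uid]
    entry["userPassword"] = "{CRYPT}" + stand_in_hash(new_password)
    entry["pwdMustChange"] = str(NOW + MAX_PASSWORD_AGE_DAYS * DAY)


def samba2_change_password(directory: Dict[str, Entry], uid: str, new_password: str,
                           write_back: Iterable[str]) -> Entry:
    """Models the three steps from the thread:
    1) read the entry into memory (userPassword is not read),
    2) run the external passwd program,
    3) write the cached copy back together with the new NT/LM hashes."""
    in_memory = {k: v for k, v in directory[uid].items() if k != "userPassword"}  # step 1
    passwd_program(directory, uid, new_password)                                   # step 2
    in_memory["ntPassword"] = "nt-" + stand_in_hash(new_password)                  # step 3
    in_memory["lmPassword"] = "lm-" + stand_in_hash(new_password)
    in_memory["pwdLastSet"] = str(NOW)
    for attr in write_back:
        directory[uid][attr] = in_memory[attr]  # stale cached values clobber the directory
    return dict(directory[uid])


def run(patched: bool) -> Entry:
    """Run one password change against a fresh copy of the constructed directory
    and return the resulting entry."""
    directory = copy.deepcopy(DIRECTORY)
    write_back = PATCHED_WRITEBACK if patched else UNPATCHED_WRITEBACK
    return samba2_change_password(directory, "kevin", "N3w-pass", write_back)


if __name__ == "__main__":
    for patched in (False, True):
        after = run(patched)
        print("patched" if patched else "stock  ",
              "pwdLastSet=", after["pwdLastSet"],
              "pwdMustChange=", after["pwdMustChange"])
```

Running it reproduces the symptom from the first post: in the stock sequence pwdLastSet becomes NOW while pwdMustChange reverts to its pre-change value, even though the passwd program did set it; with pwdMustChange removed from the write-back list, the value the script wrote survives. The general lesson for any read-modify-write around an external hook is to write back only the attributes you actually changed, or re-read the entry after the hook runs.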