samba - Nov 2004 - Samba3 + LDAP - w2k says it couldn't change password (but it did)

Hello,

I have a following test environment:

1) Samba PDC + OpenLDAP Slave (192.168.1.2)
2) OpenLDAP Master (192.168.1.1).

Whatever is changed/added on the Master, it gets replicated to Slave.

Now, when a user is logged in, and tries to change the password - he/she must
supply the old password, and twice new one (normal behaviour).

After pressing OK the user is said that the password wasn't changed, check
BIG/small characters etc. (although old password and new were correctly typed).

However, the password was changed in LDAP master, and replicated to the slave -
so after a logout, user can log in with a new password (though this user was
said that the password wasn't changed).

This is what I have in log.machine with log level = 9:

[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(519)
  decode_pw_buffer: incorrect password length (-954408756).
[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(520)
  decode_pw_buffer: check that 'encrypt passwords = yes'


The log is the same whether I have "encrypt passwords = yes" or
don't have it at all.

Any clue?

Tomek


----------------------------------------------------------------------
Startuj z INTERIA.PL!!! >>> http://link.interia.pl/f1837

mangoo@interia.pl wrote:
> [2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(519)
>   decode_pw_buffer: incorrect password length (-954408756).
> [2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(520)
>   decode_pw_buffer: check that 'encrypt passwords = yes'


I thought maybe it has something to do with "passwd sync program", as 
thee output it gives is different as in examples hanging around (in 
examples it is like below:

passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*passwd:*all*authentication*tokens*updated*

In my case (I use smbldap-tools 0.85) it's like that:

# /usr/local/sbin/smbpasswd
Changing password for bella
New password :
Retype new password :
#

So I changed this line to:

passwd chat = *Changing*password*for*'%u'*\n *New*password* %n\n 
*Retype*new*password* %n\n*

And now it says I don't have necessary permissions to change the password.

Any clue?









Below my smb.conf (passwd chat is like above though, I tried other 
possibilities too):

[global]
unix charset = LOCALE
workgroup = MAGISTA
netbios name = SERVER
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
#ldap filter = (uid=%u)
username map = /etc/samba/smbusers

log level = 9
syslog = 0
log file = /var/log/samba/log.%m
max log size = 50

smb ports = 139 445

name resolve order = wins bcast hosts

time server = Yes

#printcap name = CUPS
#show add printer wizard = No

encrypt passwords = yes

add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u'
'%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u'
'%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g'
'%u'

# must be %m, contrary to what HOWTOs say (they say %u)
add machine script = /usr/local/sbin/smbldap-useradd -w '%m'

;password sync
    passwd program = /usr/local/sbin/smbldap-passwd %u
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
*passwd:*all*authentication*tokens*updated*
     passwd chat = *New*password* %n\n *Retype*new*password* %n\n

   unix password sync = Yes



logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = U:

domain logons = Yes
preferred master = Yes
wins support = Yes

ldap suffix = dc=magista,dc=de
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap
ldap admin dn = cn=replica,dc=magista,dc=de
ldap replication sleep = 5000
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1000-20000
idmap gid = 500-20000
map acl inherit = Yes
#printing = cups
#printer admin = Administrator, chrisr

[Shared]
   path = /home/samba/shared
   comment = Shared folder
   browseable = yes
   writeable = yes
   create mask = 1666
   directory mask = 1777

[profiles]
   path = /home/samba/profiles
   writeable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
   browseable = no
   write list = tom

[unattended]
   comment = Installation Sources
   path = /home/unattended
   read only = yes
   browseable = no
   valid users = unattended