Markus Kahle
2008-Feb-20 10:05 UTC
[Samba] sambaPwdMustChange attribute didn't get updated (3.0.27a)
Hi there,

I got into some trouble after updating my Samba installation to 3.0.27a. My installation uses Samba 3.0.27a, OpenLDAP 2.2.13 and smbldap-tools 0.9.2 as a PDC for an NT4 domain. Originally I used the installation guide from smbldap-tools and everything worked fine. I also limited the access to LDAP as told in the installation guide with no problems.

After updating to 3.0.27a I realized that when using usrmgr.exe, the password preferences in policies -> accounts didn't get saved; only the password length option got saved. After doing some research, I managed to solve this by adding the following LDAP attributes to the access rules in slapd.conf:

sambaMinPwdLength
sambaPwdHistoryLength
sambaLogonToChgPwd
sambaMaxPwdAge
sambaMinPwdAge
sambaLockoutDuration
sambaLockoutObservationWindow
sambaLockoutThreshold
sambaForceLogoff
sambaRefuseMachinePwdChange

But one problem still exists: if Windows users change their password via the normal Windows dialog, the password got changed in LDAP and the sambaLastChange attribute got updated, BUT the sambaPwdCanChange and sambaPwdMustChange attributes didn't update, and so all the Maximum Password Age stuff, including reminding users of their password expiration and forcing users to change their password when it expires, didn't work anymore. I can't find any other possible access right problems within LDAP, so why didn't the sambaPwdMustChange attribute update?

The problem also exists when adding a new user. After the user changes his password at first login, the sambaPwdMustChange attribute didn't update.
slapd.conf digest
----------------------------------------------------------------------------------
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=nssldap,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self write
        by anonymous auth
        by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * read

access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self write
        by * read

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,
        sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,
        sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,
        sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,
        sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,
        sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaMinPwdLength,sambaPwdHistoryLength,
        sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,
        sambaForceLogoff,sambaRefuseMachinePwdChange
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self read
        by * none

access to dn.base="dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Users,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Groups,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Computers,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to *
        by self read
        by * read
----------------------------------------------------------------------------------

Thanks in advance for all hints and suggestions.

Bye, Markus Kahle
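One way to see how many accounts are affected by the behaviour described above, as an added example that is not part of the original post: it audits each user's sambaPwdMustChange against sambaPwdLastSet plus the domain object's sambaMaxPwdAge. The entries are constructed inline (real ones would come from an ldapsearch of the user and domain objects), and the values treated as "no maximum age" are an assumption to confirm against the installed Samba version.

```python
# Audit sambaPwdMustChange for consistency with sambaPwdLastSet + sambaMaxPwdAge.
NEVER = 2147483647                       # "password never expires" sentinel
NO_MAX_AGE = {"0", "-1", "4294967295"}   # assumed encodings of "no maximum age"

# Constructed sample data (not from the original post): the domain policy object
# and four user entries as attribute dicts, as an LDIF parser would return them.
DOMAIN = {"sambaDomainName": "EXAMPLE", "sambaMaxPwdAge": "7776000"}  # 90 days
USERS = [
    {"uid": "alice", "sambaPwdLastSet": "1200000000", "sambaPwdMustChange": "1207776000"},
    {"uid": "bob",   "sambaPwdLastSet": "1203000000", "sambaPwdMustChange": "1200000000"},
    {"uid": "carol", "sambaPwdLastSet": "1203000000"},   # attribute never written
    {"uid": "dave",  "sambaPwdLastSet": "1203000000", "sambaPwdMustChange": "0"},
]


def expected_must_change(last_set: int, max_age: str) -> int:
    """Expiry the domain policy implies: last change plus max age, or never."""
    if max_age in NO_MAX_AGE:
        return NEVER
    return last_set + int(max_age)


def classify(user: dict, max_age: str) -> str:
    """Return one of: consistent, forced, missing, stale."""
    last_set = int(user["sambaPwdLastSet"])
    stored = user.get("sambaPwdMustChange")
    if stored is None:
        return "missing"                 # attribute absent: expiry cannot be enforced
    stored = int(stored)
    if stored == 0:
        return "forced"                  # 0 means "must change at next logon"
    if stored == expected_must_change(last_set, max_age):
        return "consistent"
    return "stale"                       # was not recomputed after the last change


def audit(users, domain) -> dict:
    """Map uid -> classification for every user entry against the domain policy."""
    return {u["uid"]: classify(u, domain["sambaMaxPwdAge"]) for u in users}


if __name__ == "__main__":
    for uid, status in audit(USERS, DOMAIN).items():
        print(f"{uid:8s} {status}")
```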
Markus Kahle
2008-Feb-21 08:19 UTC
[Samba] Re: sambaPwdMustChange attribute didn't get updated (3.0.27a)
Hi Fabiano,

> As long as pwdmustchange implementation has been changed you should use
> an earlier version of smbldap-tools.

What do you mean? Which pwdmustchange implementation? I'm quite sure that this password stuff was working in earlier versions of Samba (e.g. 3.0.23c). I used this Samba version together with the same mentioned OpenLDAP version and smbldap-tools version, and the Windows password dialog "you have to change your password" blahblah appeared after 90 days. Now it doesn't work, so there must be some internal changes in the newer Samba versions (3.0.27a).

Bye, Markus