Hi Rowland,
Thank you.
The actual production domain name is resolvs.
The AD migration stage is still being tested and we need to get this
sorted to get a go ahead :)
I've managed to get rid of the message that comes up after the password
change; now it says the password has changed. The only issue is that it
doesn't actually change it. Tailing /var/log/syslog gives the following:
slapd[pid]: Entry (uid=psmith,ou=users,ou=resolvs), attribute 'userPassword' not allowed
entry failed schema check: attribute 'userPassword' not allowed
The above comes up right at the time the user is changing the password.
This seems to be the crux of the issue.
The samba.ldif file was obtained from the 4.3.1 binaries, as that is the
version of Samba that we have.
slapd is version 2.4.2.
- When we change the password using LDAP itself (php console) the user can
  log in with the new password.
- If we try changing the password using smbldap-tools it gives us "user
  doesn't exist".
- If we change it using smbpasswd it gives us the following (please note we
  are running this command as root):
WARNING: The "syslog" option is deprecated
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=RESOLVS))]
smbldap_open_connection: connection opened
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: psmith
init_ldap_from_sam: Setting entry for user: psmith
ldapsam_update_sam_account: successfully modified uid = psmith in the LDAP database
Only that it doesn't.
Here is our smb.conf. We also tried removing all the bits about smbldap and
using the editposix option.
[global]
workgroup = RESOLVS
netbios name = DC1
security = USER
obey pam restrictions = yes
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
os level = 50
passdb backend = ldapsam:ldap://192.168.1.1
ldap admin dn = cn=admin,dc=resolvs
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 11000-12999
idmap config *: ldap_url = ldap://localhost/
idmap config *: ldap_base_dn = ou=idmap, dc=resolvs
idmap config *: ldap_user_dn = cn=admin,dc=resolvs
ldap password sync = yes
ldapsam:editposix = yes
ldapsam:trusted = yes
unix password sync = No
We have run smbpasswd -w ldappassword.
olcSuffix: dc=resolves
olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=admin,dc=resolvs" write by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
Robin
On Thu, Apr 26, 2018 at 8:08 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 26 Apr 2018 13:57:12 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > I tried that but didn't work.
> > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > # CRC32 9033b998
> > dn: olcDatabase={1}hdb
> > objectClass: olcDatabaseConfig
> > objectClass: olcHdbConfig
> > olcDatabase: {1}hdb
> > olcDbDirectory: /var/lib/ldap
> > olcSuffix: dc=testdom
> > olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by
> >   dn="cn=admin,dc=testdom" write by self write by * none
> > olcAccess: {1}to attrs=shadowLastChange by self write by * read
> > olcLastMod: TRUE
> >
> > smb.conf
> > add user script = /usr/sbin/smbldap-useradd -m '%u'
> > delete user script = /usr/sbin/smbldap-userdel '%u'
> > add group script = /usr/sbin/smbldap-groupadd -p '%g'
> > delete group script = /usr/sbin/smbldap-groupdel '%g'
> > add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
> > delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
> > add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> > passwd program = /usr/sbin/smbldap-passwd -u %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
> >
> > I get the same message whatever I try, even using smbpasswd %u doesn't
> > work. If I do ctrl+alt+del and put some rubbish entry in the existing
> > password, it doesn't even tell me that the existing password is wrong.
> >
>
> One problem (and Louis has already pointed this out) smbldap-tools
> appears to be a dead project, so it is highly unlikely you will get
> this fixed, if it is the culprit.
>
> The thing is, you have this: olcSuffix: dc=testdom
>
> Are you using this in production ? or is this just a test domain ?
> If it is a test domain, then can I suggest you replace it with a test
> AD domain. If it is production, can I urge you to upgrade to an AD
> domain.
>
> It seems that either your ldap setup is totally incorrect or your
> windows machines cannot talk to your ldap server, I would go with the
> latter.
>
> Rowland
>
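As an added illustration of the slapd message quoted at the top of this thread (this is not code from Samba, OpenLDAP or any poster): slapd's schema check refuses a write when the attribute being written is neither MUST nor MAY in any objectClass the entry carries, superiors included, and the refusal is independent of any olcAccess rule granting write. The model below reproduces that check for userPassword over a constructed entry and lists the standard classes that would permit it. The SCHEMA table is a hand-copied subset of the core, cosine, nis and samba schemas (only the attributes needed here); the DN, SID and hash in SAMPLE_LDIF are made up.

```python
"""
Simplified model of the objectClass/attribute schema check slapd applies on
write.  Added illustration, not code from Samba, OpenLDAP or the thread.
SCHEMA is a hand-copied subset of the core, cosine, nis and samba schemas;
SAMPLE_LDIF is a constructed entry.
"""
from typing import Dict, List, Optional, Set

# objectClass -> (superior class, attributes it permits as MUST or MAY).
# Lower-cased because LDAP schema names are case-insensitive.
SCHEMA: Dict[str, tuple] = {
    "top": (None, {"objectclass"}),
    "account": ("top", {"uid", "description", "seealso", "l", "o", "ou", "host"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                             "userpassword", "loginshell", "gecos", "description"}),
    "shadowaccount": ("top", {"uid", "userpassword", "shadowlastchange", "shadowmin",
                              "shadowmax", "shadowwarning", "shadowinactive",
                              "shadowexpire", "shadowflag", "description"}),
    "person": ("top", {"sn", "cn", "userpassword", "telephonenumber", "seealso",
                       "description"}),
    # sambaSamAccount carries the NT/LM hashes but NOT userPassword.
    "sambasamaccount": ("top", {"uid", "sambasid", "cn", "sambalmpassword",
                                "sambantpassword", "sambapwdlastset",
                                "sambapwdcanchange", "sambapwdmustchange",
                                "sambaacctflags", "displayname", "sambahomepath",
                                "sambaprimarygroupsid"}),
}


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (no base64, no folded lines) into attr -> values."""
    entry: Dict[str, List[str]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def allowed_attributes(object_classes: List[str]) -> Set[str]:
    """Union of attributes permitted by each objectClass and all its superiors."""
    allowed: Set[str] = set()
    for oc in object_classes:
        name: Optional[str] = oc.lower()
        while name:
            if name not in SCHEMA:
                # What you get when e.g. samba.ldif was never loaded into cn=config.
                raise ValueError(f"objectClass {oc!r} not defined in loaded schema")
            sup, attrs = SCHEMA[name]
            allowed |= attrs
            name = sup
    return allowed


def schema_check(entry: Dict[str, List[str]], attribute: str) -> Optional[str]:
    """slapd-style error for writing `attribute` to `entry`, or None if it passes."""
    if attribute.lower() not in allowed_attributes(entry.get("objectclass", [])):
        return f"entry failed schema check: attribute '{attribute}' not allowed"
    return None


def classes_permitting(attribute: str) -> List[str]:
    """objectClasses in SCHEMA whose MUST/MAY include the attribute (candidates to add)."""
    return sorted(name for name, (_, attrs) in SCHEMA.items()
                  if attribute.lower() in attrs)


# Constructed sample: a Samba account that never got a POSIX/shadow/person
# class, so nothing in its objectClass list carries userPassword.  SID and
# hash are placeholders.
SAMPLE_LDIF = """
dn: uid=psmith,ou=users,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: sambaSamAccount
uid: psmith
sambaSID: S-1-5-21-1000-2000-3000-1001
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""


def demo() -> tuple:
    """Run the check before and after adding shadowAccount, as an ldapmodify would."""
    entry = parse_ldif(SAMPLE_LDIF)
    before = schema_check(entry, "userPassword")
    fixed = dict(entry)
    fixed["objectclass"] = entry["objectclass"] + ["shadowAccount"]
    after = schema_check(fixed, "userPassword")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after adding shadowAccount:", after)
    print("classes permitting userPassword:", classes_permitting("userPassword"))
```

Against a live directory the same question is answered by `ldapsearch -x -LLL -b 'ou=users,dc=example,dc=com' '(uid=psmith)' objectClass`: if none of the listed classes is posixAccount, shadowAccount or person (or a subclass such as inetOrgPerson), slapd will refuse userPassword no matter what the ACL says, and `ldap passwd sync = yes` will keep asking Samba to write it on every password change.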