Matt Stucky (Office)
2006-Nov-28 00:55 UTC
[Fedora-directory-users] Samba LDAP password sync
Hi All,
I've set up FDS as the ldap back end for a Samba PDC. It is working
well, but I'm having a problem with Windows users changing their
password from Windows. When I use "ldap passwd sync = yes" (in the
samba config) Windows users receive an error message when they attempt
to change their password. What actually happens is their Samba/NT
passwords are changed, but the posix password is not. If I use "ldap
passwd sync = no" (default) then the users can successfully change their
passwords but, as per the smb.conf man page, only the Samba/NT passwords
are changed, not the posix password. I have FDS, User Admin tool
(Webmin - LDAP users and Groups), and /etc/ldap.conf set to use MD5 for
password hashing.
If, on the server, I run "smbpasswd test_user" and attempt to change a
user's password that way, it gives me the error:
---------------
ldapsam_modify_entry: LDAP Password could not be changed for user
test_user: Confidentiality required
Operation requires a secure connection.
Failed to modify entry for user test_user.
Failed to modify password entry for user test_user
---------------
It looks like FDS requires SSL in order for a user's posix password to
be changed from Samba/Windows. I need to have the Samba and posix
passwords synchronized. Do I need to set up SSL for that to work, or is
there something else I am missing? I found a post where someone used
"unix password sync = yes" with smbldap-passwd for the password program
as a workaround for this same problem, but I would prefer the tidier and
simpler "ldap passwd sync = yes". Has anyone run into this and figured
out how to make it work?
- Matt
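An added example (editor's, not from the thread) that lints an smb.conf [global] section for the combination described above. It assumes that the "Confidentiality required / Operation requires a secure connection" error means the directory server refuses the LDAP Password Modify extended operation (what Samba issues for "ldap passwd sync = yes") over a cleartext connection, so Samba's LDAP connection must be ldaps:// or ldap:// with "ldap ssl = start tls"; the two smb.conf fragments are constructed samples.

```python
"""Lint smb.conf for 'ldap passwd sync' over a cleartext LDAP connection.
Assumption: the server rejects the Password Modify extended operation
(LDAP result 13, Confidentiality required) unless the connection is TLS."""
import configparser
import re

# Constructed smb.conf fragments: the failing setup and the TLS-enabled one.
WEAK_CONF = """[global]
passdb backend = ldapsam:ldap://localhost
ldap passwd sync = yes
"""
FIXED_CONF = """[global]
passdb backend = ldapsam:ldap://localhost
ldap ssl = start tls
ldap passwd sync = yes
"""

def parse_global(text):
    """Return the [global] section as a dict (configparser lower-cases keys)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp["global"].items()}

def ldap_uris(passdb_backend):
    """URIs named by an ldapsam backend; Samba uses ldap://localhost if none."""
    m = re.search(r'ldapsam(?::(?:"([^"]*)"|(\S+)))?', passdb_backend)
    if not m:
        return []                      # not an LDAP backend at all
    location = m.group(1) or m.group(2) or "ldap://localhost"
    return location.split()

def check_passwd_sync(conf):
    """List the LDAP URIs on which 'ldap passwd sync' would be rejected."""
    sync = conf.get("ldap passwd sync", "no").lower()
    if sync not in ("yes", "only"):
        return []                      # Samba never touches userPassword
    start_tls = conf.get("ldap ssl", "off").lower() == "start tls"
    findings = []
    for uri in ldap_uris(conf.get("passdb backend", "")):
        confidential = uri.startswith("ldaps://") or (
            uri.startswith("ldap://") and start_tls)
        if not confidential:
            findings.append(f"{uri}: ldap passwd sync = {sync} over cleartext "
                            "LDAP; expect 'Confidentiality required' (13)")
    return findings
```

Running check_passwd_sync(parse_global(WEAK_CONF)) reports the localhost URI, while the FIXED_CONF fragment passes with an empty list.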
On Tue, 2006-11-28 at 10:55 +1000, Matt Stucky (Office) wrote:
> simpler "ldap passwd sync = yes". Has anyone run into this and figured
> out how to make it work?
----
my guess is that you have something wrong with your 'password chat
script' in smb.conf or possibly something amiss in smbldap configuration
because it does work.

Craig
Matt Stucky (Office)
2006-Nov-28 01:28 UTC
Re: [Fedora-directory-users] Samba LDAP password sync
As I understand it, the password chat is only used with "unix password
sync" and is not used with "ldap passwd sync". Are you using MD5 for
your passwords?

-Matt

Craig White wrote:
> my guess is that you have something wrong with your 'password chat
> script' in smb.conf or possibly something amiss in smbldap configuration
> because it does work.
>
> Craig
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Tue, 2006-11-28 at 11:28 +1000, Matt Stucky (Office) wrote:
> As I understand it, the password chat is only used with "unix password
> sync" and is not used with "ldap passwd sync".
----
I missed that detail - I use unix password sync and have never used ldap
password sync and thus the chat.
----
> Are you using MD5 for your passwords?
----
no - crypt
----
> -Matt
----
Craig
On Mon, 2006-11-27 at 19:09 -0700, Craig White wrote:
> On Tue, 2006-11-28 at 11:28 +1000, Matt Stucky (Office) wrote:
> > Are you using MD5 for your passwords?
> ----
> no - crypt
----
correction...on the system that I am using with fedora directory server,
I see that it is using md5

Craig