NSC - NetworkServiceCenter
2002-Jun-13 06:05 UTC
[Samba] with ldap - samba - password sync - domain group map - login message
hello list! first: sorry for my english and the long mail, but i REALLY need help!

i want to kick the nt4 pdc in our network and thought to realize single sign on with samba and ldap. i made two testservers: the first test was with suse linux 7.3 with latest openldap, pam_ldap, nss_ldap and samba 2.2.3a (i compiled all components myself!). the second was with suse linux 8.0 with openldap, pam_ldap, nss_ldap (these three components are the standard rpm's from suse 8.0) and samba 2.2.4 (latest rpm from the suse samba-developer). the basic systems worked and all problems i'm going to describe occurred in both test environments!

1. after login from w2k i get the message that the password expires and asks me if i want to change. if i change or not, at next logon the situation is the same, but i can login over a few weeks without password change.
- the only information i found about in the web is that i can set the user's pwdLastSet to -1, but, on the one hand, it doesn't work and on the other hand, if anyone changes his password this field would be overwritten automatically and the old problem starts again.

2. the unix password sync doesn't work. but i think there are two different problems, but let me describe: if i activated the password sync, i got on the w2k client the error "username or password wrong ....". if it's not activated, the password change works!! so i checked the log and thought i'm silly as i saw the following rows (!!!!!!):

[2002/06/13 15:33:23, 10] smbd/chgpasswd.c:dochild(211)
Invoking '/etc/ldappwdsmb test' as password change program.
[2002/06/13 15:33:26, 100] smbd/chgpasswd.c:expect(265)
expect: expected [New password: ] received [New password: ] match no
[2002/06/13 15:33:28, 100] smbd/chgpasswd.c:expect(265)
expect: expected [New password: ] received [] match no
[2002/06/13 15:33:28, 10] smbd/chgpasswd.c:expect(276)
expect: returning False
[2002/06/13 15:33:28, 3] smbd/chgpasswd.c:talktochild(302)
Response 1 incorrect

after this i made a test where the chat isn't activated and the passwd program is a shell-script that only writes a text into a file. at the next try there was no logging like the lines above, the passwd program ended normally (because the text was in the file), but the w2k client told again that username or password is wrong! so i think that these are two different problems, but i can't understand!

3. the domain group map doesn't work! i found a lot of descriptions about it and all were the same. so, i thought i'm on the right way and made it like these descriptions, but at samba 2.2.3a there was shown only one group named with hieroglyphs. at 2.2.4 no group is shown from my map-file, but there are shown the groups domain admins and domain users - could anyone tell me where these groups are configured in samba? i need the group mapping because we have one w2k database and fileserver and i can't kick it.

please help me
thank you very much
regards, thomas reisenbichler
IOhannes zmoelnig
2002-Jun-13 07:07 UTC
[Samba] with ldap - samba - password sync - domain group map - login message
NSC - NetworkServiceCenter wrote:
> hello list!
> the basic systems worked and all problems i'm going to describe occurred in
> both testenvironments!
>
> 1. after login from w2k i get the message, that the password expires and
> asks me if i want to change. if i change or not, at next logon the
> situation is the same, but i can login over a few weeks without
> passwordchange.
> - the only information i found about in the web is, that i can set the
> users pwdLastSet to -1, but, on the one hand, i doesn't work and on the
> other hand, if anyone changes his password this field would be overwritten
> automatically and the old problem starts again.

some report that the account flags have to be [UX ] (with added X), which means that the password will not expire. however, i think this didn't work for me. my solution (found in some ldap-samba-pdc-howto) was to set the pwdMustChange to 2147483647 (which is far in the future: 2030 or something)

> 2. the unix password sync doesn't work. but i think there are two different
> problems, but let me describe: if i activated the password sync, i got on

you have to set the password chat to something that reflects your system's password chat (obviously). on my system, when i try to change my password (with correct pam.d/passwd, pam_ldap.conf etc.) with "passwd" i get the following dialog:

<snip>
New password:
Re-enter new password:
</snip>

so the password chat in [global] is as follows:

passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n .

> 3. the domain group map doesn't work! i found a lot of descriptions about

i have not tried this yet, but i think that 2.2.3a does not support domain-group-mapping (but 2.2.4 should ???)

mfg.cd.sadf IOhannes
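As an added illustration (not code from either poster or from Samba itself), the script below walks a `passwd chat` of the form quoted in the reply step by step against the prompts a passwd program prints, and reports each step the way the `expect:` lines in the first post do. The chat parsing and the `*` wildcard matching are simplified assumptions, and the prompt sequences are constructed, including one where the program prints nothing at the second step.

```python
import fnmatch

# Chat string quoted in the reply above (\s is a literal space inside a token).
CHAT = r"*New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n ."

def parse_chat(chat: str) -> list[tuple[str, str]]:
    """Split a chat string into (expect, send) pairs. Tokens alternate
    expect / send; a trailing lone token (the final "." above) gets "."
    as its send, i.e. 'send nothing'. Simplified, not Samba's own parser."""
    tokens = [t.replace(r"\s", " ") for t in chat.split()]
    if len(tokens) % 2:
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))

def expand_send(send: str, new_pw: str) -> str:
    """Expand %n (the new password) and \\n; "." sends nothing."""
    if send == ".":
        return ""
    return send.replace("%n", new_pw).replace(r"\n", "\n")

def run_chat(chat: str, prompts: list[str], new_pw: str):
    """Drive the chat against the prompts a passwd program would print.
    Returns (ok, transcript, sent); transcript holds (expected, received,
    matched) per step, like Samba's debug-level-100 'expect:' lines. An
    empty 'received' models the child printing nothing or exiting early."""
    transcript, sent, queue = [], [], list(prompts)
    for expect, send in parse_chat(chat):
        received = queue.pop(0) if queue else ""
        # "." as expect waits for nothing; otherwise a case-insensitive
        # '*' wildcard match (fnmatch approximates Samba's matching).
        matched = expect == "." or fnmatch.fnmatchcase(received.lower(), expect.lower())
        transcript.append((expect, received, matched))
        if not matched:
            return False, transcript, sent  # talktochild: "Response N incorrect"
        payload = expand_send(send, new_pw)
        if payload:
            sent.append(payload)
    return True, transcript, sent

if __name__ == "__main__":
    # Constructed dialogues: the prompts from the reply, then one where the
    # program prints nothing at step two (as in the first post's log).
    for prompts in (["New password: ", "Re-enter new password: "], ["New password: ", ""]):
        ok, transcript, _ = run_chat(CHAT, prompts, "example-pw")
        for expected, received, matched in transcript:
            print(f"expect: expected [{expected}] received [{received}] match {'yes' if matched else 'no'}")
        print("password change", "accepted" if ok else "rejected")
```

When a step prints `match no`, the chat pattern and the real prompt text of the configured `passwd program` disagree, which is the first thing to compare before suspecting the LDAP side.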