Sorry to self reply, but I omitted an important detail: winbind cache
time is configured to be 0. Thus, I think the caching must likely be
happening in the smbd side. BTW: If you're interested, you can visit
http://briefcase.yahoo.com/ldrivera in the "My Documents" folder you
should find two files whose names are kinda self-explanatory: one for RH
7.2, one for Mandrake 8.2.
These files contain all the configs I use to achieve password sync. An
explanatory document is there as well (README), so give that a read as
well.
Best
Diego
On Wed, 2002-11-27 at 13:31, Diego Rivera wrote:
> Hi all,
>
> I've run into what I believe to be a funky bug in Samba 2.2.7. Here's
> the scenario description (all Linux, all Samba 2.2.7, all same versions
> of LDAP software, etc.):
>
> Environment:
> 1 Samba PDC w/LDAP backend
> 2 Samba Clients joined to the PDC w/valid mach. accounts, etc.
>
> Clients are configured as follows:
>
> - PAM auth and password changes are done using winbind through PDC
> (thus affecting SSH, login, etc.)
> - account info is fetched through LDAP (getent goes through LDAP)
> (to avoid winbind non-deterministic uid assignments)
>
> PDC Server is configured as follows:
>
> - PAM auth is done through LDAP
> - account info is fetched through LDAP (getent goes through LDAP)
> - Samba syncs passwords through PAM, which in turn updates LDAP
> and /etc/shadow if applicable (pam_ldap, pam_unix)
> - All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
> if applicable (pam_unix) and Samba (pam_smbpass) (can't use
> pam_winbind from the same machine which is a PDC)
>
> Here's the test Scenario:
>
> 1) All machines are up, passwords are "reset" (to initial, known
> and controlled values)
> 2) Log in to both clients as a regular user using PASSWORD-1
> 3) use passwd to change the password on Client-1
> - Authenticate using the active password (PASSWORD-1) when
> asked to, and change to PASSWORD-2
> 4) use passwd to change the password on Client-2
> - Authenticate using the active password (PASSWORD-2) when
> asked to, and change to PASSWORD-3 (this one takes a while,
> but is successful in the end)
> 5) logon to either client with PASSWORD-3 fails (this is WRONG,
> as this is the last value set for the password in the PDC)
> 6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
> as the last password value set in the PDC is PASSWORD-3)
>
> **** BUT ****
>
> 7) Do one of:
>
> - Re-start WINBIND on both clients
> - Re-start Samba on the PDC
>
> 8) logon to either client now works with PASSWORD-3 (the correct
> behavior)
>
> So, is WINBIND caching passwords? Maybe the Samba processes @ PDC?
> Maybe this is LDAP-related?
>
> Anybody want to track this down? Do you want me to produce logs? What
> settings should I use to produce logs that would be useful?
>
> I realize this is a kind of extreme example (i.e., in the real world,
> users will likely NOT be logged in to multiple machines AND changing
> their passwords in this manner).
>
> But still, we should kill bugs as they appear!
>
> Best
>
> Diego
>
> PS/ The PDC/PDC-client related conf's I've come up with are pretty much
> cookie-cutter by now, so I'm probably going to post them as an RPM
> somewhere with instructions. Using this, it's possible to achieve
> transparent password sync between Unix (LDAP) and Samba passwords (thus
> affecting Windows clients as well). I'll keep interested parties posted
> on this.
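A small check for the failure mode described in steps 5 and 6 above, added here as an example and not part of the original post or of Samba: run on a domain member after a password change, it asks the local winbindd (via wbinfo) whether the new password is accepted and whether any superseded password is still accepted. It assumes wbinfo(1) is installed and that `wbinfo -a USER%PASSWORD` exits 0 only on successful authentication; the user and password values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself: after a
# password change, confirm on a domain member that only the newest password
# is accepted by the local winbindd. Assumes wbinfo(1) from the Samba winbind
# package and that "wbinfo -a USER%PASSWORD" exits 0 only on a successful
# authentication (an assumption; check your version's wbinfo usage).

# auth_ok USER PASSWORD: exit 0 when winbindd accepts the pair.
auth_ok() {
  wbinfo -a "$1%$2" >/dev/null 2>&1
}

# verify_rotation USER CURRENT [SUPERSEDED...]: report stale credentials.
# Returns 0 only if CURRENT is accepted and every SUPERSEDED password is
# rejected; any other outcome points at a cached or unpropagated password.
verify_rotation() {
  user=$1
  current=$2
  shift 2
  rc=0
  if ! auth_ok "$user" "$current"; then
    echo "FAIL: current password rejected for $user (change not propagated?)"
    rc=1
  fi
  for old in "$@"; do
    if auth_ok "$user" "$old"; then
      echo "FAIL: superseded password still accepted for $user (stale cache?)"
      rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then
    echo "OK: only the current password authenticates for $user"
  fi
  return "$rc"
}

# Usage: verify_rotation.sh USER CURRENT_PASSWORD [OLD_PASSWORD...]
if [ "$#" -ge 2 ]; then
  verify_rotation "$@"
fi
```

Because wbinfo takes the password on the command line, it is visible in the process list while the check runs, so use it with the throwaway test accounts from the reproduction rather than real users. A non-zero exit after step 4 on both clients, followed by a zero exit after restarting winbind, confirms the caching behaviour the post describes.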