Hi,

I am currently trying to set up a Samba PDC as a replacement for a Windows NT PDC (that's the good news). I already have a running OpenLDAP 2.1.4-86 with the OUs people, groups and computers. I have also already added users to it (with a modified version of the migration tools). pam_ldap and nss_ldap are also working (I can log in to my Unix machine with the LDAP users, and I can get the usernames for UIDs which belong to LDAP users).

Users can also already log into the PDC, but at the first login they get the message that they should change their passwords (because pwdMustChange is 0 at the first login). If they then try to change the password, it doesn't work (server log: PANIC: failed to set gid). If they log in without changing the password, then hit Ctrl-Alt-Del and change the password, it works (why??).

My guest account is smbguest - smbguest is in the LDAP directory with no password (smbldap-passwd smbguest with null values). When I look at the logs, I very often see that something is trying to authenticate smbguest and fails because of an invalid password - why is that?

For changing the user passwords I've taken the smbldap-passwd.pl script and modified it so that pwdMustChange gets set to now()+30days and pwdLastSet gets now() (why isn't that in the standard script?). This works perfectly when I change a password in the shell, but when a password gets changed from Windows, the password gets changed but the pwdMustChange and pwdLastChange values don't get modified (why?).

My Samba version is: samba-2.2.5-177 with LDAP support ;-)
OS: SLES 8.0
And I have already read every howto which I found on Google.

For my general understanding: what exactly happens when a user on a Windows machine wants to change his password? Is it: Samba gets the request and only calls the program specified in passwd program? Or does it do anything else?
Here is a piece of my smb.conf:

    workgroup = DIALOG-TELEKOM
    netbios name = ZION
    interfaces = eth0
    bind interfaces only = Yes
    security = user
    encrypt passwords = Yes
    null passwords = Yes
    username map = /etc/samba/usermap
    log level = 2
    syslog = 0
    time server = Yes
    unix extensions = Yes
    kernel oplocks = Yes
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    printcap name = CUPS
    add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
    logon path = \\%N\profiles\%u
    logon script = logon.bat
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd.pl -o %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*successfully*
    logon drive = U:
    domain logons = Yes
    os level = 255
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    printing = cups
    veto files = /*.eml/*.nws/riched20.dll/*.{*}/
    browseable = No
    guest account = smbguest
    domain admin group = @sambaadmin
    admin users = @sambaadmin
    printer admin = @sambaadmin
    # ldap parameters
    ldap admin dn = "cn=administrator,dc=dialog-telekom,dc=at"
    ldap server = localhost
    ldap ssl = off
    ldap port = 389
    ldap suffix = "ou=people,dc=dialog-telekom,dc=at"

And here is the part I've added to smbldap-passwd:

    changetype: modify
    replace: pwdMustChange
    pwdMustChange: $pwdmustchange
    -
    changetype: modify
    replace: pwdLastSet
    pwdLastSet: $pwdlastset

I think I will go to the Samba presentation tomorrow in Linz/Vienna and look for a Samba expert ;-)

Kind regards,
Wolfgang Pichler