Toby Schaefer
2003-Dec-18 23:33 UTC
FW: [Samba] Samba 3 PDC with LDAP - Error when changing user password from windows
Sorry to annoy, but for clarity comments are posted in-line.

-----Original Message-----
From: s.jousse@free.fr [mailto:s.jousse@free.fr]
Sent: Thursday, December 18, 2003 4:31 PM
To: toby-list@mail.nixa.k12.mo.us; samba@lists.samba.org
Subject: Re: [Samba] Samba 3 PDC with LDAP - Error when changing user password from windows

|1. Yes, I tried these lines and in the logs there was a failure in
|response 3 "match no". When I manually ran smbldap-passwd.pl in xterm, I saw
|that there's never a "successfully" message when the password is changed
|with success. I looked at the code (luckily it's Perl ;o)), and I didn't see
|any "print "success"" or "print "password changed"". So, I added it myself
|and now it passes Response 3 correctly (match yes) like you see in the
|logs.
|--> Maybe I made a mistake when changing the script like that, I just added
|a print just before "exit 0"...

Well, if you've messed in Perl at all, it's uncommon you'd mess up the
script by adding a print before the exit. The correct "Response" from the
script is an exit with errorlevel 0, which implies success.

|2. I only changed the script like I just said in the answer above... I got
|smbldap-tools on samba.idealx.org, in the menu on the right side, but I'm
|looking better now, and this version is 0.8.1 and on the page there's a
|0.8.2 version... I'll try 0.8.2 tomorrow to see why there are still 2
|connections. Which are better: the ones in the Samba 3 tarball (I don't
|see a version number in the scripts) or the ones at the idealx website?
|
|--> I just looked at the code of smbldap-passwd.pl and there's still no
|"print "success""...

I'm not seeing in the code which version you may be speaking of. I know
that I am running v 1.26 according to the smbldap_tools.pm header. When I
set up this server, I downloaded the most recent version of the tools off
of samba.idealx.org's site; they have been working fine for me.

|3. Sorry, I don't understand exactly...
|--> I just know that my password is changed with success despite the
|error popup on Windows.

Well, the way to check to see if the passwords are *really* updating as
they should be is to [ok, all hashes should be examined if you want to
REALLY check, but sambaLMPassword is the hash that your logs are
indicating a malfunction on.]

- set your password to something for user BOB <for example, of course>.
- smbldap-usershow BOB
- notice / write down the sambaLMPassword value shown.
- run smbldap-passwd bob (or change the password from another box, it's
  all good)
- smbldap-usershow BOB again
- make sure that the sambaLMPassword values are different.

If it did not change, all your hashes are not updated and some will still
be using the old password.

|4. The default passwd chat failed on Response 3; this is in my answer to
|the 1st question.
|I took the schema from the samba tarball (examples/LDAP/samba.schema), maybe
|it was corrupted or modified by error, I'll see tomorrow too (too many
|things to do tomorrow! :o))
|--> In what order must I add samba.schema in slapd.conf? I put it after all
|the others (cosine.schema, nis.schema, ...)

Order:
core.schema
cosine.schema
nis.schema
inetorgperson.schema
samba.schema

|5. (Added myself) I set up pam_ldap and nss_ldap (from PADL software). I
|modified these files: /etc/nsswitch.conf, /etc/ldap.conf and some in
|/etc/pam.d/ (system-auth, su, ssh, ...). I don't have any Linux user, ALL
|my users are in LDAP (except for system users like root, bin, postfix,
|mysql, ...). I'll mostly control the server by ssh or web interface, and
|rarely on the machine itself (console or X mode). I have several questions:
|a) Must I put system users in LDAP, or is just /etc/passwd enough?

Depends on how you set up the system. If you use authconfig to have the
local system use LDAP for its passwords, then you must put all users in
LDAP.

I'm not an expert on the merits of this; however, all I've read always
indicates to use LDAP as the backend on the machine itself, so based on
others' advice, I will passively say to do it.

|b) Which files in /etc/pam.d/ must I modify to have my services and
|password sync work?

Didn't use pam or nss; are you running from an older how-to on your setup?
I know that several articles on 2.2.x would have you set it up that way,
but samba3 is much *much* better at PDC stuff (thanks guys!)

|c) I built Samba without --with-pam and --with-pam_smbpass, is it a mistake
|or is it good? And what are these options exactly in simple words, I didn't
|understand the docs...

Again, old docs?

|d) Is there a doc that explains well how to install Samba 3 in the PDC role
|using an LDAP backend? If there's one, I didn't find it. I took little
|parts from several docs, and most are for Samba 2.2.

Aha! Yes, there are several docs available. First, I must say that John
Terpstra has compiled a WONDERFUL set of how-to's for Samba3. You can
purchase it through your local bookstore, or download the PDF at
http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.pdf . May I suggest
you purchase this book to help support his work, and simply because it's
an excellent samba reference.

Also, if you are looking for a good step-by-step for setting up Samba3
with LDAP, Carl Weiss has made an excellent how-to for Samba3 setup with
an OpenLDAP backend on RedHat 9. It is available at
http://ninja.carlweiss.com:81/Samba3-redhat9-openldap.html . Both are
excellent references; Mr. Weiss's is a darn near keystroke-by-keystroke
method.

|e) In the log, I saw that when a user under WinXP opens a session on the
|domain, Samba searches for a guest, nobody group or user in LDAP and
|afterwards it connects with Manager (my LDAP admin) and does the
|authentication process. Why is it searching for guest or nobody?
|
|Thank you very much for your help and advice!
|Sebastion Jousse.

I would have to see what you are trying to do exactly in the log files. As
far as why samba uses permissions internally -- I'm sure that Jerry Carter
or some of the really knowledgeable people out there can explain it. I
could hazard a guess, but it would be safe to say in general: That's how
they made it work with M$'s products.

----- Original Message -----
From: "Toby Schaefer" <toby-list@mail.nixa.k12.mo.us>
To: <samba@lists.samba.org>
Sent: Thursday, December 18, 2003 6:57 PM
Subject: RE: [Samba] Samba 3 PDC with LDAP - Error when changing user password from windows

> From what it looks like, you are most likely set up correctly... A few
> questions:
>
> 1. In your smb.conf, is pw change as such:
>
> passwd chat debug = Yes
> passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
>
> (I'm guessing it is due to your logs showing it correctly.)
>
> 2. It seems that it's dying trying to open a second connection to your
> LDAP server that it isn't closing. Have you the latest smbldap-tools (the
> ones that came with Samba3?), and have you modified them at all.
>
> 3. You may want to do a test - It seems to not be updating all your tokens
> correctly. To test this, make a note of what the sambaLMPassword is, then
> try to change the password. See if this value changes. If it doesn't, then
> it's going to get rather confusing having multiple hashes!
>
> 4. Finally, has the password chat ever worked over there? It's working in
> our domain beautifully; however, YMMV. :) If it has never worked
> correctly, I'd at this point look to make sure your schema is correct and
> that somehow the sambaLMPassword portion didn't get hosed during setup.
>
> Cheers,
>
> Toby Schaefer

-- 
Toby Schaefer
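The before/after sambaLMPassword comparison described in the reply above, scripted as an added example that is not part of this thread: it takes two smbldap-usershow dumps (assumed to be "attribute: value" lines) and names every Samba hash that did not change, covering sambaNTPassword as well as the LM hash; the dumps and hashes below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare the Samba hash attributes in two
# smbldap-usershow dumps (before and after a password change) and name any hash
# that stayed the same. Assumes smbldap-usershow prints "attribute: value"
# lines; the dumps below are constructed, with placeholder hashes.

# Print the first value of attribute $1 found in dump file $2.
ldif_attr() {
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# Print each hash attribute whose value is missing or unchanged between the
# dumps. Returns 0 when every hash changed, 1 when at least one is stale
# (a stale LM or NT hash still authenticates the old password for that
# protocol).
unchanged_hashes() {
    uh_before=$1 uh_after=$2 uh_rc=0
    for uh_attr in sambaLMPassword sambaNTPassword; do
        uh_old=$(ldif_attr "$uh_attr" "$uh_before")
        uh_new=$(ldif_attr "$uh_attr" "$uh_after")
        if [ -z "$uh_new" ] || [ "$uh_old" = "$uh_new" ]; then
            echo "$uh_attr"
            uh_rc=1
        fi
    done
    return $uh_rc
}

# Constructed dumps standing in for "smbldap-usershow bob" before and after
# "smbldap-passwd bob": only the NT hash changed, the LM hash is stale.
BEFORE_DUMP=$(mktemp) && AFTER_DUMP=$(mktemp)
cat > "$BEFORE_DUMP" <<'EOF'
dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 11111111111111111111111111111111
EOF
cat > "$AFTER_DUMP" <<'EOF'
dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 22222222222222222222222222222222
EOF

if unchanged_hashes "$BEFORE_DUMP" "$AFTER_DUMP"; then
    echo "all Samba hashes changed"
else
    echo "stale hash(es) listed above: the old password is still valid there"
fi
```

On a live server, replace the two heredocs with `smbldap-usershow bob > "$BEFORE_DUMP"` and `smbldap-usershow bob > "$AFTER_DUMP"` around the password change.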