samba - Dec 2003 - FW: Samba 3 PDC with LDAP - Error when changinguserpasswordfrom windows

-- Sorry to annoy, but for clarity comments are posting in-line.

-----Original Message-----
From: s.jousse@free.fr [mailto:s.jousse@free.fr] 
Sent: Thursday, December 18, 2003 4:31 PM
To: toby-list@mail.nixa.k12.mo.us; samba@lists.samba.org
Subject: Re: [Samba] Samba 3 PDC with LDAP - Error when
changinguserpasswordfrom windows

|1. yes, I tried these lines and in the logs, there was a failure in
|response 
|3 "match no". When I manually ran smbldaa-passwd.pl in xterm, I saw
that
|here's never a "successfully" meesage when the password is
changed with
|success, I looked the code (luckily it's Perl ;o)), and I didn't see
any
|"print "succes"" or "print "password
changed"". So, I added it myself and
|now, it passed the Response 3 correctly (match yes) like you see ine the
|logs.
|--> Maybe I made a mistake when changing the script like that, just added a
|print just before "exit 0"...

Well, if you've messed in perl at all, it's uncommon you'd mess up
the
script by adding a print before the exit.  The correct "Response" from
the
script is an exit with errorlevel 0, which implies success.

|2. I only changed the script like I just said in answer above... I got
|smbldap-tools on samba.idealx.org, in the menu on the right side but I'm
|looking better now, and this version is 0.8.1 and in the page, there's a
|0.8.2 version... I'll try 0.8.2 tomorrow now to see why there's still 2
|connections. Which are the better: in samba 3 tarball (i don't see version
|number in scripts) or at idealx website?
||--> I just look the code of smbldap-passwd.pl and there's still not
"print
|"success""...

I'm not seeing in the code which version you may be speaking of.  I know
that I am running v 1.26 according to smbldap_tools.pm header.  When I setup
this server, I downloaded the most recent version of the tools off of
samba.idealx.org's site, they have been working fine for me.

|3. Sorry, I don't understand exactly...
|--> I just know that my password is changed with success despite of the
|error popup on Windows.

Well, the way to check to see if the passwords are *really* updating as they
should be is to [ok, all hashes should be examined if you want to REALLY
check, but sambaLMPassword is the hash that your logs are indicating a
malfunction on.]
   - set your password to something for user BOB <for example, of course>.
   - smbldap-usershow BOB
   - notice / write down the sambaLMPassword value shown.
   - run smbldap-passwd bob (or change the password from another box, it's
all good)
   - smbldap-usershow BOB again
   - make sure that the sambaLMPassword values are different.  If it did not
change, all your hashes are not updated and some will still be using the old
password.



|4. The default passwd chat failed on Response 3, this is in my answer for
|1st question.
|I took the schema in samba tarball (examples/LDAP/samba.schema), maybe it
|was corrupted or modified by error, I'll see tomorrow too (too much things
|to do tomorrow! :o))
|--> In what order I must add samba.schema in slapd.conf? I put it after all
|others (cosine.schema, nis.schema, ...)


Order:
Core.schema
Cosine.schema
Nis.schema
Inetorgperson.schema
Samba.schema



|5. (Added myself) I setup pam_ldap and nss_ldap (from padl software). I
|modified these files: /etc/nsswitch.conf, /etc/ldap.conf and some in
|/etc/pam.d/ (system-auth, su, ssh, ...). I dont have any Linux user, ALL my
|users are in LDAP (except for system users like root, bin, postfix, mysql,
|...). I'll mostly control the server by shh or web interface, and rarely on
|the machine itself (console or X mode). I have several questions:
|a) Do I must put system users in LDAP or just in /etc/passwd is enough?

Depends on how you setup the system.  If you use authconfig to have the
local system use LDAP for it's passwords, then you must put all users in
LDAP.  I'm not an expert on the merits of this; however, all I've read
always indicates to use LDAP as the backend on the machine itself, so based
on others advice, I will passively say to do it.

|b) Wich files in /etc/pam.d/ I must modified to have my services and
|password sync work?

Didn't use pam or nss, are you running from an older how-to on your setup?
I know that several articles on 2.2.x would have you set it up that way, but
samba3 is much *much* better at PDC stuff (thanks guys!)


|c) I build Samba without --with-pam and --with-pam_smbpass, is it a mistake
|or is it good? And what are these options exactly in simple words, i didn't
|understand docs...

Again, old docs? 


|d) Is there a doc that well explain how to install Samba 3 in PDC role
|using
|LDAP backend? If there's one, I didn't find it. I took little parts
from
|several docs, and mostly are for Samba 2.2.

Aha!  Yes, there are several docs available.  First, I must say that John
Terpstra has compiled a WONDERFUL set of how-to's for Samba3.  You can
purchase it through your local bookstore, or download the PDF at
http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.pdf .  May I suggest
you purchase this book to help support his work, and simply because it's an
excellent samba reference.

Also, if you are looking for a good step-by-step for setting up Samba3 with
LDAP, Carl Weiss has made an excellent how-to for Samba3 setup with OpenLDAP
backend on RedHat 9.  It is available at
http://ninja.carlweiss.com:81/Samba3-redhat9-openldap.html .

Both are excellent references, Mr. Weiss's is a darn near
keystroke-by-keystroke method.

|e) In log, I saw that when a user under WinXP open a session on the domain,
|Samba search for a guest, nobody group or user in LDAP and after, it
|connects with Manager (my LDAP admin) and do the authentication process,
|why
|is it searching guest or nobody?

|Thank you very much for your help and advice!
|Sebastion Jousse.

I would have to see what you are trying to do exactly in the log files.  As
far as why samba uses permissions internally -- I'm sure that Jerry Carter
or some of the really knowledgeable people out there can explain it, I could
hazard a guess, but it would be safe to say in general:  That's how they
made it work with M$'s products.



----- Original Message ----- 
From: "Toby Schaefer" <toby-list@mail.nixa.k12.mo.us>
To: <samba@lists.samba.org>
Sent: Thursday, December 18, 2003 6:57 PM
Subject: RE: [Samba] Samba 3 PDC with LDAP - Error when
changinguserpasswordfrom windows


 >From what it looks like, you are most likely setup correctly... A
few
> questions:
>
> 1. In your smb.conf, is pw change as such:
>
> passwd chat debug = Yes
> passwd program =/usr/local/bin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
>
> (I'm guessing it is due to your logs showing it correctly.)
>
> 2. It seems that it's dying trying to open a second connection to your
LDAP
> server that it isn't closing.  Have you the latest smbldap-tools (the
ones
> that came with Samba3?), and have you modified them at all.
>
> 3. You may want to do a test - It seems to not be updating all your tokens
> correctly.  To test this, make a note of what the sambaLMPassword is, then
> try to change the password.  See if this value changes.  If it doesn't,
then
> it's going to get rather confusing having multiple hashes!
>
> 4.  Finally, has the password chat ever worked over there?  It's
working
in
> our domain beautifully; however, YMMV. :)  If it has never worked
correctly,
> I'd at this point look to make sure your schema is correct and that
somehow
> the sambaLMPassword portion didn't get hosed during setup.
>
> Cheers,
>
> Toby Schaefer
-- Sorry to annoy, but for clarity comments are posting in-line. 

Toby Schaefer