David Hill
2004-Jan-13 12:04 UTC
[Samba] Samba 3.0.1 + LDAP + User Password Change failure
Samba 3.0.1-03 on Mandrake 9.2 with LDAP and smbldap tools.

Can log on from W2K workstation as user, but user can't change password; get message "you do not have permission to change your password". Suspect this is what's causing the failure:

[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
  Invoking '/usr/share/samba/scripts/smbldap-passwd -o 'tstuser1'' as password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
  expect: Input/output error

Trying to use User Manager to change the password also fails, but it does allow other info in LDAP to be changed, so I assume that setting the LDAP manager password in secrets has worked OK. Have tried with and without passwd chat timeout in smb.conf. smbldap-passwd works fine from the command line on the Linux box, so LDAP appears to be working fine. Need help to see the error of my ways, as I am in the process of setting up Samba as PDC for a 130-user site, initially for Exchange e-mail user authentication.

smb.conf, logs etc. follow.

smb.conf

[global]
workgroup = SAMBA3
server string = Samba Server %v
map to guest = Bad User
obey pam restrictions = No
passdb backend = ldapsam:ldap://127.0.0.1:389
idmap backend = ldapsam:ldap://127.0.0.1:389
passwd program = /usr/share/samba/scripts/smbldap-passwd -o '%u'
# passwd chat = *: %n\\n *: %n\\n
# passwd chat timeout = 100
unix password sync = Yes
passwd chat debug = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/bin/smbldap-useradd -a '%u'
delete user script = /usr/bin/smbldap-userdel -d '%u'
add group script = /usr/bin/smbldap-groupadd -a -g '%g' && /usr/bin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2} '
delete group script = /usr/bin/smbldap-userdel -d -g '%g'
add user to group script = /usr/bin/smbldap-groupmod -m '%u' -g '%g'
delete user from group script = /usr/bin/smbldap-groupmod -x '%u' -g '%g'
set primary group script = /usr/bin/smbldap-usermod -u '%u' -g '%g'
add machine script = /usr/bin/smbldap-useradd -w -d /dev/null -s /bin/false '%m'
logon script = test.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=hill,dc=co.uk
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap admin dn = "cn=manager,dc=hill,dc=co.uk"
ldap ssl = no
ldap passwd sync = Yes
printer admin = @"Domain Admins"
hosts allow = 192.168.5., 127.
printing = lprng

[homes]
comment = Home Directories
path = /V1/users_p
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /V1/netlogon
guest ok = Yes
writable = no

[Profiles]
path = /V1/profiles
guest ok = Yes
browseable = No
available = No

[users_s]
path = /V1/users_s
public = Yes
read only = no
browseable = Yes

[printers]
comment = All Printers
path = /var/spool/samba
read only = No
create mask = 0700
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

Samba log - relevant section - I hope

  Trying _Get_Pwnam(), username as lowercase is tstuser1
[2004/01/13 09:36:53, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [tstuser1]!
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chgpasswd(465)
  Password change (as_root=Yes) for user: tstuser1
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:findpty(87)
  findpty: Allocated slave pty /dev/pts/1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(422)
  Dochild for user tstuser1 (uid=0,gid=0) (as_root = Yes)
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
  Invoking '/usr/share/samba/scripts/smbldap-passwd -o 'tstuser1'' as password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
  expect: Input/output error
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:talktochild(311)
  Response 1 incorrect
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(367)
  Child failed to change password: tstuser1
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(403)
  The status of the process exiting was 32512
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1003, 513) - sec_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7120)
  init_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1469)
  _samr_chgpasswd_user: 1469
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
  0000 status: NT_STATUS_ACCESS_DENIED
[2004/01/13 09:36:53, 5] rpc_server/srv_pipe.c:api_rpcTNP(1549)
  api_rpcTNP: called samr successfully

slapd.conf

include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
#include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/inetorgperson.schema
#include /usr/share/openldap/schema/java.schema
#include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
#include /usr/share/openldap/schema/misc.schema
#include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/rfc822-MailMember.schema
#include /usr/share/openldap/schema/pilot.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba3.schema
#include /usr/share/openldap/schema/qmail.schema
#include /usr/share/openldap/schema/mull.schema
#include /usr/share/openldap/schema/netscape-profile.schema
#include /usr/share/openldap/schema/trust.schema
#include /usr/share/openldap/schema/dns.schema
#include /usr/share/openldap/schema/cron.schema
#include /etc/openldap/schema/local.schema

# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_passwd.la
#moduleload back_sql.la

# SASL config
#sasl-host ldap.example.com

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=hill,dc=co.uk"
#suffix "o=My Organization Name,c=US"
rootdn "cn=manager,dc=hill,dc=co.uk"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw testing
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
# from samba config
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# following line commented out from sample config file
#index mail,surname,givenname eq,subinitial
# logging
loglevel 256
# Basic ACL
# uid=root changed to cn=root
#
#access to attr=userPassword
#        by self write
#        by anonymous auth
#        by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
#        by * none
#access to *
#        by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
#        by * read

#
# /etc/nsswitch.conf
#
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

#
# system-auth
#
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so likeauth use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
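As an added diagnostic (not part of the original post), the script below decodes the wait status that smbd logged ("The status of the process exiting was 32512") and checks the "passwd program" path taken from smb.conf: smbd hands that program to /bin/sh -c, and 32512 is 127 shifted left by 8 bits, i.e. the shell's exit code when it cannot find the command, which is worth checking here because the other smbldap scripts in this smb.conf live under /usr/bin while the passwd program points at /usr/share/samba/scripts. The SAMPLE_SMB_CONF text is constructed from the post.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post or from Samba itself.

# Decode a raw wait(2) status (as smbd logs it) into "exit=N" or "signal=N".
decode_wait_status() {
    status=$1
    sig=$((status & 127))
    if [ "$sig" -ne 0 ]; then
        echo "signal=$sig"
    else
        echo "exit=$((status >> 8))"
    fi
}

# Read smb.conf text on stdin and print the executable named by
# "passwd program = ..."; only the first token is the program, the rest
# (e.g. -o '%u') are arguments that smbd passes through the shell.
passwd_program_path() {
    sed -n 's/^[[:space:]]*passwd program[[:space:]]*=[[:space:]]*//p' |
        awk 'NR==1 {print $1}'
}

# Return 0 if the path is an executable file, 1 otherwise (with the reason
# and the exit code /bin/sh would produce for that failure).
check_passwd_program() {
    prog=$1
    if [ ! -e "$prog" ]; then
        echo "missing: $prog (sh -c would exit 127)"
        return 1
    elif [ ! -x "$prog" ]; then
        echo "not executable: $prog (sh -c would exit 126)"
        return 1
    fi
    echo "ok: $prog"
    return 0
}

# Constructed sample mirroring the relevant lines of the posted smb.conf.
SAMPLE_SMB_CONF="[global]
   workgroup = SAMBA3
   passwd program = /usr/share/samba/scripts/smbldap-passwd -o '%u'
   unix password sync = Yes"

main() {
    echo "logged status 32512 -> $(decode_wait_status 32512)"
    prog=$(printf '%s\n' "$SAMPLE_SMB_CONF" | passwd_program_path)
    check_passwd_program "$prog" ||
        echo "fix 'passwd program' or rely on 'ldap passwd sync = yes' instead"
}
main "$@"
```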
Gémes Géza
2004-Jan-13 20:55 UTC
[Samba] Samba 3.0.1 + LDAP + User Password Change failure
Hi,

A possible workaround for this would be to drop all passwd change related lines in your smb.conf, and specify ldap password sync = yes. At least it worked for me (Mandrake 9.1 Samba 3.0.1pre1).

Good Luck!

Geza