I've been fiddling lately with Samba 3 coupled with openldap, nss_ldap, pam_ldap and the smbldap-tools to create a PDC.

Following various examples, most things work, but I have an issue with changing passwords from Windows.

If I manually change a password with smbldap-passwd, the script correctly adjusts the sambaPwdMustChange attribute according to what defaultMaxPasswordAge is set to.

If I change the password through Windows, Samba presumably uses smbpasswd, because the sambaPwdMustChange attribute is then somehow set to only 2 days into the future. The same thing happens if I run smbpasswd manually. As a simple hack I even tried symlinking /usr/bin/smbpasswd to /use/local/sbin/smbldap-passwd, but samba *still* used its own mechanism, which always ends up in sambaPwdMustChange being just a couple of days ahead.

Meaning of course, if users will ever change their own passwords, the ldap record will manually need fixing. Is there a way I can get samba to use only the smbldap-passwd script or otherwise fix this so sambaPwdMustChange is set to defaultMaxPasswordAge from the smbldap-tools conf file, or at least something further ahead in the future than two days?

-- Dan
Hi Dan, which version of Samba do you use? A Microsoft patch broke password change before Samba 3.04, so use the latest Samba version, 3.07. Maybe this is the short answer.

Regards

Dan Slatford wrote:
> I've been fiddling lately with Samba 3 coupled with openldap, nss_ldap,
> pam_ldap and the smbldap-tools to create a PDC.
>
> Following various examples, most things work, but I have an issue with
> changing passwords from Windows.
>
> If I manually change a password with smbldap-passwd, the script
> correctly adjusts the sambaPwdMustChange attribute according to what
> defaultMaxPasswordAge is set to.
>
> If I change the password through Windows, Samba presumably uses
> smbpasswd, because the sambaPwdMustChange attribute is then somehow set
> to only 2 days into the future. The same thing happens if I run
> smbpasswd manually. As a simple hack I even tried symlinking
> /usr/bin/smbpasswd to /use/local/sbin/smbldap-passwd, but samba *still*
> used its own mechanism, which always ends up in sambaPwdMustChange
> being just a couple of days ahead.
>
> Meaning of course, if users will ever change their own passwords, the
> ldap record will manually need fixing. Is there a way I can get samba to
> use only the smbldap-passwd script or otherwise fix this so
> sambaPwdMustChange is set to defaultMaxPasswordAge from the
> smbldap-tools conf file, or at least something further ahead in the
> future than two days?
>
On Thu, 2004-09-16 at 00:10, rruegner wrote:
> have you set
> time server = yes
> you should post your whole smb.conf

I should :)

[global]
   netbios name = TESTDOM-PDC
   workgroup = TESTDOM
   server string = TESTDOM Domain Controller
   wins support = yes
   time server = yes
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   interfaces = 10.10.10.99
   domain master = yes
   domain logons = yes
   preferred master = yes
   local master = yes
   os level = 64
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost
   obey pam restrictions = yes
   guest account = nobody
   invalid users = root
   load printers = yes
   printing = cups
   printcap name = cups
   printer admin = @ntadmin
   preserve case = yes
   short preserve case = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   ldap suffix = dc=testdom,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   # ldap admin dn = cn=samba,ou=DSA,dc=testdom,dc=com
   ldap admin dn = cn=Manager,dc=testdom,dc=com
   ldap ssl = no
   ldap delete dn = no
   ldap passwd sync = Yes
   ldap ssl = start tls
   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/local/sbin/smbldap-userdel "%u"
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/local/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = no
   writable = yes
   browsable = no
   share modes = no

[profiles]
   comment = User Profiles
   path = /home/samba/profiles
   read only = no
   create mode = 0600
   directory mode = 0700
   browseable = no
   guest ok = Yes
   profile acls = Yes
   csc policy = disable
   # next line is a great way to secure the profiles
   force user = %U
   # next line allows administrator to access all profiles
   valid users = %U @"Domain Admins"
   ; this stops w2k fucking up its logon
   veto oplock files = /prf*.tmp/

[printers]
   comment = All Printers
   browseable = yes
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

-- Dan
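The posted [global] section sets "ldap ssl" twice, first to "no" and later to "start tls", which rruegner picks up on in the next reply. Samba applies the last assignment of a repeated parameter, so the earlier line is silently dead. The following checker is an added example, not code from the thread, Samba or smbldap-tools; it parses a constructed smb.conf excerpt modelled on the one above, reports every parameter set more than once within a section, and shows which value actually takes effect. It assumes Samba's parameter-name matching (case-insensitive, whitespace-insensitive) and treats "#" and ";" lines as comments, as smb.conf does.

```python
"""Flag smb.conf parameters assigned more than once inside one section.

Added illustration, not from the thread or the Samba project. Samba keeps
the last assignment of a repeated parameter, so an earlier "ldap ssl = no"
is overridden by a later "ldap ssl = start tls" without any warning.
"""

# Constructed excerpt modelled on the [global] section posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = TESTDOM
   security = user
   passdb backend = ldapsam:ldap://localhost
   # ldap admin dn = cn=samba,ou=DSA,dc=testdom,dc=com
   ldap admin dn = cn=Manager,dc=testdom,dc=com
   ldap ssl = no
   ldap passwd sync = Yes
   ldap ssl = start tls
   ; semicolon comments are ignored too
[homes]
   browseable = no
   writable = yes
"""


def normalize_key(key):
    # Samba matches parameter names case-insensitively and ignores
    # whitespace differences; collapse to one canonical spelling.
    return " ".join(key.split()).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} preserving order and repeats."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or junk
        key, _, value = line.partition("=")
        sections[current].append((normalize_key(key), value.strip()))
    return sections


def find_duplicates(sections):
    """Return [(section, key, [values...])] for keys assigned more than once.

    The last value in each list is the one Samba actually applies.
    """
    findings = []
    for section, params in sections.items():
        seen = {}
        for key, value in params:
            seen.setdefault(key, []).append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append((section, key, values))
    return findings


def effective_value(sections, section, key):
    """Value Samba uses for `key` in `section`: the last assignment, or None."""
    wanted = normalize_key(key)
    values = [v for k, v in sections.get(section.lower(), []) if k == wanted]
    return values[-1] if values else None


if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_SMB_CONF)
    for section, key, values in find_duplicates(parsed):
        print(f"[{section}] '{key}' set {len(values)} times: {values}"
              f" -> effective value: {values[-1]!r}")
```

Run against a real smb.conf by replacing SAMPLE_SMB_CONF with the file contents; the checker deliberately does not know about Samba's parameter synonyms ("browseable"/"browsable", "writable"/"read only"), so those pairs are not reported as duplicates.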
Dan Slatford
2004-Sep-16 14:44 UTC
[Samba] Samba3 + smbldap-tools & smbpasswd - Figured out!
On Thu, 2004-09-16 at 12:46, rruegner wrote:
> > load printers = yes
> > printing = cups
> > printcap name = cups
> is there a group ntadmin in ldap? usually it is only in passwd
> > printer admin = @ntadmin

I haven't gotten round to doing anything with printing yet. I think that's the next challenge.

> see my parameters and compare

Well, I think I can actually spot something wrong with your config, while discovering mine was never broken to the degree I thought!

You have the -a (add samba attributes) and -P (invoke smbldap-passwd) switches to the adduser script, which seem unnecessary. The penny's dropped and I've realised the scripts are only for taking care of managing the posix account side of things - samba adds the samba attributes to the LDAP record, so -a is not needed. Indeed, adding it broke things for me as both script and samba try to add the same attributes. -P doesn't seem needed either. I can add accounts perfectly via usermgr.exe without these attributes.

I realised my sambaPwdMustChange value was being set two days ahead, because that's set by default in the policy config part of usermgr.exe! So, that was actually working fine, user error.

Samba *doesn't* need to run smbldap-passwd.pl for password changes at all. It will update the samba related attributes itself, AND update the userPassword (posix) field if you have "ldap passwd sync = Yes" set in smb.conf

So, basically, it was all working fine to begin with. Gah!

> > ldap ssl = no
> makes no sense if you say ldap ssl no above
> > ldap ssl = start tls

Well, TLS is different to using old SSL as I understand it. TLS works over usual port 389 while SSL is over 636. This much does work.

The 'net time' thing I mentioned before isn't a problem, I realised the wrong time was being plucked from a random windows box on the network, not the samba server :) Hurrah for caffeine.

-- Dan
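The resolution above is that sambaPwdMustChange is written by Samba from the domain's password policy, not by smbldap-passwd, so a directory can end up with expiry dates that disagree with the defaultMaxPasswordAge in smbldap.conf. The script below is an added example, not code from the thread, Samba or smbldap-tools: it reads an LDIF export (the shape "ldapsearch -LLL" produces), picks out sambaSamAccount entries and reports every account whose sambaPwdMustChange is earlier than sambaPwdLastSet plus the intended maximum age, plus accounts set to never expire. The LDIF, the epoch value used as "now" and the 90-day policy are constructed for the example; the sentinel 2147483647 for "never expires" is the value smbldap-tools and Samba use.

```python
"""Audit sambaPwdMustChange values in an LDIF dump against a password policy.

Added illustration, not code from the thread, Samba or smbldap-tools.
Entries whose must-change date is earlier than sambaPwdLastSet + max age
(the "two days ahead" symptom from the thread) are reported, as are
accounts whose password never expires.
"""

NEVER_EXPIRES = 2147483647     # sentinel smbldap-tools/Samba use for "never"
SECONDS_PER_DAY = 86400

# Constructed reference time (roughly 2004-09-16, Unix epoch seconds).
NOW = 1095300000

# Constructed LDIF excerpt: alice was just set to expire in 2 days,
# bob matches a 90-day policy, svc-backup never expires, carol is
# a plain POSIX account without Samba attributes.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=Users,dc=testdom,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaPwdLastSet: {NOW - 3600}
sambaPwdMustChange: {NOW + 2 * SECONDS_PER_DAY}

dn: uid=bob,ou=Users,dc=testdom,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaPwdLastSet: {NOW - 3600}
sambaPwdMustChange: {NOW - 3600 + 90 * SECONDS_PER_DAY}

dn: uid=svc-backup,ou=Users,dc=testdom,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: svc-backup
sambaPwdMustChange: {NEVER_EXPIRES}

dn: uid=carol,ou=Users,dc=testdom,dc=com
objectClass: posixAccount
uid: carol
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line separated record.

    Handles LDIF line folding (continuation lines start with a space) and
    skips '#' comment lines; base64 (':: ') values are not decoded.
    """
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit_password_expiry(ldif_text, now, max_age_days, slack_days=1):
    """Return a list of findings, each {"uid", "days_left", "reason"}.

    An account is flagged when sambaPwdMustChange is earlier than
    sambaPwdLastSet (or `now` if unset) plus max_age_days minus slack_days,
    when it is missing, or when it is the never-expires sentinel.
    """
    findings = []
    for rec in parse_ldif(ldif_text):
        if "sambaSamAccount" not in rec.get("objectClass", []):
            continue
        uid = rec.get("uid", ["?"])[0]
        values = rec.get("sambaPwdMustChange")
        if not values:
            findings.append({"uid": uid, "days_left": None,
                             "reason": "sambaPwdMustChange missing"})
            continue
        must_change = int(values[0])
        if must_change >= NEVER_EXPIRES:
            findings.append({"uid": uid, "days_left": None,
                             "reason": "never expires"})
            continue
        last_set = int(rec.get("sambaPwdLastSet", [now])[0])
        expected = last_set + (max_age_days - slack_days) * SECONDS_PER_DAY
        days_left = (must_change - now) / SECONDS_PER_DAY
        if must_change < expected:
            findings.append({"uid": uid, "days_left": days_left,
                             "reason": f"expires in {days_left:.1f} days, "
                                       f"policy is {max_age_days} days"})
    return findings


if __name__ == "__main__":
    for f in audit_password_expiry(SAMPLE_LDIF, NOW, 90):
        print(f"{f['uid']}: {f['reason']}")
```

To use it on a live directory, feed it the output of an ldapsearch over the user suffix and pass the current time; the sambaPwdLastSet comparison means an account whose password was set months ago is judged against its own set date rather than against today, so only genuinely short expiries are reported.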