Hi.

I have samba-3.0.11 now, installed from rpm on Redhat 9.0. The problem was with 3.0.10 too. I don't know exactly when it was broken, because I found it a week ago.

I have samba as a PDC with an LDAP backend. Some time ago, when a user changed their password in Windows or when a password was changed with smbpasswd, the LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.

Config files weren't changed, apart from adding/removing some shares; testparm shows "ldap passwd sync = yes".

I've searched this list for a while and found only one mail, which said that it was broken there when upgrading from 3.0.7 to 3.0.9, but there was no answer: http://lists.samba.org/archive/samba/2005-January/098466.html

Any ideas what is broken?

----
Alexander Zubkov

> Hi.
> I've samba-3.0.11 now, installed from rpm on Redhat 9.0. Problem was
> with 3.0.10 too. I don't exactly know when it was broken, because I
> found it week ago.
> I've samba as PDC with LDAP backend some time ago when user changes
> password in windows or when password changed with smbpasswd - LDAP
> password of this user was changed too. Now LDAP passwords remains the
> same as it was.
> Configure files wasn't changed - only adding/removing some shares,
> testparm shows "ldap passwd sync = yes".

What's your passwd program= (say), and are you using the IDEALX to add users and so on...?

> I've searched this list a while and found only one mail, said that it
> was broken there when upgrading from 3.0.7 to 3.0.9, but there was no
> answer: http://lists.samba.org/archive/samba/2005-January/098466.html
> Any ideas what is broken?
>
> ----
> Alexander Zubkov

>>Hi.
>>I've samba-3.0.11 now, installed from rpm on Redhat 9.0. Problem was
>>with 3.0.10 too. I don't exactly know when it was broken, because I
>>found it week ago.
>>I've samba as PDC with LDAP backend some time ago when user changes
>>password in windows or when password changed with smbpasswd - LDAP
>>password of this user was changed too. Now LDAP passwords remains the
>>same as it was.
>>Configure files wasn't changed - only adding/removing some shares,
>>testparm shows "ldap passwd sync = yes".
>
>
> whats your passwd program= (say)

In the case of LDAP password sync you need no passwd program, as far as I know. Samba should change it through the LDAP interface, and it was doing so until some date... I'll try in the coming days to set up older versions of samba and will post the results.

> and are you using the IDEALX to add users and so on...?
>

No, I'm not using it. I add users to LDAP and then do "smbpasswd -a".

PS. (to Mark Sarria) I've replied to my own e-mail because I haven't seen yours on the list. Maybe because you CC'd it to me and the list ignored it.

----
Zubkov Alexander

> I've samba as PDC with LDAP backend some time ago when user changes
> password in windows or when password changed with smbpasswd - LDAP
> password of this user was changed too. Now LDAP passwords remains the
> same as it was.

> I've searched this list a while and found only one mail, said that it
> was broken there when upgrading from 3.0.7 to 3.0.9,

We are on SuSE's 3.0.9 and "ldap passwd sync" works. I don't believe it is broken.

Hi,

On Sat, Feb 05, 2005 at 11:33:39PM +0300, Alexander Zubkov wrote:
> Yeah! I did it, thanks all, who helped.
> Searching for "rootDSE" in Internet showed that it is exported by LDAP
> server as other data (in common words) so access control are applied to
> it too. And my hands ( lame ;) ) wrote at the end of slapd.conf:
> access dn=".*,dc=domain,dc=my" by * read
> But rootDSE, of course not subtree of this! And LDAP, honestly, denied
> access to it. So the solution was:
> access to * by * read

It is much better to set

    access to dn.base="" by * read

to avoid opening a potential security gap. The above ACL only allows world-read access to the root-dse and not to all other non-matched content of your entire DIT.

Thanks,
Guenther

--
Guenther Deschner
Samba Team
SerNet GmbH - Goettingen
gd@samba,org
gd@sernet.de

On Saturday 05 February 2005 02:17 pm, Alexander Zubkov wrote:
> In debug mode smbpasswd say this:
> ---- samba 3.0.11 ----
...
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap password change requested, but LDAP server does not support it --
> ignoring
> ldapsam_update_sam_account: successfully modified uid = test in the LDAP
> database
> --------
>
> Why samba-3.0.6 can sync password and samba-3.0.11 say that my LDAP
> server does not support it? Any ideas?
>
> ----
> Alexander Zubkov

I am guessing that Samba is using a different criteria/mechanism to change the passwords now. Perhaps it has to do with increasing support for non-OpenLDAP implementations.

One thing I noticed is that your rootDSE is not readable. The rootDSE contains information about your LDAP server that some applications (such as address books that need to automatically determine the baseDN) need. Info about the rootDSE can be found at http://www.techgalaxy.net/Docs/Dev/LDAPv3 RootDSE Overview.htm.

For OpenLDAP you need an ACL like this:

    access to attrs=namingcontexts by anonymous read

(or lock it down by IP range or some other way to make it more secure)

Correcting your LDAP config to include the above may keep Samba from being confused -- just a thought.

Misty

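
A check for the two conditions discussed in this thread, as an added example that is not part of the original messages: whether an anonymous rootDSE query returns an entry that advertises the Password Modify extended operation, and whether an anonymous subtree search exposes password attributes, as it would under `access to * by * read`. The LDIF samples are constructed, the server URL and `ou=People` are assumptions, and reading the "does not support it" log line as a missing RFC 3062 OID in the rootDSE is also an assumption.

```shell
#!/bin/sh
# Added example. Live input would come from anonymous searches such as
# (server URL is an assumption):
#   ldapsearch -x -LLL -H ldap://localhost -b "" -s base \
#       '(objectClass=*)' namingContexts supportedExtension | check_rootdse
#   ldapsearch -x -LLL -H ldap://localhost -b "dc=domain,dc=my" \
#       '(objectClass=*)' | count_exposed_secrets

PASSMOD_OID="1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify exop

# LDIF on stdin -> "unreadable" (no entry, the "got 0" case),
# "no-passmod" (entry visible, exop not advertised) or "ok".
check_rootdse() {
    awk -v oid="$PASSMOD_OID" '
        /^dn:/ { entries++ }
        tolower($1) == "supportedextension:" && $2 == oid { passmod = 1 }
        END {
            if (!entries)      print "unreadable"
            else if (!passmod) print "no-passmod"
            else               print "ok"
        }'
}

# LDIF on stdin -> number of password attributes visible to the searcher.
count_exposed_secrets() {
    awk -F: '
        tolower($1) ~ /^(userpassword|sambantpassword|sambalmpassword)$/ { n++ }
        END { print n + 0 }'
}

# Constructed samples (not captured from a real server).
sample_rootdse() { cat <<'EOF'
dn:
namingContexts: dc=domain,dc=my
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
EOF
}
sample_wide_open() { cat <<'EOF'
dn: uid=test,ou=People,dc=domain,dc=my
uid: test
userPassword:: Q09OU1RSVUNURUQ=
sambaNTPassword: 00000000000000000000000000000000
EOF
}

echo "rootDSE readable: $(sample_rootdse | check_rootdse)"
echo "rootDSE blocked:  $(: | check_rootdse)"
echo "secrets exposed:  $(sample_wide_open | count_exposed_secrets)"
```

A non-zero count from the second check against a live server means the ACLs grant anonymous read on password attributes.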