Sævaldur Gunnarsson
2005-Jun-07 21:02 UTC
[Samba] Problems with userPassword when it's base64 encoded
I'm switching from OpenLDAP to the newly released Fedora Directory Server (formerly known as the Netscape Directory Server) as a LDAP backend for my Samba domain.

I'm now faced with a problem regarding how Fedora DS handles the userPassword field.
Unlike OpenLDAP it encodes it in base64 so instead of reading
userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p
it reads:
userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A

Samba apparently does not like this because when I try to change the password using the "ctrl+alt+del -> Change Password" method I get the following error in samba.log (with log level = passdb:5)

-- cut here --
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
  ldapsam_update_sam_account: user gg to be modified has dn:
  uid=gg,ou=People,dc=kung,dc=foo
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_ldap_from_sam(893)
  init_ldap_from_sam: Setting entry for user: gg
[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
  ldapsam_modify_entry: LDAP Password could not be changed for user gg:
  Unknown error
  Current passwd must be supplied by the user.

[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
  ldapsam_update_sam_account: failed to modify user with uid = gg,
  error: Current passwd must be supplied by the user.
  (Success)
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
  decode_pw_buffer: incorrect password length (-988553355).
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
  decode_pw_buffer: check that 'encrypt passwords = yes'
-- cut here --

And a dialog from Windows that says:
"The User name or old password is incorrect. Letters in passwords must be typed using the correct case."

The SambaNTPassword and SambaLMPassword entries change, but the userPassword entry does not.
I'm using the ldap passwd sync = Yes option in my smb.conf since the LDAP server is used for Linux authentication as well as Samba authentication.

However, if I use the smbldap-passwd utility everything works like a charm.
Both the SambaLMPassword/SambaNTPassword and userPassword entries are changed.

If the ldap passwd sync option is set to No in the smb.conf then Windows does not complain when I use ctrl+alt+del method, but then of course the userPassword entry is not modified.

The samba server is a RHEL4 machine with samba-3.0.10-1.4E and fedora-ds-7.1-2.RHEL4.
Output from ldapsearch of the user gg:

--cut here --
kung.foo.is /opt/fedora-ds/slapd-palladium/config/schema# ldapsearch -x -ZZ -D "uid=gg,ou=People,dc=kung,dc=foo" -W uid=gg userPassword SambaLMPassword SambaNTPassword
Enter LDAP Password:

# gg, People, kung.foo
dn: uid=gg,ou=People,dc=kung,dc=foo
userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8
SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
--cut here--

Advice on how to correct this is greatly appreciated.

--
< Sævaldur Gunnarsson _ RHCE />
Tony Earnshaw
2005-Jun-07 22:15 UTC
[Samba] Problems with userPassword when it's base64 encoded
Tue, 07.06.2005 at 23.02, Sævaldur Gunnarsson wrote:

> I'm switching from OpenLDAP to the newly released Fedora Directory
> Server (formerly known as the Netscape Directory Server) as a LDAP
> backend for my Samba domain.
>
> I'm now faced with a problem regarding how Fedora DS handles the
> userPassword field.
> Unlike OpenLDAP it encodes it in base64 so instead of reading
> userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p
> it reads:
> userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A

I'd say that your problem lies with the Fedora people - I can't see Samba 3 being changed, though Samba 4 is still in the melting pot and this will give the developers something else to chew on.

There's an active thread on Fedora Directory Server on ldap OpenLDAP interoperability list <ldap-interop@fini.net> at the moment, and I'm sure that samba-technical@samba.org would be interested in your findings. However, since it's only Fedora of the Linux fraternity that has Directory Server, and Fedora itself says that it's far from being able to open source the code at the moment, it's possible that your cry will fall on deaf ears.

--Tonni

> Samba apparently does not like this because when I try to change the
> password using the "ctrl+alt+del -> Change Password" method I get the
> following error in samba.log (with log level = passdb:5)
>
> -- cut here --
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
> init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
> init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
> ldapsam_update_sam_account: user gg to be modified has dn:
> uid=gg,ou=People,dc=kung,dc=foo
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_ldap_from_sam(893)
> init_ldap_from_sam: Setting entry for user: gg
> [2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
> ldapsam_modify_entry: LDAP Password could not be changed for user gg:
> Unknown error
> Current passwd must be supplied by the user.
>
> [2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
> ldapsam_update_sam_account: failed to modify user with uid = gg,
> error: Current passwd must be supplied by the user.
> (Success)
> [2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
> init_sam_from_ldap: Entry found for user: gg
> [2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
> decode_pw_buffer: incorrect password length (-988553355).
> [2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
> decode_pw_buffer: check that 'encrypt passwords = yes'
> -- cut here --
>
> And a dialog from Windows that says:
> "The User name or old password is incorrect. Letters in passwords must
> be typed using the correct case."
>
> The SambaNTPassword and SambaLMPassword entries change, but the
> userPassword entry does not.
> I'm using the ldap passwd sync = Yes option in my smb.conf since the
> LDAP server is used for Linux authentication as well as Samba
> authentication.
>
> However, if I use the smbldap-passwd utility everything works like a charm.
> Both the SambaLMPassword/SambaNTPassword and userPassword entries are
> changed.
>
> If the ldap passwd sync option is set to No in the smb.conf then Windows
> does not complain when I use ctrl+alt+del method, but then of course the
> userPassword entry is not modified.
>
>
> The samba server is a RHEL4 machine with samba-3.0.10-1.4E and
> fedora-ds-7.1-2.RHEL4.
> Output from ldapsearch of the user gg:
>
> --cut here --
> kung.foo.is /opt/fedora-ds/slapd-palladium/config/schema# ldapsearch -x
> -ZZ -D "uid=gg,ou=People,dc=kung,dc=foo" -W uid=gg userPassword
> SambaLMPassword SambaNTPassword
> Enter LDAP Password:
>
> # gg, People, kung.foo
> dn: uid=gg,ou=People,dc=kung,dc=foo
> userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8
> SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
> SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
> --cut here--
>
> Advice on how to correct this is greatly appreciated.
>
> --
> < Sævaldur Gunnarsson _ RHCE />

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
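
The two userPassword forms quoted in the first message can be compared byte for byte. The following is an added example, not code from the thread, Samba or Fedora DS: it reads LDIF attribute lines per RFC 2849, where `attr:: value` marks a base64-encoded value, and splits the resulting {SSHA} value into its SHA-1 digest and salt. The function names and the padding handling (which assumes the archive dropped a trailing `=`) are constructed for illustration.

```python
import base64
import hashlib
import hmac

# The two forms quoted in the first message of the thread.
PLAIN = "userPassword: {SSHA}0lP+r3Z1NVan7Caf4CG9oSgnTbQRrv/p"
ENCODED = "userPassword:: e1NTSEF9MGxQK3IzWjFOVmFuN0NhZjRDRzlvU2duVGJRUnJ2L3A"

def b64decode_lenient(text):
    """Decode base64, restoring '=' padding (assumed stripped by the archive)."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_ldif_line(line):
    """Return (attribute, value_bytes) for one unfolded LDIF line.
    RFC 2849: 'attr: value' is literal text, 'attr:: value' is base64."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return attr, b64decode_lenient(rest[1:])
    return attr, rest.strip().encode("utf-8")

def split_ssha(stored):
    """Split '{SSHA}' + base64(sha1_digest + salt) into (digest, salt)."""
    if not stored.upper().startswith(b"{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = b64decode_lenient(stored[6:].decode("ascii"))
    if len(raw) <= 20:
        raise ValueError("SSHA value carries no salt")
    return raw[:20], raw[20:]

def check_ssha(stored, password):
    """Constant-time check of a candidate password against an SSHA value."""
    digest, salt = split_ssha(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def make_ssha(password, salt):
    """Build an SSHA value; used here only to construct sample data."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

if __name__ == "__main__":
    value = parse_ldif_line(ENCODED)[1]
    print(value.decode())                      # the attribute value after LDIF decoding
    print(value == parse_ldif_line(PLAIN)[1])  # compare the two quoted forms
    digest, salt = split_ssha(value)
    print(len(digest), len(salt))              # SHA-1 digest length, salt length
```

The base64 layer in the `::` form is LDIF transport encoding only; the protection of the password rests on the salted SHA-1 hash underneath it.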