Hello,

We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on Debian. My users are complaining about warnings that their password is about to expire and that they are told "You do not have permission to change your password" when they try to change it. sambaAcctFlags includes the X flag which I thought meant "don't expire passwords." The password changing thing has got me even more stumped. Can anyone offer any clues?

/etc/pam_ldap.conf:
host localhost
base dc=trec,dc=us
ldap_version 3
rootbinddn cn=admin,dc=trec,dc=us
pam_password exop

/etc/libnss-ldap.conf:
host localhost
base dc=trec,dc=us
ldap_version 3
rootbinddn cn=admin,dc=trec,dc=us
pam_password exop

Example user entry:

dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: Suzanne Goodrich
sn: Goodrich
uid: sgoodrich
uidNumber: 2046
gidNumber: 100
homeDirectory: /home/sgoodrich
loginShell: /bin/false
gecos: Suzanne Goodrich
description: Suzanne Goodrich
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Suzanne Goodrich
sambaSID: S-1-5-21-193596418-479643985-2333711390-5092
sambaPrimaryGroupSID: S-1-5-21-193596418-479643985-2333711390-513
sambaLMPassword: redacted
sambaNTPassword: redacted
sambaPwdLastSet: 1117397780
sambaPwdMustChange: 1125951380
userPassword: {SSHA}redacted
sambaAcctFlags: [NUX]

/etc/samba/smb.conf:
[global]
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
domain logons = yes
domain master = yes
enable privileges = yes
encrypt passwords = true
guest account = nobody
ldap admin dn = cn=admin,dc=trec,dc=us
ldap delete dn = yes
ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap ssl = no # start_tls
ldap suffix = dc=trec,dc=us
ldap user suffix = ou=Users
load printers = no
local master = yes
log file = /var/log/samba/log
log level = 1
logon drive = Z:
logon home = \\%L\%U
logon path = \\%L\%U\Profile
logon script = logon.cmd
map archive = no
map hidden = no
map system = no
max log size = 1000
name resolve order = host
null passwords = yes
obey pam restrictions = yes
os level = 65
pam password change = yes
panic action = /usr/share/samba/panic-action %d
passdb backend = ldapsam:ldap://localhost/
preferred master = yes
preserve case = yes
security = user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
short preserve case = yes
show add printer wizard = no
socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
syslog = 1
syslog only = no
time server = yes
unix password sync = yes
wins support = yes
workgroup = TREC
passwd chat debug = yes

[homes]
comment = %u's private information.
browseable = no
writable = yes
create mask = 0660
directory mask = 0770
inherit permissions = yes
hide files = /Profile/Registry/Outlook.pst/outlook.pst/Maildir/
guest ok = no
admin users = @staff

[profile]
path = %H/Profile
browsable = no
writable = yes
create mask = 0660
directory mask = 0770
# nt acl support = no
admin users = @staff

[netlogon]
comment = Network Logon Service
path = /export/netlogon
guest ok = yes
read only = yes
share modes = no
write list = root,@staff
# nt acl support = no
force group = staff
browseable = no

> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
> Debian. My users are complaining about warnings that their password is
> about to expire and that they are told "You do not have permission to
> change your password" when they try to change it. sambaAcctFlags includes
> the X flag which I thought meant "don't expire passwords." The password
> changing thing has got me even more stumped. Can anyone offer any clues?

Do you also get the password actually being changed when they get that error? I see that and also various other errors, which are false errors since all passwords ARE in fact changed.

On Thu, 2005-08-25 at 14:53 -0400, jake@capecodhomefinder.com wrote:
> Hello,
>
> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
> Debian. My users are complaining about warnings that their password is
> about to expire and that they are told "You do not have permission to
> change your password" when they try to change it. sambaAcctFlags includes
> the X flag which I thought meant "don't expire passwords." The password
> changing thing has got me even more stumped. Can anyone offer any clues?
>
----
I believe that you will find the warning about the change password is generated by local policy on the computers and not demanded by Samba.

I think Paul was hinting at a rather quirky thing in Samba 3 that gets an error reported to the user when he changes his password that it didn't work, but on properly configured systems, that message seems to get sent anyway, even when the password change does indeed work.

Craig
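
Added example, not part of any post in this thread: a small Python check that decodes the sambaAcctFlags letters and the password timestamps from the example entry in the first post, so the stored expiry date can be compared with the X flag. It only reports what is stored in LDAP; how smbd weighs the flag against sambaPwdMustChange is not stated in the thread, and the function names and the "now" value are assumptions made for the example.

```python
from datetime import datetime, timezone

# Flag letters used in sambaAcctFlags (Samba 3 passdb encoding).
ACCT_FLAGS = {
    "N": "no password required",
    "D": "account disabled",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "M": "MNS logon account",
    "W": "workstation trust account",
    "S": "server trust account",
    "L": "automatically locked",
    "X": "password does not expire",
    "I": "interdomain trust account",
}

# Values copied from the example entry in the first post.
ENTRY = {
    "sambaAcctFlags": "[NUX]",
    "sambaPwdLastSet": "1117397780",
    "sambaPwdMustChange": "1125951380",
}

def decode_flags(raw):
    """Return the meaning of each letter inside the [...] flag string."""
    letters = raw.strip().strip("[]").replace(" ", "")
    return [ACCT_FLAGS.get(c, "unknown flag %r" % c) for c in letters]

def utc(ts):
    """Convert a Unix timestamp attribute value to an aware UTC datetime."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)

def audit(entry, now):
    """Summarise the stored expiry data and note a mismatch with the X flag."""
    must = utc(entry["sambaPwdMustChange"])
    last = utc(entry["sambaPwdLastSet"])
    no_expire = "X" in entry["sambaAcctFlags"]
    return {
        "flags": decode_flags(entry["sambaAcctFlags"]),
        "max_age_days": (must - last).days,   # age implied by the two stamps
        "days_left": (must - now).days,       # time until the stored deadline
        "conflict": no_expire and must > last,  # X set, finite deadline stored
    }

if __name__ == "__main__":
    # Assumed "now": the post time quoted in the thread (2005-08-25 14:53 -0400).
    now = datetime(2005, 8, 25, 18, 53, tzinfo=timezone.utc)
    print(audit(ENTRY, now))
```

For this entry the stored sambaPwdMustChange falls 99 days after sambaPwdLastSet and 11 days after the original post, while the flags decode to N, U and X; the N flag ("no password required") together with `null passwords = yes` in the posted smb.conf is worth reviewing separately.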