robert.walland@r-kb.si
2005-Nov-07 20:14 UTC
[Samba] LDAP+BDC user password change trouble
Hi,

We are using a PDC (Primary LDAP) and BDC (Replica LDAP). Changing password on PDC works fine, but no way when users are logged on BDC. The truth is that PDC and BDC are configured with passdb backend = ldapsam:ldap://127.0.0.1/. The users get the message like "You are not allowed to change password" or "You can not change password at this time" when they want to change their password.

Is it only possible to change password when the BDC is showing to Primary LDAP? As I know LDAP supports that you can change something on Replica which is then synchronized with the primary LDAP.

I'm using only idealx scripts and they are not included in the BDC smb.conf, because BDC should do only logging for now.

Some lines from my smb.conf

workgroup = DOMAIN
netbios name = SERVER
server string = LDAP BDC Samba Server %v
os level = 65
preferred master = no
local master = yes
domain master = no
domain logons = yes
security = user
enable privileges = no
encrypt passwords = yes
obey pam restrictions = No
name resolve order = wins bcast
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
syslog = 2
syslog only = yes
preserve case = yes
case sensitive = no
logon path
logon home
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=samba,ou=DSA,dc=r-kb,dc=si
ldap suffix = dc=r-kb,dc=si
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# ldap idmap suffix = ou=Idmap
#ldap delete dn = Yes
#ldap chat debug = Yes
ldap ssl = no
On Mon, 2005-11-07 at 21:14 +0100, robert.walland@r-kb.si wrote:
> Hi,
> We are using a PDC (Primary LDAP) and BDC (Replica LDAP). Changing
> password on PDC works fine, but no way when users are logged on BDC. The
> truth is that PDC and BDC are configured with passdb backend =
> ldapsam:ldap://127.0.0.1/. The users get the message like "You are not
> allowed to change password" or "You can not change password at this
> time" when they want to change their password.
> Is it only possible to change password when the BDC is showing to Primary
> LDAP? As I know LDAP supports that you can change something on Replica
> which is then synchronized with the primary LDAP.

This is supported on some commercial ldap servers, and Fedora (I think). I've only used OpenLDAP so far, which is strictly master/slave(s).

> I'm using only idealx
> scripts and they are not included in the BDC smb.conf, because BDC should
> do only logging for now.
> Some lines from my smb.conf

The way this works is that the slave ldap server should send a referral saying 'do your modify over here'. If the LDAP server sends this (configured in the slapd.conf for openldap), then Samba makes the modification on the master. It is not configured in Samba itself.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
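
Added example, not part of either message and not Samba or OpenLDAP code: a small Python check of the setup discussed in this thread. It reads the BDC's smb.conf and the replica's slapd.conf and reports whether the replica has an `updateref` line (the slapd.conf directive that makes a replica answer writes with a referral), and whether following that referral would send the admin DN bind over the network without TLS. The slapd.conf lines and the host pdc.example.test are constructed placeholders.

```python
import re

def smb_params(text):
    """smb.conf 'key = value' lines -> dict with normalized keys."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def slapd_directives(text):
    """slapd.conf 'directive value' lines -> dict of lists (continuation lines skipped)."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line[0].isspace() and not line.startswith("#"):
            found.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return found

def check_bdc(smb_text, replica_slapd_text):
    """Return findings for a BDC whose Samba talks to a local replica slapd."""
    smb = smb_params(smb_text)
    slapd = slapd_directives(replica_slapd_text)
    findings = []
    backend = smb.get("passdb backend", "")
    local = re.search(r"ldapsam:\"?ldaps?://(127\.0\.0\.1|localhost)", backend)
    refs = slapd.get("updateref", [])
    if local and not refs:
        # Per the reply above: without a referral Samba has nowhere to send the modify.
        findings.append("no-updateref")
    for url in refs:
        if url.startswith("ldap://") and smb.get("ldap ssl", "").lower() in ("no", "off"):
            # The referral is followed across the network with the admin DN bind, no TLS.
            findings.append("cleartext-rebind")
    return findings

# Taken from the smb.conf lines in the original post.
SMB_CONF = """
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=samba,ou=DSA,dc=r-kb,dc=si
ldap ssl = no
"""
# Constructed replica slapd.conf lines; pdc.example.test is a placeholder host.
SLAPD_NO_REF = 'suffix "dc=r-kb,dc=si"\n'
SLAPD_WITH_REF = SLAPD_NO_REF + "updateref ldap://pdc.example.test\n"

if __name__ == "__main__":
    print(check_bdc(SMB_CONF, SLAPD_NO_REF))
    print(check_bdc(SMB_CONF, SLAPD_WITH_REF))
```

An empty result only means neither of these two conditions was found in the files given; it does not test the live servers.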