robert.walland@r-kb.si
2005-Nov-07 20:14 UTC
[Samba] LDAP+BDC user password change trouble
Hi,
We are using a PDC (Primary LDAP) and BDC (Replica LDAP). Changing
password on PDC works fine, but no way when users are logged on BDC. The
truth is that PDC and BDC are configured with passdb backend =
ldapsam:ldap://127.0.0.1/. The users get the message like "You are not
allowed to change password" or "You can not change password at this
time" when they want to change their password.
Is it only possible to change password when the BDC is showing to Primary
LDAP? As I know LDAP supports that you can change something on Replica
which is then synchronized with the primary LDAP. I'm using only idealx
scripts and they are not included in the BDC smb.conf, because BDC should
do only logging for now.
Some lines from my smb.conf
workgroup = DOMAIN
netbios name = SERVER
server string = LDAP BDC Samba Server %v
os level = 65
preferred master = no
local master = yes
domain master = no
domain logons = yes
security = user
enable privileges = no
encrypt passwords = yes
obey pam restrictions = No
name resolve order = wins bcast
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
syslog = 2
syslog only = yes
preserve case = yes
case sensitive = no
logon path logon home
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=samba,ou=DSA,dc=r-kb,dc=si
ldap suffix = dc=r-kb,dc=si
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# ldap idmap suffix = ou=Idmap
#ldap delete dn = Yes
#ldap chat debug = Yes
ldap ssl = no
On Mon, 2005-11-07 at 21:14 +0100, robert.walland@r-kb.si wrote:
> Hi,
> We are using a PDC (Primary LDAP) and BDC (Replica LDAP). Changing
> password on PDC works fine, but no way when users are logged on BDC. The
> truth is that PDC and BDC are configured with passdb backend =
> ldapsam:ldap://127.0.0.1/. The users get the message like "You are not
> allowed to change password" or "You can not change password at this
> time" when they want to change their password.
> Is it only possible to change password when the BDC is showing to Primary
> LDAP? As I know LDAP supports that you can change something on Replica
> which is then synchronized with the primary LDAP.

This is supported on some commercial LDAP servers, and Fedora (I think). I've only used OpenLDAP so far, which is strictly master/slave(s).

> I'm using only idealx
> scripts and they are not included in the BDC smb.conf, because BDC should
> do only logging for now.
> Some lines from my smb.conf

The way this works is that the slave LDAP server should send a referral saying 'do your modify over here'. If the LDAP server sends this (configured in the slapd.conf for OpenLDAP), then Samba makes the modification on the master. It is not configured in Samba itself.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
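
The referral described in the reply above is set on the replica with OpenLDAP's `updateref` directive. This is an added sketch, not configuration posted in the thread or shipped by either project. It assumes slurpd-style master/slave replication, and the replicator DN and master URL are placeholders.

```conf
# slapd.conf on the BDC (replica LDAP) -- constructed example
database    bdb
suffix      "dc=r-kb,dc=si"          # suffix taken from the smb.conf above

# Only this DN (the one the master replicates as) may write to the replica.
# Placeholder DN; use whatever the master's "replica binddn=" is set to.
updatedn    "cn=replicator,dc=r-kb,dc=si"

# Any other client that attempts a write (e.g. smbd changing a password)
# gets this referral back instead of having the modify applied locally.
# Placeholder URL for the primary LDAP server on the PDC.
updateref   ldap://pdc.example.invalid

# Without updateref the replica returns no referral for writes, so the
# password change cannot be redirected to the master.
```

Samba on the BDC keeps `passdb backend = ldapsam:ldap://127.0.0.1/`: reads are answered by the local replica, and the password modify follows the referral to the master.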