I am not a Samba guru, but I have done something similar for testing
before. The problem is caused when you are changing the password on
Machine 2, which is a slave: it is READ ONLY, and the changes that
you make will not be updated or reflected on the original copy. The
LDAP credentials of the slave will not be written to the database. All
the changes have to be passed on from the master database.
Lukasz Stelmach wrote:
> Greetings All.
>
> First let me introduce my situation
>
> Machine1: Pdc Samba + OpenLDAP(master)
>
> Machine2: Bdc Samba + OpenLDAP(slave)
>
> LDAP stores Samba and POSIX information for each user.
>
> Case1: I login to Machine1 and invoke smbpasswd. I change
> my passwords (samba and posix without any problem). In next
> few seconds they get propagated to Machine2 where I can login
> with new credentials.
>
> ldap log says
>
> conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
> conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
> conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
> conn=327 op=0 RESULT tag=97 err=0 text=
> conn=327 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> conn=327 op=1 SRCH attr=supportedControl
> conn=327 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=327 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
> conn=327 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
> conn=327 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> #
> #conn=328 is made via nss_ldap
> #
> conn=328 fd=27 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
> conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" method=128
> conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" mech=SIMPLE ssf=0
> conn=328 op=0 RESULT tag=97 err=0 text=
> conn=328 op=1 SRCH base="ou=People,o=example,c=xx" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
> conn=328 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> conn=328 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=328 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
> conn=328 op=2 SRCH attr=gidNumber
> conn=328 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
> conn=328 op=3 ABANDON msg=3
>
> conn=327 op=3 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))"
> conn=327 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> conn=327 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=327 op=5 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1001))"
> conn=327 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> conn=327 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=327 op=6 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
> conn=327 op=6 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
> conn=327 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=328 op=4 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
> conn=328 op=4 SRCH attr=gidNumber
> conn=328 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
> conn=328 op=5 ABANDON msg=5
> conn=327 op=7 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
> conn=327 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
> conn=327 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
> #
> #it seems to be here where the modifications start
> #
> conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
> conn=327 op=8 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
> conn=327 op=8 RESULT tag=103 err=0 text=
> conn=327 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> conn=327 op=9 SRCH attr=supportedExtension
> conn=327 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
> conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
> conn=327 op=10 RESULT oid= err=0 text=
> conn=327 fd=26 closed (connection lost)
> conn=328 fd=27 closed (connection lost)
>
> Case2: I login to Machine2 and invoke smbpasswd. However I get
> "Password changed for user jdoe", but quite havy problems emerge.
> From now on I can't login to Machine1 and Machine2 neither with
> smbclient nor with ssh (which uses POSIX data).
>
> Case2, the answer: Ldap debug logs claim that samba gives invalid
> credentials while trying to bind. Everything calms down when
> I "refresh" Sambaroot's (that is the user I put as "ldap
admin dn"
> in smb.conf) password with ldappasswd using the value sotred in
> /etc/samba/private/secrets.tdb. It looks like instead of changing
> my password samba changes its own :-( When I fix it I can login to
> Machines with smbclient but... I discover that my POSIX password
> (userPassword) hasn't changed. I have to use the old one.
>
> ldap log says:
> conn=313 fd=26 ACCEPT from IP=10.1.2.7:2263 (IP=10.1.2.4:389)
> conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
> conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
> conn=313 op=0 RESULT tag=97 err=0 text=
> conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
> conn=313 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
> conn=313 op=1 RESULT tag=103 err=0 text=
> conn=313 op=2 UNBIND
> conn=313 fd=26 closed
> conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
> conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
> conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
> conn=314 op=0 RESULT tag=97 err=0 text=
> #
> # why it happens so that there is no id=... like above
> #
> conn=314 op=1 PASSMOD
> #
> conn=314 op=1 RESULT oid= err=0 text=
> conn=314 op=2 UNBIND
> conn=314 fd=26 closed
>
> Case3: I login to Machine2 and invoke smbpasswd -r Machine1.
> Everything is OK like in the first case. Logs of course look
> the same as well.
>
> Please CC, I am not a subscriber.
>
--
Pavan Krishna L
Systems Administrator
Diversity Arrays Technology Pty Ltd
Ph: +61 2 6281 8512
Fax: +61 2 6281 8533
Mob: +61 423 411 281
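The quoted Case 2 log shows the detail that matters for anyone auditing this kind of setup: the second PASSMOD (LDAP Password Modify extended operation, RFC 3062) carries no id= at all, and under RFC 3062 an absent userIdentity means the operation applies to the entry the connection is bound as, here the "ldap admin dn" Sambaroot. That is exactly the symptom described (the admin password in secrets.tdb no longer matching the directory). The following script is an added example, not code from the thread or from Samba or OpenLDAP: it walks slapd access-log lines, tracks which DN each connection successfully bound as, resolves every PASSMOD to its real target DN, and flags successful changes whose target is a privileged DN. The log lines embedded below are constructed from the two cases quoted above; the admin DN set is an assumption the operator would fill in from smb.conf. Lines wrapped by a mail client must be unwrapped before feeding them in.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the slapd log excerpts quoted in the thread
# (Case 1: PASSMOD with an explicit id=; Case 2: PASSMOD with no id= at all).
SAMPLE_LOG = """\
conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=327 op=0 RESULT tag=97 err=0 text=
conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=327 op=8 RESULT tag=103 err=0 text=
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
conn=327 op=10 RESULT oid= err=0 text=
conn=327 fd=26 closed (connection lost)
conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=314 op=0 RESULT tag=97 err=0 text=
conn=314 op=1 PASSMOD
conn=314 op=1 RESULT oid= err=0 text=
conn=314 op=2 UNBIND
conn=314 fd=26 closed
"""

# Assumed privileged DNs (the "ldap admin dn" from smb.conf would go here).
ADMIN_DNS = {"cn=Sambaroot,o=example,c=xx"}

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT (?:tag=\d+|oid=\S*) err=(\d+)')
PASSMOD_RE = re.compile(r'^conn=(\d+) op=(\d+) PASSMOD(?: id="([^"]*)")?')
CLOSE_RE = re.compile(r'^conn=(\d+) (?:op=\d+ UNBIND|fd=\d+ closed)')


@dataclass
class PassMod:
    conn: str
    op: str
    bound_dn: str              # identity the connection was bound as
    target_dn: str             # entry whose password the operation changes
    explicit_id: bool          # True when the request carried id="..."
    err: Optional[str] = None  # err= code from the matching RESULT line


def audit_passmod(log_text: str) -> List[PassMod]:
    """Resolve every PASSMOD in a slapd access log to its real target DN.

    A bind identity only takes effect once its RESULT reports err=0, and is
    dropped again on UNBIND or connection close. A PASSMOD without id= is
    resolved to the bound DN, as RFC 3062 specifies.
    """
    bound: Dict[str, str] = {}
    pending_bind: Dict[Tuple[str, str], str] = {}
    pending_mod: Dict[Tuple[str, str], PassMod] = {}
    records: List[PassMod] = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending_bind[(m[1], m[2])] = m[3]
            continue
        m = PASSMOD_RE.match(line)
        if m:
            conn, op, ident = m[1], m[2], m[3]
            bound_dn = bound.get(conn, "")
            target = ident if ident is not None else bound_dn
            rec = PassMod(conn, op, bound_dn, target, ident is not None)
            pending_mod[(conn, op)] = rec
            records.append(rec)
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (m[1], m[2])
            if key in pending_bind:
                dn = pending_bind.pop(key)
                if m[3] == "0":
                    bound[m[1]] = dn
                else:
                    bound.pop(m[1], None)
            if key in pending_mod:
                pending_mod.pop(key).err = m[3]
            continue
        m = CLOSE_RE.match(line)
        if m:
            bound.pop(m[1], None)
    return records


def admin_self_changes(records: List[PassMod], admin_dns: Set[str]) -> List[PassMod]:
    """Successful password changes whose resolved target is a privileged DN."""
    return [r for r in records if r.err == "0" and r.target_dn in admin_dns]


if __name__ == "__main__":
    for r in admin_self_changes(audit_passmod(SAMPLE_LOG), ADMIN_DNS):
        how = "explicit id=" if r.explicit_id else "NO id= (defaults to bound DN)"
        print(f"ALERT conn={r.conn} op={r.op}: password of {r.target_dn} "
              f"changed by {r.bound_dn} via {how}")
```

Run against the sample, only conn=314 is reported: its PASSMOD had no id=, so the bound admin DN was the target, while conn=327 named the user entry explicitly. Pointing this at the master's real access log (loglevel stats) gives a cheap detective control for the failure mode the thread describes, and the same resolver is useful for any service account that is allowed to issue Password Modify on behalf of users.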