Solved
I had "unix password sync = yes"; apparently "ldap passwd sync = yes"
is all that is needed to update passwords. I set "unix password sync =
no" and things started to magically work. Not sure why, but it makes
sense to let LDAP handle the passwords. Sorry for the wasted bandwidth.
mikec
Mike Cauble wrote:
> I have 6 domain controllers that were running samba-tng using
> OpenLDAP. Six months ago I converted one of the controllers to
> Samba 3.0.20 and exported my LDAP information to be compatible with
> Samba; everything works fine. Specifically, I could change passwords at
> the local Windows machine. Two weeks ago I converted my other 5
> controllers to Samba 3.0.21b; everything works except changing passwords
> at the Windows machine. I have found that there has been a schema
> change from .20 to .21 and am wondering if this could be the problem. I
> am using OpenLDAP 2.3.11. I am using the schema from Samba 3.0.20 in
> Samba 3.0.21b. I know account policies were/are stored in
> account_policy.tdb, but several things I read said that information
> was moving to LDAP. I can't find any information on how to make that
> happen. I realize the schema could be the problem. My domains are
> purely Samba, and I need to be able to change passwords because of
> Sarbanes-Oxley.
>
> I get these error messages on the domain controller when I try to
> change the password
> [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
> Unable to open new log file /var/log/samba/mcauble-lt.log: Permission
> denied
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
> smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
> smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
> Unable to open new log file /var/log/samba/mcauble-lt.log: Permission
> denied
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
> smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
> smb_pam_passchange: PAM: Password Change Failed for user mikec!
>
> The windows machine says "You don't have permission to change the
> password"
>
>
> Below is my slapd.conf file:
>
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/samba.schema
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database bdb
> suffix "dc=lufkin,dc=com"
> rootdn "cn=Manager,dc=lufkin,dc=com"
> rootpw XXXXXX
> directory /var/lib/ldap
> loglevel 0
> cachesize 100000
> idlcachesize 300000
> checkpoint 1024 5
>
> limits dn.exact="cn=Replica,dc=lufkin,dc=com" size=unlimited
> time=unlimited
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 1000
>
> # Indices to maintain
> ## required by OpenLDAP
> index objectclass eq
> index entryUUID eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index uniqueMember eq
> index default sub
>
> access to dn.base=""
> by self write
> by dn.exact="cn=Replica,dc=lufkin,dc=com" write
> by * auth
>
> access to attr=userPassword,sambaNTPassword,sambaLMPassword
> by self write
> by * auth
>
> access to attr=shadowLastChange
> by self write
> by * read
>
> access to *
> by * read
> by anonymous auth
>
>
> Thanks for any help
> mikec
>
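The fix in this thread is a configuration interaction: with an ldapsam backend, "unix password sync = yes" makes smbd also run the PAM / passwd-program Unix password change, and when that step fails (the smb_pam_passchange lines in the quoted log) the whole password change is refused, even though "ldap passwd sync = yes" already updates LDAP. The script below is an added example, not code from the thread or from the Samba project: it parses the [global] section of an smb.conf, flags that combination, and counts the PAM failure lines per user from a smbd log. The smb.conf and log text are constructed samples in the format quoted in the thread; the parameter names are the Samba 3.x ones the poster used, and the parsing uses Python's configparser rather than Samba's own loader, so it only approximates how smbd reads the file.

```python
"""Check a Samba 3 smb.conf for the unix / ldap password-sync conflict and
count PAM password-change failures in a smbd log.

Added example (not from the mailing-list thread or the Samba project).
Assumes the Samba 3.x parameter names used in the thread and the log
format quoted there.
"""
import configparser
import re

# Constructed sample smb.conf in the state the original poster described.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   unix password sync = yes
   ldap passwd sync = yes
   passwd program = /usr/bin/passwd %u
"""

# Constructed log lines in the format smbd wrote in the thread (users are made up).
SAMPLE_LOG = """\
[2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
  Unable to open new log file /var/log/samba/host.log: Permission denied
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
  smb_pam_passchange: PAM: Password Change Failed for user alice!
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
  smb_pam_passchange: PAM: Password Change Failed for user alice!
[2006/04/24 21:25:01, 0] auth/pampass.c:smb_pam_passchange(848)
  smb_pam_passchange: PAM: Password Change Failed for user bob!
"""


def _norm(name):
    # Samba ignores case and whitespace in parameter names.
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return the [global] section as a dict keyed by normalised parameter name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = _norm
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1", "on")


def check_password_sync(text):
    """Return a list of (code, message) findings about password-change settings."""
    g = parse_smb_conf(text)
    backend = g.get(_norm("passdb backend"), "smbpasswd")
    ldapsam = backend.lower().startswith("ldapsam")
    findings = []
    if ldapsam and _is_yes(g.get(_norm("unix password sync"))):
        findings.append(("unix-sync-with-ldapsam",
            "unix password sync = yes makes smbd also change the Unix password "
            "through PAM / passwd program; if that fails (smb_pam_passchange) the "
            "whole change is refused. With an ldapsam backend set it to no."))
    ldap_sync = (g.get(_norm("ldap passwd sync")) or "no").strip().lower()
    if ldapsam and ldap_sync not in ("yes", "only") and not _is_yes(ldap_sync):
        findings.append(("ldap-sync-off",
            "ldap passwd sync is not enabled, so userPassword in LDAP is not "
            "updated when a Windows client changes the password."))
    return findings


PAM_FAIL = re.compile(
    r"smb_pam_passchange: PAM: Password Change Failed for user (\S+)!")


def count_pam_failures(log_text):
    """Count smb_pam_passchange failures per user in smbd log text."""
    counts = {}
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    for code, msg in check_password_sync(SAMPLE_SMB_CONF):
        print(f"{code}: {msg}")
    print("PAM failures per user:", count_pam_failures(SAMPLE_LOG))
```

Running it against the sample reports the unix-sync-with-ldapsam finding and two failures for alice, one for bob; changing the sample to "unix password sync = no" clears the finding, which is the change the thread ends on.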