I have 6 domain controllers that were running samba-tng using openldap,
Six months ago I converted one of the controllers to Samba3.0.20 and
exported my ldap information to be compatible with Samba, every works
fine. Specifically I could change passwords at the local windows
machine. Two weeks ago I converted my other 5 controllers to
Samba3.0.21b everything works except changing passwords at the windows
machine. I have found that there has been a schema change from .20 to
21 and am wondering if this could be the problem. I am using Openldap
2.3.11. I am using the schema from Samba3.0.20 in Samba3.0.21b. I know
account policies were/are stored in account_policy.tdb, but several
things I read said that information was moving to LDAP I can't find any
information on how to make that happen. I realize the schema could be
the problem. My domains are purely Samba, and I need the to be able to
change passwords because of Sorbanes-Oxley.
I get these error messages on the domain controller when I try to change
the password
[2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
Unable to open new log file /var/log/samba/mcauble-lt.log: Permission
denied
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
Unable to open new log file /var/log/samba/mcauble-lt.log: Permission
denied
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
The windows machine says "You don't have permission to change the
password"
Below is my slapd.conf file:
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=lufkin,dc=com"
rootdn "cn=Manager,dc=lufkin,dc=com"
rootpw XXXXXX
directory /var/lib/ldap
loglevel 0
cachesize 100000
idlcachesize 300000
checkpoint 1024 5
limits dn.exact="cn=Replica,dc=lufkin,dc=com" size=unlimited
time=unlimited
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 1000
# Indices to maintain
## required by OpenLDAP
index objectclass eq
index entryUUID eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index uniqueMember eq
index default sub
access to dn.base=""
by self write
by dn.exact="cn=Replica,dc=lufkin,dc=com" write
by * auth
access to attr=userPassword,sambaNTPassword,sambaLMPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * read
by anonymous auth
Thanks for any help
mikec
Solved I had "unix password sync = yes" apparently "ldap passwd sync = yes" is all that is needed to update passwords. I set "unix password sync = no" and things started to magically work. Not sure why, but it makes sense to let ldap handle the passwords. Sorry for the wasted bandwidth. mikec Mike Cauble wrote:> I have 6 domain controllers that were running samba-tng using > openldap, Six months ago I converted one of the controllers to > Samba3.0.20 and exported my ldap information to be compatible with > Samba, every works fine. Specifically I could change passwords at the > local windows machine. Two weeks ago I converted my other 5 > controllers to Samba3.0.21b everything works except changing passwords > at the windows machine. I have found that there has been a schema > change from .20 to 21 and am wondering if this could be the problem. I > am using Openldap 2.3.11. I am using the schema from Samba3.0.20 in > Samba3.0.21b. I know account policies were/are stored in > account_policy.tdb, but several things I read said that information > was moving to LDAP I can't find any information on how to make that > happen. I realize the schema could be the problem. My domains are > purely Samba, and I need the to be able to change passwords because of > Sorbanes-Oxley. > > I get these error messages on the domain controller when I try to > change the password > [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597) > Unable to open new log file /var/log/samba/mcauble-lt.log: Permission > denied > [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848) > smb_pam_passchange: PAM: Password Change Failed for user mikec! > [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848) > smb_pam_passchange: PAM: Password Change Failed for user mikec! > [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597) > Unable to open new log file /var/log/samba/mcauble-lt.log: Permission > denied > [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848) > smb_pam_passchange: PAM: Password Change Failed for user mikec! > [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848) > smb_pam_passchange: PAM: Password Change Failed for user mikec! > > The windows machine says "You don't have permission to change the > password" > > > Below is my slapd.conf file: > > # This file should NOT be world readable. > # > include /usr/local/etc/openldap/schema/core.schema > include /usr/local/etc/openldap/schema/cosine.schema > include /usr/local/etc/openldap/schema/inetorgperson.schema > include /usr/local/etc/openldap/schema/nis.schema > include /usr/local/etc/openldap/schema/samba.schema > > ####################################################################### > # ldbm database definitions > ####################################################################### > > database bdb > suffix "dc=lufkin,dc=com" > rootdn "cn=Manager,dc=lufkin,dc=com" > rootpw XXXXXX > directory /var/lib/ldap > loglevel 0 > cachesize 100000 > idlcachesize 300000 > checkpoint 1024 5 > > limits dn.exact="cn=Replica,dc=lufkin,dc=com" size=unlimited > time=unlimited > > overlay syncprov > syncprov-checkpoint 100 10 > syncprov-sessionlog 1000 > > # Indices to maintain > ## required by OpenLDAP > index objectclass eq > index entryUUID eq > index cn pres,sub,eq > index sn pres,sub,eq > index uid pres,sub,eq > index displayName pres,sub,eq > index uidNumber eq > index gidNumber eq > index memberUid eq > index sambaSID eq > index sambaPrimaryGroupSID eq > index sambaDomainName eq > index uniqueMember eq > index default sub > > access to dn.base="" > by self write > by dn.exact="cn=Replica,dc=lufkin,dc=com" write > by * auth > > access to attr=userPassword,sambaNTPassword,sambaLMPassword > by self write > by * auth > > access to attr=shadowLastChange > by self write > by * read > > access to * > by * read > by anonymous auth > > > Thanks for any help > mikec >