Hello

I have exactly the same trouble as described here: http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on samba-3.0.25b-2.fc7.

When I set "ldap passwd sync" to "only" and I change the password of some LDAP Samba user, the password in the attribute userPassword is never changed by the Samba daemon (to update the NT and LM passwords I use the smbk5pwd overlay). If I set pwd sync to "On", both attributes (NT&LM and userPassword) are updated successfully. (I don't want to use ldap passwd sync = "On", because then I could not create a user in usrmgr.exe without a defined password (access denied error).)

Is that behaviour correct?

thanks

Michal Bruncko
Michal Bruncko wrote:
> Hello

Hi,

In my opinion there is something wrong with "ldap password sync" and "unix password sync" as well. In my case I need to update the NTLM passwords and userPassword, but in several different places in the LDAP tree. In smb.conf I've got something like this:

  ldap passwd sync = No
  unix password sync = Yes
  passwd program = /opt/samba-3.0.23d/bin/spasswd.pl -u %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n

where the spasswd.pl script changes userPassword in many places for a particular user. The problem is that when I have "unix password sync = Yes" I CAN'T join any Linux machines to the domain. So to join such a machine I need to mark "unix password sync", then add the machine and change "unix password sync" back. This is a workaround, not a solution. The same situation occurs with 3.0.25b.

Regards,
Marcin

> I have exactly the same trouble as described here:
> http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on
> samba-3.0.25b-2.fc7.
> When I set "ldap passwd sync" to "only" and I change the password of some LDAP Samba
> user, the password in the attribute userPassword is never changed by the Samba daemon
> (to update the NT and LM passwords I use the smbk5pwd overlay). If I set pwd
> sync to "On", both attributes (NT&LM and
> userPassword) are updated successfully. (I don't want to use ldap passwd sync
> = "On", because then I could not create a user in usrmgr.exe without a defined
> password (access denied error).)
>
> Is that behaviour correct?
>
> thanks
>
> Michal Bruncko

--
ARISE M.Giedz, T.?ebru? Sp.j.
http://www.arise.pl
mail: giedz@arise.pl
tel: +48 502 537 157
Thierry Lacoste
2007-Aug-16 18:25 UTC
[Samba] sambaPwdCanChange and sambaPwdMustChange (WAS: ldap passwd sync only)
On Wednesday 15 August 2007 01:59, Michal Bruncko wrote:
> Hello
>
> I have exactly the same trouble as described here:
> http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on
> samba-3.0.25b-2.fc7.
> When I set "ldap passwd sync" to "only" and I change the password of some LDAP Samba
> user, the password in the attribute userPassword is never changed by the Samba daemon
> (to update the NT and LM passwords I use the smbk5pwd overlay). If I set pwd
> sync to "On", both attributes (NT&LM and
> userPassword) are updated successfully.

I have not been able to make 3.0.25 change the sambaPwdCanChange and sambaPwdMustChange attributes when changing a password from Windows. This may explain the problem with ldap passwd sync = only, as demonstrated by a log level 10:

  [2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
    ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  [2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
    init_ldap_from_sam: Setting entry for user: lacoste
  [2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
  [2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
    push_conn_ctx(101) : conn_ctx_stack_ndx = 1
  [2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
  [2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
    NT user token: (NULL)
  [2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
  [2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
    Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295 , timeout = Tue Aug 14 23:46:25 2007
  [2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
  [2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
    ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste

Here's a log level 10 on 3.0.22:

  [2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
    ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
  [2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
    init_ldap_from_sam: Setting entry for user: lacoste
  [2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
    smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
  [2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
    smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
  [2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
    smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |1218662144|
  [2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
    smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
  [2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
    smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
  [2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
    ldapsam_modify_entry: LDAP Password changed for user lacoste
  [2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
    ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database

I tried to play with account policies but with no success. Did I miss something? How can I trigger a change of sambaPwdCanChange and sambaPwdMustChange?

Regards,
Thierry.
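A small audit script, added here as an illustration and not code from this thread or from the Samba project: it reads Samba 3.0.x log-level-10 output in the shape quoted above (the passdb/pdb_ldap.c and lib/smbldap.c lines) and reports, for one ldapsam_update_sam_account pass, which LDAP attributes Samba rewrote, whether the pass ended in "mods is empty", and which account-policy values it consulted. The two sample logs are constructed from the thread's quotes, not captured output; treating 2147483647 (the 32-bit time_t maximum that the 3.0.22 log writes to sambaPwdMustChange when maximum password age is 4294967295) as "never" is this script's own reading of the log.

```python
"""Audit Samba 3.0.x log-level-10 output for an LDAP password change.

Constructed example: the log-line shapes come from the thread above;
the sample text is built from those quotes and is not real captured output.
"""
import re
from datetime import datetime, timezone

# "[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
# "smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|"
MOD_RE = re.compile(
    r"smbldap_make_mod: (adding|deleting) attribute \|([^|]+)\| values? \|\s*([^|]*?)\s*\|")
# "ldapsam_update_sam_account: user lacoste to be modified has dn: uid=..."
DN_RE = re.compile(r"user (\S+) to be modified has dn: (.+)$")
# "Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295 , ..."
POLICY_RE = re.compile(r"key = ACCT_POL/([^,]+), value = (\d+)")

# 32-bit time_t maximum; assumed here to mean "password never expires".
PWD_NEVER = 2147483647

# Constructed samples modelled on the two logs quoted in the thread.
SAMPLE_3025 = """\
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295 , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty:
  nothing to update for user: lacoste
"""

SAMPLE_3022 = """\
[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values | 1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database
"""


def parse_samba_log(text):
    """Pair each '[date, level] file:func(line)' header with the message
    line(s) that follow it; continuation lines are joined with a space."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "source": m.group(3), "message": ""}
            records.append(current)
        elif current is not None:
            current["message"] = (current["message"] + " " + line).strip()
    return records


def describe_pwd_time(value):
    """Render a sambaPwdCanChange / sambaPwdMustChange epoch value."""
    value = int(value)
    if value >= PWD_NEVER:
        return "never"
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def audit_password_change(text):
    """Summarise one ldapsam_update_sam_account pass: attributes rewritten
    (old/new values), whether it ended in 'mods is empty', and the account
    policy values Samba looked up on the way."""
    result = {"user": None, "dn": None, "mods": {}, "policy": {},
              "mods_empty": False, "modified": False}
    for rec in parse_samba_log(text):
        msg = rec["message"]
        m = DN_RE.search(msg)
        if m:
            result["user"], result["dn"] = m.group(1), m.group(2)
            continue
        m = MOD_RE.search(msg)
        if m:
            action, attr, value = m.groups()
            slot = result["mods"].setdefault(attr, {"old": None, "new": None})
            slot["old" if action == "deleting" else "new"] = value
            continue
        m = POLICY_RE.search(msg)
        if m:
            result["policy"][m.group(1)] = int(m.group(2))
        elif "mods is empty" in msg:
            result["mods_empty"] = True
        elif "successfully modified" in msg:
            result["modified"] = True
    return result


if __name__ == "__main__":
    for label, sample in (("3.0.25", SAMPLE_3025), ("3.0.22", SAMPLE_3022)):
        r = audit_password_change(sample)
        print("%s user=%s mods_empty=%s modified=%s policy=%s"
              % (label, r["user"], r["mods_empty"], r["modified"], r["policy"]))
        for attr, slot in r["mods"].items():
            print("  %s: %s -> %s" % (attr, describe_pwd_time(slot["old"]),
                                      describe_pwd_time(slot["new"])))
```

Run it against a real `log.smbd` capture taken at log level 10 around a password change: a pass that reports mods_empty with no attribute changes is the 3.0.25 symptom described above, while a healthy pass lists the sambaPwdCanChange / sambaPwdMustChange rewrite and ends with modified=True.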