jayendren anand maduray
2007-Nov-27 14:21 UTC
[Samba] Unable to change password in windows - SAMBA_LDAP_PDC
Hi All.

I have a SAMBA PDC that uses LDAP as its back end.
The OS is UBUNTU 6.10 Server.
SAMBA Version is 3.022

The problem is, when a client logs onto the Domain, he presses Control+Alt+Del, and chooses Change Password.
He types in the old password, then the new one, and confirms this.
When he clicks on OK, it thinks for a bit (about 30 seconds) and then says:
"The system cannot change your password now because the domain RIVONINGO.HIVSA is not available"

This used to work before, and works fine on another server, with the identical settings.

The log file for the computer says:
[2007/11/27 16:00:11, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2171)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)

or sometimes

Unable to open new log file /var/log/samba/log.computername: Permission denied

My smb.conf looks like this:

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = RIVONINGO.HIVSA
   netbios name = SOUL-CALIBUR

# server string is the equivalent of the NT Description field
   server string = PHRU Domain Control

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;printcap name = /etc/printcap
   load printers = no
;utmp = yes

#Jay Added (disable printing)
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = cups

# This option tells cups that the data has already been rasterized
;   cups options = raw

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# Put a capping on the size of the log files (in Kb).
   max log size = 100000

# Security mode. Most people will want user level security. See
# security_level.txt for details.
# Use password server option only with security = server
;   password server = <NT-Server-Name>
   security = user

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;  smb passwd file = /etc/samba/smbpasswd
   encrypt passwords = true

#PAM,LDAP, TIME_Server settings
#Jay added:
   obey pam restrictions = no
   ldap passwd sync = yes
   time server = yes
   enable privileges = yes

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
;passwd chat = *Enter*password* %n\n *Retype*password* %n\n *success*
   passwd program = /usr/sbin/smbldap-passwd -s %u
;  /usr/sbin//smbldap-passwd %u
   unix password sync = no

#Logging
# This tells Samba to use a separate log file for each machine
# that connects all log information in one file
#Jay added:
   log level = 0
   syslog = 0
;  log file = /var/log/samba/smbd.log
   log file = /var/log/samba/log.%m
   mangling method = hash2
   dos charset = 850
   unix charset = ISO8859-1

# Unix users can map to different SMB User names
   username map = /etc/samba/smbusers

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24
   interfaces = eth0

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes
   preferred master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33
   os level = 100

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows workstations.
   domain logons = yes

#Automatic homes, LDAP Backend
#Jay added:
   logon drive = U:
   logon home = \\soul-calibur\%U
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=manager,dc=rivoningo,dc=hivsa
   ldap suffix = dc=rivoningo,dc=hivsa
   ldap group suffix = ou=smbGroups,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
   ldap user suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
   ldap machine suffix = ou=smbComputers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
   ldap idmap suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
   idmap backend = ldap://127.0.0.1
;ldap port = 636
   ldap ssl = off
;ldap ssl = start_tls
   ldap delete dn = yes

#Use the smbldap-tools scripts
#Jay added:
   add user script = /usr/sbin//smbldap-useradd -m "%u"
   delete user script = /usr/sbin//smbldap-userdel "%u"
   add machine script = /usr/sbin//smbldap-useradd -w "%u"
   add group script = /usr/sbin//smbldap-groupadd -p "%g"
   delete group script = /usr/sbin//smbldap-groupdel "%g"
   add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes

#Testing csc policy, acls, hide dot files
#Jay added:
;   acl compatibility = yes
;   nt acl support = yes
;   nt pipe support = yes
;   nt status support = yes
;   kernel oplocks = yes
;   lock spin count = 3
;   lock spin time = 10
;   oplock break wait time = 0
;   inherit permissions = yes
;   inherit acls = yes
;   csc policy = manual
;   fake oplocks = no
;   locking = yes
;   oplocks = yes
;   level2 oplocks = yes
;   oplock contention limit = 2
;   posix locking = yes
;   strict locking = yes
;   hide dot files = yes

#============================ Share Definitions ==============================
#IDMAP/Shell/Winbind Settings:
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no

[homes]
   comment = Home Directories
   valid users = %S
   browseable = yes
   writable = yes
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
#This prevents users from browsing other peoples' files
#Jay added:
   create mask = 0600
   directory mask = 0700
#ACL/OPLOCKS
#Jay added:
   nt acl support = yes
   nt pipe support = yes
   nt status support = yes
;kernel oplocks = yes
;lock spin count = 3
;lock spin time = 10
;oplock break wait time = 0
   inherit permissions = yes
   inherit acls = yes
;fake oplocks = no
;locking = yes
;oplocks = yes
   level2 oplocks = no
;oplock contention limit = 2
;posix locking = yes
;strict locking = yes
   hide dot files = yes
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
#Jay Added:
#Real_Time Antivirus Scanning
   vfs object = recycle
;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
   recycle:repository = .deleted
   recycle:keeptree = Yes
   recycle:versions = Yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   write list = root jayendren
#Jay Added:
#Real_Time Antivirus Scanning
;vfs object = vscan-clamav
;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

[profiles]
   path = /srv/samba/file-server/staff/%U/profile
;valid users = %S
   writeable = yes
   browseable = no
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
#Jay Added:
#Real_Time Antivirus Scanning
   vfs object = recycle
;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
   recycle:repository = .deleted
   recycle:keeptree = Yes
   recycle:versions = Yes
#This prevents users from browsing other peoples' profiles
#Jay added:
   create mode = 0600
   directory mode = 0700
#ACL/OPLOCKS
#Jay added:
   nt acl support = yes
   nt pipe support = yes
   nt status support = yes
   inherit permissions = yes
   inherit acls = yes
   level2 oplocks = no
   acl compatibility = auto

[wallpaper]
   path = /srv/samba/file-server/wallpaper
;valid users = %S
;public = yes
   writeable = no
   browseable = yes
#Jay Added:
#Real_Time Antivirus Scanning
;vfs object = vscan-clamav
;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

Any help regarding this will be greatly appreciated, as I have set the accounts to expire their passwds after 45 days. All hell's gonna break loose in 10 days time!

God bless.

-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
Senior IT Administrator
Perinatal HIV Research Unit
Wits Health Consortium
University of the Witwatersrand
Alternate email address: jayendren@mweb.co.za
Fax Number: 0866857317

...There are 10 types of people, those who understand binary and those who do not...
Edmundo Valle Neto
2007-Nov-27 22:37 UTC
[Samba] Unable to change password in windows - SAMBA_LDAP_PDC
jayendren anand maduray wrote:
> Hi All.
>
> I have a SAMBA PDC that uses LDAP as its back end.
> The OS is UBUNTU 6.10 Server.
> SAMBA Version is 3.022
>
> The problem is, when a client logs onto the Domain, he presses
> Control+Alt+Del, and chooses Change Password.
> He types in the old password, then the new one, and confirms this.
> When he clicks on OK, it thinks for a bit (about 30 seconds) and then
> says:
> "The system cannot change your password now because the domain
> RIVONINGO.HIVSA is not available"
>
> This used to work before, and works fine on another server, with the
> identical settings.
>
> The log file for the computer says:
> [2007/11/27 16:00:11, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2171)
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
> (No such object)

This says that something wasn't found in LDAP, but doesn't say what or where it was looked for.

(...)

> ldap suffix = dc=rivoningo,dc=hivsa
> ldap group suffix =
> ou=smbGroups,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
> ldap user suffix =
> ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
> ldap machine suffix =
> ou=smbComputers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
> ldap idmap suffix =
> ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa

I didn't understand why you created your DIT that way, but ...

From the smb.conf man page:

   ldap suffix (G)
       Specifies the base for all ldap suffixes and for storing the
       sambaDomain object.

       The ldap suffix will be appended to the values specified for the
       ldap user suffix, ldap group suffix, ldap machine suffix, and the
       ldap idmap suffix. Each of these should be given only a DN relative
       to the ldap suffix.

       Default: ldap suffix

       Example: ldap suffix = dc=samba,dc=org

   ldap user suffix (G)
       This parameter specifies where users are added to the tree. If this
       parameter is unset, the value of ldap suffix will be used instead.
       The suffix string is pre-pended to the ldap suffix string SO USE A
       PARTIAL DN.

       Default: ldap user suffix

       Example: ldap user suffix = ou=people

(...)

So take a look at the "SO USE A PARTIAL" part; it applies to all organizational unit suffixes.

Regards.

Edmundo Valle Neto
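The doubled-DN effect Edmundo points at, as an added example that is not part of the original thread and not Samba's own code: it applies the man page's rule (ldap suffix appended to each partial suffix) to the suffixes posted above, shows the search base Samba ends up using for each, and flags values that are already full DNs. The function names and the lint check are assumptions of this example.

```python
# Added example, not Samba's code: models the man-page rule quoted above
# ("ldap suffix" is appended to each partial suffix) and flags full DNs.

LDAP_SUFFIX = "dc=rivoningo,dc=hivsa"  # from the posted smb.conf
SUFFIX_KEYS = ("ldap user suffix", "ldap group suffix",
               "ldap machine suffix", "ldap idmap suffix")


def effective_base(partial_suffix, ldap_suffix):
    """DN Samba searches: "<partial>,<ldap suffix>", or ldap suffix alone
    when the partial suffix is unset."""
    if not partial_suffix:
        return ldap_suffix
    return f"{partial_suffix},{ldap_suffix}"


def lint_suffixes(conf):
    """Map each suffix parameter to (effective DN, problem or None)."""
    ldap_suffix = conf["ldap suffix"]
    report = {}
    for key in SUFFIX_KEYS:
        partial = conf.get(key, "")
        problem = None
        # A value already ending in the ldap suffix gets it appended twice;
        # that DN is not in the DIT, so LDAP answers "No such object".
        if partial.lower().endswith(ldap_suffix.lower()):
            problem = "full DN given; use a DN relative to 'ldap suffix'"
        report[key] = (effective_base(partial, ldap_suffix), problem)
    return report


# Suffixes as posted in the thread (full DNs), constructed for this example.
BROKEN = {"ldap suffix": LDAP_SUFFIX}
for _ou, _key in (("smbUsers", "ldap user suffix"),
                  ("smbGroups", "ldap group suffix"),
                  ("smbComputers", "ldap machine suffix"),
                  ("smbUsers", "ldap idmap suffix")):
    BROKEN[_key] = f"ou={_ou},ou=soul-calibur,ou=smbServers,{LDAP_SUFFIX}"

# The same tree as partial DNs, which is what the man page asks for.
FIXED = {k: (v[: -len(LDAP_SUFFIX) - 1] if k in SUFFIX_KEYS else v)
         for k, v in BROKEN.items()}

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {name} ==")
        for key, (dn, problem) in lint_suffixes(conf).items():
            print(f"{key}: {dn}" + (f"  <-- {problem}" if problem else ""))
```

Running the same comparison against a live server with ldapsearch on each effective base confirms which bases exist, but the doubled suffix is already visible without touching the directory.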