Jörg Spilker
2008-Jul-20 17:07 UTC
[Samba] Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value
Hello,
i?ve some problems setting the initial password for Windows and Unix
User with Samba configured to use LDAP as backend.
I?ve attached the configuration files and the errors.
Creating a new user with net rpc user add "xyz" is working without
problem. Using for example GQ as LDAP browser, i can see the account and
also getent passwd is showing the entry. I?ve activated ldap passwd
sync = yes which should update NT Password and unix password. I?ve set
the password for the ldap admin dn with smbpasswd -W. However when
issuing the command smbpasswd "xyz" i got the attached error message.
I?m not sure why, because i?ve difficulties to read the ldap debug
information. I know that error 50 means insufficient privileges. But
when i remove the passwd sync = yes commandline, smbpasswd updates the
NT Password without problems. What is wrong?
Greetings, Joerg
-------------- next part --------------
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
access to dn.base=""
by dn="cn=samba,dc=jetsys,dc=de" write
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by dn="cn=samba,dc=jetsys,dc=de" write
by * read
-------------- next part --------------
[global]
log level = all:10
workgroup = JETSYS
security = user
domain logons = yes
domain master = yes
wins support = yes
passdb backend = ldapsam
ldap admin dn = cn=samba,dc=jetsys,dc=de
ldap suffix = dc=jetsys,dc=de
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmaps
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap domains = JETSYS
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=jetsys,dc=de
idmap alloc config:ldap_user_dn = cn=samba,dc=jetsys,dc=de
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
-------------- next part --------------
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH
base="dc=jetsys,dc=de" scope=2 deref=0
filter="(&(uid=js)(objectClass=sambaSamAccount))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Jul 20 18:35:56 src@xdaolin slapd[3134]: <= bdb_equality_candidates: (uid)
not indexed
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SEARCH RESULT tag=101 err=0
nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH
base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0
filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH
attr=sambaPwdHistoryLength
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SEARCH RESULT tag=101 err=0
nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH
base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0
filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH attr=sambaMaxPwdAge
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SEARCH RESULT tag=101 err=0
nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH
base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=50000))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SEARCH RESULT tag=101 err=0
nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH
base="ou=users,dc=jetsys,dc=de" scope=2 deref=0
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH attr=uid sambaSid
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SEARCH RESULT tag=101 err=0
nentries=0 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH
base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH attr=cn displayName
sambaSid sambaGroupType
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SEARCH RESULT tag=101 err=0
nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD
dn="uid=js,ou=users,dc=jetsys,dc=de"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD attr=sambaPwdLastSet
sambaPwdLastSet
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0
textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH
attr=supportedExtension
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT tag=101
err=0 nentries=1 textJul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 PASSMOD
id="uid=js,ou=users,dc=jetsys,dc=de" new
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 textJul
20 18:35:56 src@xdaolin slapd[3134]: conn=9 fd=20 closed (connection lost)
-------------- next part --------------
xdaolin:~ # smbpasswd js
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user js:
Insufficient access
unknown
Failed to modify entry for user js.
Failed to modify password entry for user js
kissg
2008-Jul-20 21:17 UTC
[Samba] Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value
Could you please try what happens if you set admin dn in smb.conf to your LDAP administrator account? In my opinion, it would be better to use the scripts provided by smbldap-tools to change unix account information, and let Samba to handle the rest of the attributes. That way, use of the passwd sync setting would be unnecessary. I'm attaching my config files, try to set up your configuration according to them. I don't have such problems like you, my DC works wonderfully with an LDAP backend. Regards Gergely Kiss, Hungary 2008/7/20 J?rg Spilker <js@jetsys.de>:> Hello, > > i?ve some problems setting the initial password for Windows and Unix User > with Samba configured to use LDAP as backend. > > I?ve attached the configuration files and the errors. > > Creating a new user with net rpc user add "xyz" is working without problem. > Using for example GQ as LDAP browser, i can see the account and also getent > passwd is showing the entry. I?ve activated ldap passwd sync = yes which > should update NT Password and unix password. I?ve set the password for the > ldap admin dn with smbpasswd -W. However when issuing the command smbpasswd > "xyz" i got the attached error message. > > I?m not sure why, because i?ve difficulties to read the ldap debug > information. I know that error 50 means insufficient privileges. But when i > remove the passwd sync = yes commandline, smbpasswd updates the NT Password > without problems. What is wrong? > > Greetings, Joerg > > > # Sample access control policy: > # Root DSE: allow anyone to read it > # Subschema (sub)entry DSE: allow anyone to read it > # Other DSEs: > # Allow self write access to user password > # Allow anonymous users to authenticate > # Allow read access to everything else > # Directives needed to implement policy: > > access to dn.base="" > by dn="cn=samba,dc=jetsys,dc=de" write > by * read > > access to dn.base="cn=Subschema" > by * read > > access to attrs=userPassword,userPKCS12 > by self write > by * auth > > access to attrs=shadowLastChange > by self write > by * read > > access to * > by dn="cn=samba,dc=jetsys,dc=de" write > by * read > > > [global] > log level = all:10 > workgroup = JETSYS > security = user > domain logons = yes > domain master = yes > > wins support = yes > > passdb backend = ldapsam > ldap admin dn = cn=samba,dc=jetsys,dc=de > ldap suffix = dc=jetsys,dc=de > ldap user suffix = ou=users > ldap group suffix = ou=groups > ldap machine suffix = ou=computers > ldap idmap suffix = ou=idmaps > ldap passwd sync = yes > ldapsam:trusted = yes > ldapsam:editposix = yes > > idmap domains = JETSYS > idmap alloc backend = ldap > idmap alloc config:ldap_base_dn = ou=idmap,dc=jetsys,dc=de > idmap alloc config:ldap_user_dn = cn=samba,dc=jetsys,dc=de > idmap alloc config:ldap_url = ldap://localhost > idmap alloc config:range = 50000-500000 > > > > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH > base="dc=jetsys,dc=de" scope=2 deref=0 > filter="(&(uid=js)(objectClass=sambaSamAccount))" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH attr=uid > uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange > sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn > displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath > description sambaUserWorkstations sambaSID sambaPrimaryGroupSID > sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags > sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime > sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp > uidNumber > Jul 20 18:35:56 src@xdaolin slapd[3134]: <= bdb_equality_candidates: (uid) > not indexed > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SEARCH RESULT tag=101 > err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH > base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 > filter="(objectClass=*)" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH > attr=sambaPwdHistoryLength > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SEARCH RESULT tag=101 > err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH > base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 > filter="(objectClass=*)" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH > attr=sambaMaxPwdAge > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SEARCH RESULT tag=101 > err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH > base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 > filter="(&(objectClass=sambaGroupMapping)(gidNumber=50000))" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH attr=gidNumber > sambaSID sambaGroupType sambaSIDList description displayName cn objectClass > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SEARCH RESULT tag=101 > err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH > base="ou=users,dc=jetsys,dc=de" scope=2 deref=0 > filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH attr=uid > sambaSid > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SEARCH RESULT tag=101 > err=0 nentries=0 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH > base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 > filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH attr=cn > displayName sambaSid sambaGroupType > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SEARCH RESULT tag=101 > err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD > dn="uid=js,ou=users,dc=jetsys,dc=de" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD > attr=sambaPwdLastSet sambaPwdLastSet > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0 > text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH base="" scope=0 > deref=0 filter="(objectClass=*)" > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH > attr=supportedExtension > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT > tag=101 err=0 nentries=1 text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 EXT > oid=1.3.6.1.4.1.4203.1.11.1 > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 PASSMOD > id="uid=js,ou=users,dc=jetsys,dc=de" new > Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 > text> Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 fd=20 closed (connection > lost) > > xdaolin:~ # smbpasswd js > New SMB password: > Retype new SMB password: > ldapsam_modify_entry: LDAP Password could not be changed for user js: > Insufficient access > unknown > Failed to modify entry for user js. > Failed to modify password entry for user js > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba >
Charlie
2008-Jul-21 15:44 UTC
[Samba] Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value
Herr Spilker, you need to change this part>access to attrs=userPassword,userPKCS12 > by self write > by * authto allow your samba daemon to write the unix password, which is stored in the userPassword attribute. For example, this should work: access to attrs=userPassword,userPKCS12 by self write by dn="cn=samba,dc=jetsys,dc=de" write by * auth I personally would not use these permissions (I don't let samba daemons write passwords to accounts that do not have the sambaSamAccount objectclass) but many people do. You have allowed samba to write your root DSE in this stanza:> access to dn.base="" > by dn="cn=samba,dc=jetsys,dc=de" write > by * readI have never heard of anyone doing this before; is there a reason? --Charlie