Adam Tauno Williams
2009-Feb-22 19:03 UTC
[Samba] Changing LDAP userPassword fails: Internal (implementation specific) error
openldap-2.3.27-8.el5_2.4,samba3-3.2.8-38

An smbpasswd by root to change a user's password fails with:

    [root@littleboy samba]# smbpasswd adam
    New SMB password:
    Retype new SMB password:
    ldapsam_modify_entry: LDAP Password could not be changed for user adam: Internal (implementation specific) error
            password hash failed
    Failed to modify entry for user adam.
    Failed to modify password entry for user adam

This changes the Samba password but fails to change the user's userPassword (LDAP sync) password. But I can "manually" change the password using the DC's bind DN and password:

    # ldappasswd -S -H ldapi://%2fvar%2frun%2fldap2.4%2fldapi -vvvvvvvvv -x -W -D "uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US" "cn=Adam Williams,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US"
    New password:
    Re-enter new password:
    Enter LDAP Password:
    ldap_initialize( ldapi://%2fvar%2frun%2fldap2.4%2fldapi )
    Result: Success (0)

Samba LDAP configuration:

    passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
    ldap ssl = no
    ldap admin dn = uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
    ldap suffix = o=Morrison Industries,c=US
    ldapsam:trusted = yes
    ldap passwd sync = Yes

Oddly, attempting to change the password AS THE USER fails with a different error message, either via smbpasswd or via the password change dialog on a Win32 workstation:

    bash-3.2$ smbpasswd -U adam
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    machine 127.0.0.1 rejected the (anonymous) password change: Error was : Wrong Password.
    Failed to change password for adam

It always just says the user's password is wrong, although the user can login, navigate, etc...

Is this https://bugzilla.samba.org/show_bug.cgi?id=5886 ?

François Legal
2009-Feb-23 08:21 UTC
[Samba] Changing LDAP userPassword fails: Internal (implementation specific) error
Well, you usually have some specific ACL in LDAP for the userPassword attribute that restricts access to only the owner of the entry and an administrator. You should make sure that the DN used by Samba to bind to the directory (ldap admin dn) has access to the userPassword attribute.

Also, you should check that LDAP is not set up with the smbpasswd overlay, in which case you should change the ldap sync parameter to only.

François

On Sun, 22 Feb 2009 14:02:15 -0500, Adam Tauno Williams <adamtaunowilliams@gmail.com> wrote:
> openldap-2.3.27-8.el5_2.4,samba3-3.2.8-38
>
> An smbpasswd by root to change a user's password fails with:
>
> [root@littleboy samba]# smbpasswd adam
> New SMB password:
> Retype new SMB password:
> ldapsam_modify_entry: LDAP Password could not be changed for user adam:
> Internal (implementation specific) error
> password hash failed
> Failed to modify entry for user adam.
> Failed to modify password entry for user adam
>
> This changes the Samba password but fails to change the user's
> userPassword (LDAP sync) password. But I can "manually" change the
> password using the DC's bind DN and password:
>
> # ldappasswd -S -H ldapi://%2fvar%2frun%2fldap2.4%2fldapi -vvvvvvvvv -x
> -W -D "uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison
> Industries,c=US" "cn=Adam
> Williams,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US"
> New password:
> Re-enter new password:
> Enter LDAP Password:
> ldap_initialize( ldapi://%2fvar%2frun%2fldap2.4%2fldapi )
> Result: Success (0)
>
> Samba LDAP configuration:
> passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi
> ldap ssl = no
> ldap admin dn = uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison
> Industries,c=US
> ldap suffix = o=Morrison Industries,c=US
> ldapsam:trusted = yes
> ldap passwd sync = Yes
>
> Oddly, attempting to change the password AS THE USER fails with a
> different error message, either via smbpasswd or via the password change
> dialog on a Win32 workstation:
>
> bash-3.2$ smbpasswd -U adam
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> machine 127.0.0.1 rejected the (anonymous) password change: Error was :
> Wrong Password.
> Failed to change password for adam
>
> It always just says the user's password is wrong, although the user can
> login, navigate, etc...
>
> Is this https://bugzilla.samba.org/show_bug.cgi?id=5886 ?
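
The ACL check suggested in the reply above, as an added example that is not part of the original thread and not the poster's actual configuration: a slapd.conf sketch showing how rule order decides whether the Samba bind DN (the "ldap admin dn" from the first message) can write userPassword. The catch-all rule and the "before" ordering are assumptions made for illustration.

```conf
# slapd.conf ACL sketch (added example; the surrounding rules are assumed).
# slapd evaluates "access to" clauses in order and stops at the first clause
# whose target matches the attribute, so attribute-specific rules must come
# before any catch-all "access to *".

# Before (assumed problem ordering): the catch-all matches userPassword first,
# so the Samba bind DN is treated as an ordinary authenticated user (read
# only) and the userPassword rule below it is never reached.
#
#   access to *
#       by self write
#       by users read
#       by * none
#   access to attrs=userPassword
#       by dn.exact="uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US" write
#       by self write
#       by anonymous auth
#       by * none

# After: the userPassword rule is evaluated first.
access to attrs=userPassword
    # DN Samba binds with (smb.conf "ldap admin dn"): needs write access
    by dn.exact="uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US" write
    # The owner of the entry may change their own password
    by self write
    # Unauthenticated clients may only use the value to authenticate a bind
    by anonymous auth
    # Nobody else can read or write the stored hash
    by * none

# Catch-all for every other attribute, placed last.
access to *
    by self write
    by users read
    by * none
```

The `slapacl` tool shipped with OpenLDAP can evaluate these rules offline for a given bind DN (`-D`), target entry (`-b`) and an attribute/access pair such as `userPassword/write`.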