samba - Apr 2009 - Samba does not change UNIX password after OpenLDAP server upgraded

Hi,

I have been running Samba with OpenLDAP for a few years.  We recently 
upgrade the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is 
changed the UNIX password is not changed anymore.  Samba server does not 
log any errors   The samba configuration file did not change when the 
LDAP server was upgraded.

I do have "ldap passwd sync =Yes" in smb.conf and it used to work
fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype new
password*" %n\n"

instead of "ldappasswd sync", what access control do I have to add to 
the slapd.conf file?

Thank you very much for your help!

John

John Du wrote:
> Hi,
>
> I have been running Samba with OpenLDAP for a few years.  We recently 
> upgrade the OpenLDAP server from 2.2.13 to 2.4.11.
>
> When users change their passwords now, only the Windows password is 
> changed the UNIX password is not changed anymore.  Samba server does 
> not log any errors   The samba configuration file did not change when 
> the LDAP server was upgraded.
>
> I do have "ldap passwd sync =Yes" in smb.conf and it used to work
fine.
>
> Has anyone seen this?
>
> If I use
>
> unix password sync = Yes
> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
> passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype
> new password*" %n\n"
>
> instead of "ldappasswd sync", what access control do I have to
add to
> the slapd.conf file?
>
> Thank you very much for your help!
>
> John
>
>
>
I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel 
2.6.9-42.0.2.

David Markey wrote:
> John Du wrote:
>   
>> David Markey wrote:
>>     
>>> John Du wrote:
>>>  
>>>       
>>>> David Markey wrote:
>>>>    
>>>>         
>>>>> I would imagine that you'll need to re-jig your ACLs in
slapd.conf,
>>>>>
>>>>> Please supply logs.
>>>>>
>>>>>         
>>>>>           
>>>> Thank you very much.
>>>>
>>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the
Windows
>>>> and UNIX password.  If the problem is ACL related, wouldn't
I have the
>>>> same problem with this tool?
>>>>
>>>> When samba changes passwords, does the process run as root or
as the
>>>> user making the passwords change?
>>>>     
>>>>         
>>> If you're using smbldap-passwd and unix password sync, it's
done as
>>> root. ldap passwd sync is done as the LDAP dn that you've
configured in
>>> smb.conf. It's much preferable to use ldap passwd sync.
>>>
>>>   
>>>       
>> I did not make myself clear. When I say I can use  smbldap-passwd to
>> change password, I mean I can run the tool from the command line as
>> root.  If I use smbldap-passwd  and unix passwd sync in smb.conf, I
>> get a "you do not have permission to change password" message
when
>> attempting to change password.
>>
>> So at this time I am still using ldap passwd sync in smb.conf and that
>> is when it only changes the Windows password.
>>
>> Does the userPassword attribute require different ACL than
>> sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
>> LDAP database.
>>
>>     
>
> That is strange, LDAP password updates are done via EXOP, have you
> defined a password hash in slapd.conf?
>
> Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf,
> Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.
>
>
>
>   
My thanks to David and all who have responded to my questions.  I have 
identified where and what the problem is but I am not sure it is a Samba 
problem or OpenLDAP problem.

I am trying to give you a clear picture.

1. unix passwd sync works perfectly.

I replaced "ldap passwd sync = Yes" with:

   unix password sync = Yes
   passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
   passwd chat = "Changing UNIX password for*\nNew password*" %n\n 
"*Retype new password*" %n\n"

No changes on the OpenLDAP side.  Users can change their Windows and 
LDAP password correctly all the time.

2. ldap passwd sync = Yes does not change the LDAP password but it 
changes the Windows password OK. 

   2.1  OpenLDAP with some ACLs defined.
   
   When the OpenLDAP server has some ACLs defined,   the samba server 
logs the following:

  2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
  ldap password change requested, but LDAP server does not support it -- 
ignoring
 
  The LDAP password is not changed.

   2.2 When no ACLs  are defined in slapd.conf.

   [2009/04/30 23:43:03, 10] lib/smbldap.c:smbldap_extended_operation(1525)
   Extended operation failed with error: 80 (Internal (implementation 
specific) error) (password hash failed)
  [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 
johndu: Internal (implementation specific) error
        password hash failed

Hash is defined in slapd.conf as follows:

password-hash {CRYPT}
password-crypt-salt-format $1$%.2s

The Windows user will get a "the user name or old password is
incorrect"
message in this case.
   
The LDAP root DN is used all the time everywhere.

I can mail the complete log files to you if they can help you to 
determine the cause of the problem.  There seems to be some 
compatibility issues between the LDAP server and the Samba server.  
Logically I think if the IDEALX tool works the samba server's internal 
LDAP functions should work as well.

Let me know if you any further information from me.

Wish you all to have a good weekend!

John
>
>
>   
>> Thanks!
>>
>>     
>>>  
>>>  
>>>       
>>>> Thanks again.
>>>>    
>>>>         
>>>>> John Du wrote:
>>>>>  
>>>>>      
>>>>>           
>>>>>> John Du wrote:
>>>>>>           
>>>>>>             
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have been running Samba with OpenLDAP for a few
years.  We
>>>>>>> recently
>>>>>>> upgrade the OpenLDAP server from 2.2.13 to 2.4.11.
>>>>>>>
>>>>>>> When users change their passwords now, only the
Windows password is
>>>>>>> changed the UNIX password is not changed anymore. 
Samba server does
>>>>>>> not log any errors   The samba configuration file
did not change
>>>>>>> when
>>>>>>> the LDAP server was upgraded.
>>>>>>>
>>>>>>> I do have "ldap passwd sync =Yes" in
smb.conf and it used to work
>>>>>>> fine.
>>>>>>>
>>>>>>> Has anyone seen this?
>>>>>>>
>>>>>>> If I use
>>>>>>>
>>>>>>> unix password sync = Yes
>>>>>>> passwd program = /opt/IDEALX/sbin/smbldap-passwd -u
%u
>>>>>>> passwd chat = "Changing password for*\nNew
password*" %n\n "*Retype
>>>>>>> new password*" %n\n"
>>>>>>>
>>>>>>> instead of "ldappasswd sync", what access
control do I have to
>>>>>>> add to
>>>>>>> the slapd.conf file?
>>>>>>>
>>>>>>> Thank you very much for your help!
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                 
>>>>>>>               
>>>>>> I forgot to mention that the Samba version is 3.0.28 on
EHEL4 kernel
>>>>>> 2.6.9-42.0.2.
>>>>>>             
>>>>>>             
>>>>>         
>>>>>           
>>>   
>>>       
>
>
>