John Du
2009-Apr-30 21:04 UTC
[Samba] Samba does not change UNIX password after OpenLDAP server upgraded
Hi,

I have been running Samba with OpenLDAP for a few years. We recently upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is changed; the UNIX password is not changed anymore. The Samba server does not log any errors. The Samba configuration file did not change when the LDAP server was upgraded.

I do have "ldap passwd sync = Yes" in smb.conf and it used to work fine.

Has anyone seen this?

If I use

  unix password sync = Yes
  passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
  passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

instead of "ldap passwd sync", what access control do I have to add to the slapd.conf file?

Thank you very much for your help!

John
John Du
2009-Apr-30 22:32 UTC
[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded
John Du wrote:
> Hi,
>
> I have been running Samba with OpenLDAP for a few years. We recently
> upgraded the OpenLDAP server from 2.2.13 to 2.4.11.
>
> When users change their passwords now, only the Windows password is
> changed; the UNIX password is not changed anymore. The Samba server does
> not log any errors. The Samba configuration file did not change when
> the LDAP server was upgraded.
>
> I do have "ldap passwd sync = Yes" in smb.conf and it used to work fine.
>
> Has anyone seen this?
>
> If I use
>
>   unix password sync = Yes
>   passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>   passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
>
> instead of "ldap passwd sync", what access control do I have to add to
> the slapd.conf file?
>
> Thank you very much for your help!
>
> John

I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel 2.6.9-42.0.2.
John Du
2009-May-02 03:30 UTC
[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded
David Markey wrote:
> John Du wrote:
>> David Markey wrote:
>>> John Du wrote:
>>>> David Markey wrote:
>>>>> I would imagine that you'll need to re-jig your ACLs in slapd.conf.
>>>>>
>>>>> Please supply logs.
>>>>
>>>> Thank you very much.
>>>>
>>>> I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
>>>> and UNIX password. If the problem is ACL related, wouldn't I have the
>>>> same problem with this tool?
>>>>
>>>> When Samba changes passwords, does the process run as root or as the
>>>> user making the password change?
>>>
>>> If you're using smbldap-passwd and unix password sync, it's done as
>>> root. ldap passwd sync is done as the LDAP DN that you've configured in
>>> smb.conf. It's much preferable to use ldap passwd sync.
>>
>> I did not make myself clear. When I say I can use smbldap-passwd to
>> change passwords, I mean I can run the tool from the command line as
>> root. If I use smbldap-passwd and unix passwd sync in smb.conf, I
>> get a "you do not have permission to change password" message when
>> attempting to change the password.
>>
>> So at this time I am still using ldap passwd sync in smb.conf, and that
>> is when it only changes the Windows password.
>>
>> Does the userPassword attribute require a different ACL than
>> sambaNTPassword? Also, the DN I put in smb.conf is the root DN of the
>> LDAP database.
>
> That is strange; LDAP password updates are done via EXOP. Have you
> defined a password hash in slapd.conf?
>
> Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf.
> Let us see some logs, smb.conf and maybe slapd.conf, and perhaps slapd logs.

My thanks to David and all who have responded to my questions. I have identified where and what the problem is, but I am not sure whether it is a Samba problem or an OpenLDAP problem. I am trying to give you a clear picture.

1. unix passwd sync works perfectly.

I replaced "ldap passwd sync = Yes" with:

  unix password sync = Yes
  passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
  passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n"

No changes on the OpenLDAP side. Users can change their Windows and LDAP password correctly all the time.

2. ldap passwd sync = Yes does not change the LDAP password, but it changes the Windows password OK.

2.1 OpenLDAP with some ACLs defined.

When the OpenLDAP server has some ACLs defined, the Samba server logs the following:

  [2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
    ldap password change requested, but LDAP server does not support it -- ignoring

The LDAP password is not changed.

2.2 When no ACLs are defined in slapd.conf:

  [2009/04/30 23:43:03, 10] lib/smbldap.c:smbldap_extended_operation(1525)
    Extended operation failed with error: 80 (Internal (implementation specific) error) (password hash failed)
  [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
    ldapsam_modify_entry: LDAP Password could not be changed for user johndu: Internal (implementation specific) error
    password hash failed

The hash is defined in slapd.conf as follows:

  password-hash {CRYPT}
  password-crypt-salt-format $1$%.2s

The Windows user will get a "the user name or old password is incorrect" message in this case.

The LDAP root DN is used all the time everywhere.

I can mail the complete log files to you if they can help you determine the cause of the problem. There seem to be some compatibility issues between the LDAP server and the Samba server. Logically, I think if the IDEALX tool works, the Samba server's internal LDAP functions should work as well.

Let me know if you need any further information from me.

I wish you all a good weekend!

John
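An added worked example, not code from the thread, from Samba or from OpenLDAP, to make the two log messages in the last post concrete. Samba's "ldap passwd sync" goes through the LDAP Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1). Before sending it, Samba checks whether that OID appears in the rootDSE's supportedExtension list; if it cannot see it, it logs "LDAP server does not support it -- ignoring" and skips the change. When the EXOP is sent and slapd cannot hash the new value, the ExtendedResponse carries resultCode 80 (other) with the diagnostic "password hash failed", which is what the second log excerpt shows. The script below does the same supportedExtension check against a constructed rootDSE LDIF, BER-encodes the request a client sends, and decodes a constructed ExtendedResponse shaped like the failure in the thread. The DN, passwords and the LDIF are placeholders, not data from the poster's server.

```python
import re

# RFC 3062 Password Modify extended operation, which Samba's "ldap passwd sync" uses.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# LDAP result codes that typically show up when this EXOP fails (RFC 4511, Appendix A).
RESULT_CODE_NAMES = {
    0: "success",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    80: "other",   # slapd reports "password hash failed" under this code
}

# Constructed rootDSE answer, in the shape that
#   ldapsearch -x -b "" -s base supportedExtension
# prints. Not captured from the poster's server.
ROOTDSE_LDIF = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
"""


def server_supports_passwd_modify(ldif: str) -> bool:
    """Same test Samba applies before trying the EXOP: is the OID advertised?"""
    oids = re.findall(r"^supportedExtension:\s*(\S+)", ldif, re.M)
    return PASSWD_MODIFY_OID in oids


# --- minimal BER helpers -------------------------------------------------

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    # Non-negative INTEGER contents, minimal length with a clear sign bit.
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the request a client sends ------------------------------------------

def passwd_modify_request(msg_id: int, user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName, requestValue } }."""
    value = _tlv(0x30,                                   # PasswdModifyRequestValue SEQUENCE
                 _tlv(0x80, user_dn.encode("utf-8")) +   # userIdentity [0]
                 _tlv(0x81, old_pw.encode("utf-8")) +    # oldPasswd    [1]
                 _tlv(0x82, new_pw.encode("utf-8")))     # newPasswd    [2]
    ext_req = _tlv(0x77,                                 # [APPLICATION 23] ExtendedRequest
                   _tlv(0x80, PASSWD_MODIFY_OID.encode("ascii")) +  # requestName  [0]
                   _tlv(0x81, value))                                # requestValue [1]
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + ext_req)


# --- the response seen in the thread -------------------------------------

def sample_failure_response(msg_id: int) -> bytes:
    """Constructed ExtendedResponse shaped like the thread's failure: code 80, 'password hash failed'."""
    ldap_result = (_tlv(0x0A, _ber_int(80)) +            # resultCode ENUMERATED
                   _tlv(0x04, b"") +                      # matchedDN
                   _tlv(0x04, b"password hash failed"))   # diagnosticMessage
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x78, ldap_result))  # [APPLICATION 24]


def parse_extended_response(msg: bytes) -> dict:
    """Return messageID, resultCode (with its name) and diagnosticMessage from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    code = int.from_bytes(code, "big")
    return {
        "messageID": int.from_bytes(mid, "big"),
        "resultCode": code,
        "resultName": RESULT_CODE_NAMES.get(code, "unknown"),
        "matchedDN": matched.decode("utf-8"),
        "diagnosticMessage": diag.decode("utf-8"),
    }


if __name__ == "__main__":
    print("server advertises Password Modify:", server_supports_passwd_modify(ROOTDSE_LDIF))
    req = passwd_modify_request(3, "uid=johndu,ou=People,dc=example,dc=com", "OldPassw0rd", "NewPassw0rd")
    print("request:", req.hex())
    print("response:", parse_extended_response(sample_failure_response(3)))
```

The practical check this suggests: bind as the exact DN from smb.conf and run the rootDSE query (ldapsearch -x -D "<ldap admin dn>" -W -b "" -s base supportedExtension). If the supportedExtension attribute does not come back under that bind, Samba cannot see the OID either, and that is the path that produces the "does not support it" message; if it does come back and the EXOP still fails with code 80, the problem is on the slapd side of the hashing step, which is where the password-hash and password-crypt-salt-format settings come into play.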