Gaiseric Vandal
2009-Sep-23 00:59 UTC
[Samba] After migrating users to ldap, passwords still stored in passdb.tdb
I am running Samba ver 3.0.33 on Solaris 10 (sparc). Initially I had the server configured as a domain controller with the "passdb backend = tdbsam" option. The underlying unix accounts were stored in LDAP (Sun Directory Server). Those accounts are also used for non-Samba services.

Since I have domain trusts with NT domains, I am using winbind and idmapping. The idmap data was also stored in ldap (under ou=idmap,ou=mydomain.com).

Since I wanted to eventually add a BDC, I changed my PDC configuration to use the LDAP backend with the following steps:

  - Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com" - but that didn't seem to work.
  - Used "pdbedit -L -w" to dump the NT account info to a text file.
  - Ran some custom perl scripts to read that file and add/modify samba attributes (including sambaLMPassword, sambaNTPassword, objectClass=NTUser, sambaSID) on my ldap accounts. The sambaSID value for the LDAP account was copied from the output of "wbinfo -n username".
  - Set the ldap admin passwd with "smbpasswd -w thepassword".
  - Changed smb.conf to use ldap as the backend.

smb.conf includes

    passdb backend = ldapsam:ldap://ldap1.mydomain.com
    ldap suffix=o=mydomain.com
    ldap user suffix=ou=people
    ldap group suffix=ou=smb_groups
    ldap machine suffix=ou=machines
    ldap admin dn="cn=Directory Manager"
    ldap ssl = no
    ldap passwd sync = no
    ldap idmap suffix=ou=idmap

If I use pdbedit to add or delete a samba user, it will appropriately add or remove samba attributes to the existing ldap account. (It won't actually create or delete the accounts.) And it does look like it tries to set the sambaNTPassword and sambaLMPassword fields. However, when I try to login, I cannot login until I reset the password with smbpasswd. And when I change the password with smbpasswd it does not update the ldap fields. I am not sure what is getting updated.
The /etc/samba/private/passdb.tdb file - which I would expect to never change - shows that it was modified last at 10 am this morning, even though the last password change was at 3 pm this afternoon.

    ls - /etc/samba/private/passdb.tdb
    Sep 22 10:10 passdb.tdb

I had unix password sync enabled in smb.conf so that when users changed password with smbpasswd, it would also change the ldap password. And this did work - at least from the user perspective - both the "Samba/Windows" and "LDAP/UNIX" password would change. Although where the Samba password was being changed I am not sure.

If I turn it off, it looks like smbpasswd will update the sambaNTPassword field in ldap. So is Samba caching the password changes somewhere locally if it can't update the sambaNTPassword in ldap? Even prior to the LDAP switch over, it seemed that the date stamp on passdb.tdb didn't update when I changed passwords.

Thanks
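The "dump with pdbedit -L -w, then push Samba attributes into existing LDAP entries" step the post describes, as an added example; this is not the poster's perl and not Samba code. It parses smbpasswd-format lines (the layout `pdbedit -L -w` prints: user:uid:LMHASH:NTHASH:[flags]:LCT-hex:) and emits LDIF modify records that add the Samba 3 schema attributes (objectClass sambaSamAccount, sambaSID, sambaAcctFlags, sambaPwdLastSet and the two hashes) to an existing uid=<user> entry under the ldap user suffix. The sample lines, the domain SID, the user-to-SID map standing in for `wbinfo -n` output and the user suffix are all constructed here; when a user is missing from the map the script falls back to Samba's default algorithmic RID (2*uid + 1000), which is an assumption about how the site's idmap was laid out.

```python
"""Convert smbpasswd-format lines (what `pdbedit -L -w` prints) into LDIF.

Added example, not code from the original thread or from Samba. It assumes the
Samba 3 LDAP schema (objectClass sambaSamAccount) and that a POSIX entry
uid=<user>,<user suffix> already exists, so the LDIF only *adds* Samba
attributes to it instead of creating accounts.
"""
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample input, not real output from the poster's server.
# Field layout: user:uid:LMHASH:NTHASH:[flags]:LCT-<hex seconds since epoch>:
# An X-filled hash field means "no hash stored"; flags: U=user, D=disabled, N=no password.
SAMPLE = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4AB8D3C0:
svc-backup:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
"""

# Constructed: the domain SID, a user->SID map standing in for `wbinfo -n`
# output, and the DN the post's "ldap user suffix" + "ldap suffix" resolve to.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_MAP = {"svc-backup": DOMAIN_SID + "-1050"}
USER_SUFFIX = "ou=people,o=mydomain.com"


def _hash_or_none(field):
    """Return a 32-hex-digit hash, or None for X-filled / 'NO PASSWORD' markers."""
    return field.upper() if HEX32.fullmatch(field) else None


def parse_smbpasswd_line(line):
    """Parse one smbpasswd-format line into a dict of account fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 5:
        raise ValueError(f"not an smbpasswd line: {line!r}")
    user, uid, lm, nt, flags_raw = parts[:5]
    lct = parts[5] if len(parts) > 5 else ""
    return {
        "user": user,
        "uid": int(uid),
        "lm": _hash_or_none(lm),
        "nt": _hash_or_none(nt),
        "flags_raw": flags_raw,                       # kept verbatim for sambaAcctFlags
        "flags": set(flags_raw.strip("[]").replace(" ", "")),
        "pwd_last_set": int(lct[4:], 16) if lct.startswith("LCT-") else 0,
    }


def account_sid(domain_sid, uid, sid_map, user):
    """Prefer the SID winbind reported; otherwise Samba's default 2*uid+1000 RID (assumption)."""
    if user in sid_map:
        return sid_map[user]
    return f"{domain_sid}-{2 * uid + 1000}"


def to_ldif(acct, user_suffix, domain_sid, sid_map):
    """Build an LDIF 'changetype: modify' record adding Samba attributes to an existing entry."""
    mods = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", account_sid(domain_sid, acct["uid"], sid_map, acct["user"])),
        ("sambaAcctFlags", acct["flags_raw"]),
        ("sambaPwdLastSet", str(acct["pwd_last_set"])),
    ]
    # Accounts flagged N (no password) or with X-filled hashes get no hash attributes;
    # a disabled (D) account is still migrated, the flag travels with it.
    if "N" not in acct["flags"]:
        if acct["lm"]:
            mods.append(("sambaLMPassword", acct["lm"]))
        if acct["nt"]:
            mods.append(("sambaNTPassword", acct["nt"]))
    out = [f"dn: uid={acct['user']},{user_suffix}", "changetype: modify"]
    for attr, value in mods:
        out += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


def convert(text, user_suffix, domain_sid, sid_map):
    """Convert a whole smbpasswd-format dump into one LDIF document."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            records.append(to_ldif(parse_smbpasswd_line(line), user_suffix, domain_sid, sid_map))
    return "\n".join(records)


if __name__ == "__main__":
    print(convert(SAMPLE, USER_SUFFIX, DOMAIN_SID, SID_MAP))
```

The resulting LDIF would be fed to `ldapmodify` against the directory. Both hash fields are password-equivalent credentials (an NT hash is enough to authenticate as the user), so the dump file and the LDIF deserve the same handling as passdb.tdb itself, and the modify should go over a TLS-protected connection rather than the plaintext bind that `ldap ssl = no` implies.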
Gaiseric Vandal
2009-Oct-09 20:48 UTC
[Samba] After migrating users to ldap, passwords still stored in passdb.tdb
Apparently I forgot to restart samba after making the backend change. Also, the pdbedit command did not import samba info for all accounts. Which means that after I restarted samba some people (and machines) could not login. However, I could use "pdbedit -Lv" and "pdbedit -Lw" in conjunction with the old smb.conf file to extract the user SID and NTpassword entries.

On Tue, Sep 22, 2009 at 8:59 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> I am running Samba ver 3.0.33 on Solaris 10 (sparc). Initially I had
> the server configured as a domain controller with the "passdb backend
> = tdbsam" option. The underlying unix accounts were stored in LDAP
> (Sun Directory Server). Those accounts are also used for non-Samba
> services.
>
> Since I have domain trusts with NT domains, I am using winbind and
> idmapping. The idmap data was also stored in ldap (under
> ou=idmap,ou=mydomain.com).
>
> Since I wanted to eventually add a BDC, I changed
> my PDC configuration to use the LDAP backend with the following steps:
>   Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com" -
> but that didn't seem to work.
>
>   Used "pdbedit -L -w" to dump the NT account info to a text file
>   Ran some custom perl scripts to read that file and
> add/modify samba attributes (including sambaLMPassword,
> sambaNTPassword, objectClass=NTUser, sambaSID) on my ldap accounts.
>   The sambaSID value for the LDAP account was copied from the
> output of "wbinfo -n username"
>   Set the ldap admin passwd with "smbpasswd -w thepassword"
>   Changed smb.conf to use ldap as the backend
>
>
> smb.conf includes
>
>       passdb backend = ldapsam:ldap://ldap1.mydomain.com
>       ldap suffix=o=mydomain.com
>       ldap user suffix=ou=people
>       ldap group suffix=ou=smb_groups
>       ldap machine suffix=ou=machines
>       ldap admin dn="cn=Directory Manager"
>       ldap ssl = no
>       ldap passwd sync = no
>       ldap idmap suffix=ou=idmap
>
>
>
>
> If I use pdbedit to add or delete a samba user, it will appropriately
> add or remove samba attributes to the existing ldap account. (It
> won't actually create or delete the accounts.) And it does look
> like it tries to set the sambaNTPassword and sambaLMPassword fields.
> However, when I try to login, I cannot login until I reset the
> password with smbpasswd. And when I change the password with
> smbpasswd it does not update the ldap fields. I am not sure
> what is getting updated.
>
> The /etc/samba/private/passdb.tdb file - which I would expect to
> never change - shows that it was modified last at 10 am this morning,
> even though the last password change was at 3 pm this afternoon.
>
> ls - /etc/samba/private/passdb.tdb
> Sep 22 10:10 passdb.tdb
>
>
> I had unix password sync enabled in smb.conf so that when users
> changed password with smbpasswd, it would also change the ldap
> password. And this did work - at least from the user perspective -
> both the "Samba/Windows" and "LDAP/UNIX" password would change.
> Although where the Samba password was being changed I am not sure.
>
> If I turn it off, it looks like smbpasswd will update the
> sambaNTPassword field in ldap. So is Samba caching the password
> changes somewhere locally if it can't update the sambaNTPassword in
> ldap? Even prior to the LDAP switch over, it seemed that the date
> stamp on passdb.tdb didn't update when I changed passwords.
>
> Thanks
>