Hi everybody,
I think I need a samba guru to solve this issue, because googling for
months did not help and the problem is becoming pressing.
I'm facing an annoying problem with samba. In detail, there is something
wrong with the password handling. It happens from windows, mac or linux
clients.
Randomly (probably after $num days), the system asks the user to
change the password. After the user has done so, the system keeps asking the
same, in a sort of loop.
The only option to change it is to manually go on the console and issue
the command "smbldap-passwd username".
My system:
ubuntu lucid 32 bit
smb.conf
----cut---
[global]
idmap uid = 1000-15000
idmap gid = 1000-15000
workgroup = PORTAVITA
netbios name = PSAMBA
domain logons = Yes
domain master = Yes
wins support = true
obey pam restrictions = Yes
dns proxy = No
log level = 2
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=pdc
ldap admin dn = cn=admin,dc=pdc
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
#those scripts are modified so we can create groups also on the system
add group script = /usr/sbin/addgroupldap-system '%g'
delete group script = /usr/sbin/delgroupldap-system '%g'
add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
delete user from group script = /usr/sbin/del-user-to-group-ldap-system -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon drive
logon home
logon path
logon script = users/login.bat
server signing = auto
server schannel = Auto
nt acl support = yes
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No
logon script = login.bat
[Software]
comment = Software Folder
path = /share/software
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users =guest123
[progr]
comment = Prog Folder
path = /share/prog
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users =guest123
----cut----
samba version from package is 3.4.7
ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.4.21 (Aug 10 2010 17:07:36) $
buildd at rothera:/build/buildd/openldap-2.4.21/debian/build/clients/tools
(LDAP library: OpenLDAP 20421)
SASL/DIGEST-MD5 authentication started
Any help or suggestion is strongly appreciated.
Regards,
Fabio
Use pdbedit or your web-based LDAP manager to update the account flags to [UX]. Document the previous value before changing the flags. Use smbldap tools to update the expire time. If none of this fixes it, post an ldif of an affected user account, as well as all the info from smbldap-tools about said user.

On 6/16/2011 06:39, Fabio Pardi wrote:
> Hi everybody,
>
> I think I need a samba guru to solve this issue, because googling for
> months did not help and the problem is becoming pressing.
> I'm facing an annoying problem with samba. In detail, there is something
> wrong with the password handling. It happens from windows, mac or linux
> clients.
> Randomly (probably after $num days), the system asks the user to
> change the password. After the user has done so, the system keeps asking the
> same, in a sort of loop.
> The only option to change it is to manually go on the console and issue
> the command "smbldap-passwd username".
>
> My system:
>
> ubuntu lucid 32 bit
>
> smb.conf
>
> ----cut---
> [global]
> idmap uid = 1000-15000
> idmap gid = 1000-15000
>
> workgroup = PORTAVITA
>
> netbios name = PSAMBA
>
> domain logons = Yes
> domain master = Yes
> wins support = true
> obey pam restrictions = Yes
> dns proxy = No
>
> log level = 2
> os level = 35
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> pam password change = Yes
> # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
> unix password sync = no
> ldap passwd sync = yes
>
> passdb backend = ldapsam:ldap://localhost
>
> ldap suffix = dc=pdc
>
> ldap admin dn = cn=admin,dc=pdc
>
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
>
> ldap ssl = no
>
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
>
> #those scripts are modified so we can create groups also on the system
> add group script = /usr/sbin/addgroupldap-system '%g'
> delete group script = /usr/sbin/delgroupldap-system '%g'
> add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
> add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
> delete user from group script = /usr/sbin/del-user-to-group-ldap-system -x '%u' '%g'
>
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> logon drive
> logon home
> logon path
> logon script = users/login.bat
> server signing = auto
> server schannel = Auto
> nt acl support = yes
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> admin users = root
> guest ok = Yes
> browseable = No
> logon script = login.bat
>
> [Software]
> comment = Software Folder
> path = /share/software
> create mask = 0777
> directory mask = 0777
> read only = no
> writable = yes
> browsable = yes
> invalid users =guest123
>
> [progr]
> comment = Prog Folder
> path = /share/prog
> create mask = 0777
> directory mask = 0777
> read only = no
> writable = yes
> browsable = yes
> invalid users =guest123
>
> ----cut----
>
> samba version from package is 3.4.7
> ldapadd -V
> ldapadd: @(#) $OpenLDAP: ldapmodify 2.4.21 (Aug 10 2010 17:07:36) $
> buildd at rothera:/build/buildd/openldap-2.4.21/debian/build/clients/tools
> (LDAP library: OpenLDAP 20421)
> SASL/DIGEST-MD5 authentication started
>
> Any help or suggestion is strongly appreciated.
>
> Regards,
>
> Fabio
Hi Dermot,

Thanks for your reply. Here below you have the output; nothing strange to my eyes, but maybe (hopefully) you know more:

pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0
---
pdbedit -P "maximum password age"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295
---
pdbedit -P "min password length"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "min password length" description: Minimal password length (default: 5)
account policy "min password length" value is: 5
---
pdbedit -P "lockout duration"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30
---
pdbedit -P "password history"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "password history" description: Length of Password History Entries (default: 0 => off)
account policy "password history" value is: 0
----
pdbedit -P "user must logon to change password"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 0
-----
pdbedit -P "disconnect time"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "disconnect time" description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
account policy "disconnect time" value is: 4294967295
---
pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0
------
pdbedit -P "minimum password age"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0
---
pdbedit -P "reset count minutes"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "reset count minutes" description: Reset time after lockout in minutes (default: 30)
account policy "reset count minutes" value is: 30
---

Then I tried:

15:38 root at pdc-portavita:~# pdbedit -P "maximum password age" -C -1
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(XXXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 4294967295
account policy "maximum password age" value is now: 4294967295

(4294967295 seconds that means 131 years and some days)
------

On Mon, 2011-07-04 at 21:21 +0100, Dermot wrote:
> On 4 July 2011 16:37, Fabio Pardi <f.pardi at portavita.eu> wrote:
> >
> > nobody to help?
>
> I'm just throwing out ideas here. What is the output from pdbedit -P for
> all these policies: minimum password age, reset count minutes,
> disconnect time, user must logon to change password, password history,
> lockout duration, min password length, maximum password age and bad
> lockout attempt.
>
> Perhaps there are clues there.
> Dp.
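To make Dermot's two suggestions (check the account flags for X, and check the expiry time before changing it) and the pdbedit -P output above concrete, here is an added diagnostic script. It is not code from this thread or from the Samba project. It parses the `account policy "..." value is: N` lines that pdbedit prints, treats the unsigned 4294967295 as the stored -1 ("never"), reads a sambaSamAccount entry from an LDIF dump (attribute names sambaAcctFlags, sambaPwdLastSet and sambaPwdMustChange are from samba.schema), and reports whether the entry would still be flagged for a password change and which expiry-related attributes differ between a before and after dump. The expiry logic is a simplified model of the documented attribute meanings, not Samba's own code path; the user `alice`, the timestamps and the policy lines are constructed sample data.

```python
"""Diagnostic model of Samba 3 password-expiry state for an ldapsam user.

Added example; not code from the samba list thread or the Samba project.
Inputs are what a PDC admin already has: the text of 'pdbedit -P <policy>'
and an LDIF dump of one sambaSamAccount entry.  The expiry check is a
simplified model of the documented attribute semantics.
"""
import re

UINT32_MAX = 4294967295  # a policy stored as -1 is printed unsigned by pdbedit
POLICY_RE = re.compile(
    r'account policy "(?P<name>[^"]+)" value is(?: now)?: (?P<value>\d+)')


def parse_policies(pdbedit_output):
    """Map policy name -> int from pdbedit -P output; a later line overrides."""
    return {m["name"]: int(m["value"]) for m in POLICY_RE.finditer(pdbedit_output)}


def max_password_age(policies):
    """Seconds before a password expires, or None when the policy is 'never'
    (stored as -1, shown by pdbedit as 4294967295)."""
    age = policies.get("maximum password age")
    return None if age is None or age == UINT32_MAX else age


def parse_ldif(text):
    """Minimal parser for one LDIF entry: 'attr: value' lines; a folded
    continuation line (leading space) is appended to the previous value."""
    entry, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and key is not None:
            entry[key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        entry.setdefault(key, []).append(value.strip())
    return entry


def account_flags(entry):
    """Letters inside sambaAcctFlags, e.g. '[UX         ]' -> {'U', 'X'}."""
    return set(entry.get("sambaAcctFlags", ["[]"])[0].strip("[] "))


def password_change_required(entry, policies, now):
    """Return (required, reason) for the entry at Unix time `now`.
    Simplified model: X flag wins, then sambaPwdMustChange, then
    sambaPwdLastSet + 'maximum password age'."""
    if "X" in account_flags(entry):
        return False, "X flag set: password never expires"
    must_change = int(entry.get("sambaPwdMustChange", [str(UINT32_MAX)])[0])
    if must_change == 0:
        return True, "sambaPwdMustChange=0: change forced at next logon"
    if must_change != UINT32_MAX and must_change <= now:
        return True, f"sambaPwdMustChange ({must_change}) is in the past"
    last_set = int(entry.get("sambaPwdLastSet", ["0"])[0])
    age = max_password_age(policies)
    if age is not None and last_set + age <= now:
        return True, f"sambaPwdLastSet + maximum password age ({age}s) passed"
    return False, "password is current"


def expiry_diff(before, after):
    """Expiry-related attributes that changed between two LDIF dumps, so the
    previous values are on record before and after a manual fix."""
    watched = ("sambaAcctFlags", "sambaPwdLastSet",
               "sambaPwdMustChange", "sambaPwdCanChange")
    return {a: (before.get(a), after.get(a))
            for a in watched if before.get(a) != after.get(a)}


# --- constructed sample data (not taken from the thread) ---
SAMPLE_POLICIES = """\
account policy "maximum password age" value is: 4294967295
account policy "minimum password age" value is: 0
"""

# Constructed entry: sambaPwdLastSet moved forward after a password change,
# but sambaPwdMustChange was left in the past, so clients keep prompting.
STUCK_USER = """\
dn: uid=alice,ou=Users,dc=example
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1309700000
sambaPwdMustChange: 1300000000
"""

# Same entry with the must-change time pushed to a far-future value.
FIXED_USER = STUCK_USER.replace("sambaPwdMustChange: 1300000000",
                                "sambaPwdMustChange: 2147483647")

if __name__ == "__main__":
    now = 1309800000  # constructed 'current time' for the sample
    policies = parse_policies(SAMPLE_POLICIES)
    for label, ldif in (("stuck", STUCK_USER), ("fixed", FIXED_USER)):
        print(label, password_change_required(parse_ldif(ldif), policies, now))
    print(expiry_diff(parse_ldif(STUCK_USER), parse_ldif(FIXED_USER)))
```

Run it against a real dump by replacing `STUCK_USER` with the output of an `ldapsearch` for the affected uid and `SAMPLE_POLICIES` with the pasted pdbedit output; `expiry_diff` over a dump taken before and after `smbldap-passwd` shows which of the expiry attributes the password change actually touched.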