Hi everybody,

I think I need a samba guru to solve this issue, because googling for months did not help and the problem is becoming pressing. I'm facing an annoying problem with samba. In detail, there is something wrong with the password handling. It happens from Windows, Mac or Linux clients. Randomly (probably after $num days), the system asks the user to change the password. After the user has done it, the system keeps asking the same, in a sort of loop. The only option to change it is to manually go to the console and issue the command "smbldap-passwd username".

My system:

ubuntu lucid 32 bit

smb.conf

----cut---
[global]
idmap uid = 1000-15000
idmap gid = 1000-15000

workgroup = PORTAVITA

netbios name = PSAMBA

domain logons = Yes
domain master = Yes
wins support = true
obey pam restrictions = Yes
dns proxy = No

log level = 2
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes

passdb backend = ldapsam:ldap://localhost

ldap suffix = dc=pdc

ldap admin dn = cn=admin,dc=pdc

ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap

ldap ssl = no

add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u

#those scripts are modified so we can create groups also on the system
add group script = /usr/sbin/addgroupldap-system '%g'
delete group script = /usr/sbin/delgroupldap-system '%g'
add user to group script = /usr/sbin/add-user-to-group-ldap-system '%u' '%g'
delete user from group script = /usr/sbin/del-user-to-group-ldap-system -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon drive
logon home
logon path
logon script = users/login.bat
server signing = auto
server schannel = Auto
nt acl support = yes

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No
logon script = login.bat

[Software]
comment = Software Folder
path = /share/software
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users = guest123

[progr]
comment = Prog Folder
path = /share/prog
create mask = 0777
directory mask = 0777
read only = no
writable = yes
browsable = yes
invalid users = guest123
----cut----

Samba version from package is 3.4.7

ldapadd -V
ldapadd: @(#) $OpenLDAP: ldapmodify 2.4.21 (Aug 10 2010 17:07:36) $
buildd at rothera:/build/buildd/openldap-2.4.21/debian/build/clients/tools
(LDAP library: OpenLDAP 20421)
SASL/DIGEST-MD5 authentication started

Any help or suggestion is strongly appreciated.

Regards,

Fabio
Use pdbedit or your web-based LDAP manager to update the account flags to [UX]. Document the previous value before changing the flags. Use smbldap-tools to update the expire time. If none of this fixes it, post an LDIF of an affected user account, as well as all the info from smbldap-tools about said user.

On 6/16/2011 06:39, Fabio Pardi wrote:
> Hi everybody,
>
> I think I need a samba guru to solve this issue, because googling for
> months did not help and the problem is becoming pressing.
> I'm facing an annoying problem with samba. In detail, there is something
> wrong with the password handling. It happens from Windows, Mac or Linux
> clients.
> Randomly (probably after $num days), the system asks the user to
> change the password. After the user has done it, the system keeps asking the
> same, in a sort of loop.
> The only option to change it is to manually go to the console and issue
> the command "smbldap-passwd username".
>
> My system:
>
> ubuntu lucid 32 bit
>
> smb.conf
>
> [...]
>
> Samba version from package is 3.4.7
>
> [...]
>
> Any help or suggestion is strongly appreciated.
>
> Regards,
>
> Fabio
Hi Dermot,

thanks for your reply. Here below you have the output; nothing strange to my eyes, but maybe (hopefully) you know more:

pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 0
---
pdbedit -P "maximum password age"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295
---
pdbedit -P "min password length"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "min password length" description: Minimal password length (default: 5)
account policy "min password length" value is: 5
---
pdbedit -P "lockout duration"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 30
---
pdbedit -P "password history"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "password history" description: Length of Password History Entries (default: 0 => off)
account policy "password history" value is: 0
----
pdbedit -P "user must logon to change password"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "user must logon to change password" description: Force Users to logon for password change (default: 0 => off, 2 => on)
account policy "user must logon to change password" value is: 0
-----
pdbedit -P "disconnect time"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "disconnect time" description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
account policy "disconnect time" value is: 4294967295
------
pdbedit -P "minimum password age"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "minimum password age" description: Minimal password age, in seconds (default: 0 => allow immediate password change)
account policy "minimum password age" value is: 0
---
pdbedit -P "reset count minutes"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "reset count minutes" description: Reset time after lockout in minutes (default: 30)
account policy "reset count minutes" value is: 30
---

Then I tried:

15:38 root at pdc-portavita:~# pdbedit -P "maximum password age" -C -1
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(XXXXXXXXXXXXXXXX))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 4294967295
account policy "maximum password age" value is now: 4294967295

(4294967295 seconds that means 131 years and some days)
------

On Mon, 2011-07-04 at 21:21 +0100, Dermot wrote:
> On 4 July 2011 16:37, Fabio Pardi <f.pardi at portavita.eu> wrote:
>
>> nobody to help?
>
> I'm just throwing out ideas here. What is the output from pdbedit -P for
> all these policies: minimum password age, reset count minutes,
> disconnect time, user must logon to change password, password history,
> lockout duration, min password length, maximum password age and bad
> lockout attempt.
>
> Perhaps there are clues there.
> Dp.
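An offline check that ties Dermot's advice (look at the account flags and the expiry time before touching them) to the pdbedit -P output above. This is an added example, not code from anyone in this thread or from the Samba project. It parses a constructed copy of the `pdbedit -P "maximum password age"` output and a constructed LDIF export of sambaSamAccount entries (the users alice, bob, carol and dave are hypothetical; the domain name PORTAVITA is assumed from the workgroup in the smb.conf), and classifies each user the way Samba 3 decides whether a password change is due, as I read its pass-must-change rule: sambaPwdLastSet of 0 forces a change at next logon, an X flag makes the account exempt, and a domain maximum age of 0 or 0xFFFFFFFF means never. That last point is the caveat for the `-C -1` attempt above: -1 is stored as an unsigned 32-bit value, so a reported 4294967295 is the "never expire" setting rather than a failed write. Run it against a real `ldapsearch -LLL` dump (LDIF lines with `::` base64 values are not handled here) to see which users Samba currently treats as must-change.

```python
"""Offline check of Samba 3 ldapsam password-expiry state (added example).

Reads constructed pdbedit -P output and a constructed LDIF export and
reports, per user, why Samba would or would not demand a password change.
"""
import re
import time

NEVER = 0xFFFFFFFF  # what pdbedit -C -1 stores: -1 as an unsigned 32-bit value

# Constructed sample of `pdbedit -P "maximum password age"` output (domain name assumed)
SAMPLE_PDBEDIT = """\
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PORTAVITA))]
smbldap_open_connection: connection opened
account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value is: 4294967295
"""

# Constructed LDIF with hypothetical users; not from the original post
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=pdc
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0

dn: uid=bob,ou=Users,dc=pdc
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [UX         ]
sambaPwdLastSet: 1300000000

dn: uid=carol,ou=Users,dc=pdc
objectClass: sambaSamAccount
uid: carol
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1300000000

dn: uid=dave,ou=Users,dc=pdc
objectClass: sambaSamAccount
uid: dave
sambaAcctFlags: [DU         ]
sambaPwdLastSet: 1300000000
"""

POLICY_RE = re.compile(r'account policy "([^"]+)" value is: (\d+)')


def parse_policies(text):
    """Return {policy name: int value} from pdbedit -P output (ignores the description lines)."""
    return {m.group(1): int(m.group(2)) for m in POLICY_RE.finditer(text)}


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]}; handles folded lines, not '::' base64."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:   # folded continuation
            current[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries


def password_state(entry, max_age, now):
    """Classify one sambaSamAccount in the order Samba 3 evaluates pass-must-change."""
    flags = entry.get("sambaAcctFlags", ["[U]"])[0]
    last_set = int(entry.get("sambaPwdLastSet", ["0"])[0])
    if "D" in flags:
        return "disabled"
    if last_set == 0:
        return "must-change"          # pwdLastSet 0: change forced at next logon
    if "X" in flags:
        return "never-expires"        # ACB_PWNOEXP wins over the domain policy
    if max_age in (0, NEVER):
        return "domain-never-expires" # -1 (stored 0xFFFFFFFF) or 0 disables ageing
    if now >= last_set + max_age:
        return "expired"
    return "ok"


def report(pdbedit_text, ldif_text, now=None):
    """Map uid -> state for every entry in the LDIF, using the domain's maximum password age."""
    now = int(time.time()) if now is None else now
    max_age = parse_policies(pdbedit_text).get("maximum password age", NEVER)
    return {e["uid"][0]: password_state(e, max_age, now) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for uid, state in sorted(report(SAMPLE_PDBEDIT, SAMPLE_LDIF).items()):
        print(f"{uid:10s} {state}")
```

With the domain age left at 4294967295, only alice (sambaPwdLastSet 0) is reported as must-change; if the same LDIF is evaluated with a 90-day domain age, carol flips to expired while bob stays exempt through the X flag. A user who keeps being asked to change the password even after the change is one whose sambaPwdLastSet is not being advanced, which is what the LDIF Dermot asked for would show.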