Hello List

I am working on upgrading an older Samba 3.0.16 setup that uses
openldap as its back-end for passwords and users.
I built a clone of our setup using CentOS 5.6 and Openldap 2.4.20,
with Samba 3.6.1.

My issue.

After successfully building and installing Samba, users can not
authenticate to the server. They are prompted with errors about
needing to change their password.

Looking at my user info on the samba server I see the following issue.

# pdbedit -vu msaad
Unix username: msaad
NT username: msaad
Account Flags: [U ]
User SID: S-1-5-21-64374432-364290046-3597965222-2970
Primary Group SID: S-1-5-21-3988802677-3356876598-2018608366-513
Full Name: Mark Saad
Home Directory: \\nycifs3\msaad
HomeDir Drive:
Logon Script:
Profile Path: \\nycifs3\msaad\profile
Domain: NYCIFS3
Account desc: hardluck
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Thu, 01 Jan 1970 00:00:10 GMT
Password can change: Thu, 01 Jan 1970 00:00:10 GMT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So I tried to set the max password age to -1

# pdbedit -P "maximum password age" -C -1
valid account policy, but unable to fetch value!
account policy "maximum password age" description: Maximum password
age, in seconds (default: -1 => never expire passwords)
account policy "maximum password age" value was: 4294967295
valid account policy, but unable to set value!

Does anyone know what the root issue is?

--
mark saad | nonesuch at longcount.org

From: Mark Saad <nonesuch at longcount.org>
Date: Tue, 27 Dec 2011 11:03:53 -0500

> I am working on upgrading a older Samba 3.0.16 setup that uses
> openldap as its back-end for passwords and users.
> I built a clone of our setup using CentOS 5.6 and Openldap 2.4.20 ,
> with Samba 3.6.1 .
>
> My issue.
>
> After successfully building and install Samba users can not
> authenticate to the server. They are prompted with errors about
> Needing to change their password.

(snip)

> So I tried to set the max password age to -1
>
> # pdbedit -P "maximum password age" -C -1
> valid account policy, but unable to fetch value!
> account policy "maximum password age" description: Maximum password
> age, in seconds (default: -1 => never expire passwords)
> account policy "maximum password age" value was: 4294967295
> valid account policy, but unable to set value!
>
> Does anyone know what the root issue is ?

After Samba 3.0.21, those policies are stored in LDAP, but before
3.0.21, they were always stored in a local tdb file.

I guess that you have to manually create those account policies on
your LDAP directory.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

On Tue, Dec 27, 2011 at 11:54 AM, TAKAHASHI Motonobu <monyo at monyo.com> wrote:
> From: Mark Saad <nonesuch at longcount.org>
> Date: Tue, 27 Dec 2011 11:03:53 -0500
>
>> I am working on upgrading a older Samba 3.0.16 setup that uses
>> openldap as its back-end for passwords and users.
>> I built a clone of our setup using CentOS 5.6 and Openldap 2.4.20 ,
>> with Samba 3.6.1 .
>>
>> My issue.
>>
>> After successfully building and install Samba users can not
>> authenticate to the server. They are prompted with errors about
>> Needing to change their password.
> (snip)
>
>> So I tried to set the max password age to -1
>>
>> # pdbedit -P "maximum password age" -C -1
>> valid account policy, but unable to fetch value!
>> account policy "maximum password age" description: Maximum password
>> age, in seconds (default: -1 => never expire passwords)
>> account policy "maximum password age" value was: 4294967295
>> valid account policy, but unable to set value!
>>
>> Does anyone know what the root issue is ?
>
> After Samba 3.0.21, those policies are stored in LDAP, but before
> 3.0.21, they were always stored in local tdb file.
>
> I guess that you have to manually create those account policies on
> your LDAP directory.

Do you know if there was anything created to migrate the tdb files to ldap ?

>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>

--
mark saad | nonesuch at longcount.org