search for: sambapasswordhistory

We would like to have password history working in our setup which is samba with Sun Directory Services 7.0 on the backend. Everything else seems to be working ok, but I notice that the sambapasswordhistory entry for any particular user is filled with 0's. If I set the password for the account, then it's 16 0's, followed by a copy of the password hash, and the rest 0's. If I change the password to something else, the history entry stays the same. If I change the password back to the...

I installed samba 3.0.6 today. I had to upgrade samba.schema in openldap as well to include sambaPasswordHistory and sambaLoginTime, otherwise certain things would not work (e.g. smbpasswd or users changing passwords) openldap failed to start because both attributes have the same OID, ...2.1.50. In order to get started anyway, I changed the sambaPasswordHistory OID to ...2.1.52 (which, in my schema, is yet u...

Hello samba users, Samba 3.0.6 comes with new samba.schema with new attributies but attributetype sambaPasswordHistory have the same OID with attributetype sambaLogonHours and slapd failed to start attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) attributet...

I am trying to turn on password history using an ldap backend. I can see the sambaPasswordHistory entry set to all "0"s in Ldap. I tried to turn on password history with pdbedit -P "password history" -C 3 and get back that it was set: [root]# pdbedit -P "password history" account policy value for password history is 3 However, when I try to reset a user passwo...

...ot; on a windows client, however i was getting errors saying i didnt have permission even tho sambaPwdCanChange was set to 1, so i looked in the log.smb and found the error was a object class violation. Then i looked at my LDAP error logs and found samba was trying to update an antribute called sambaPasswordHistory which didnt exist in the schema, i added the atrribute with syntax "binary" and now i can change passwords :) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN 'user defined' ) then made...

...ys old. Please type a different password. Type a password that meets these requirements in both text boxes." Where is this text/requirement list coming from? And, how can I configure Samba such that it returns the desired errors (above) to the user? In the same vein, instead of having the sambaPasswordHistory attribute in LDAP reflect the old hashed passwords, I just get one entry which reads: sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000 I would very much appreciate any advice you folks might be able to offer. Thanks, Ryan

...e sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount sambabadpasswordtime sambapasswordhistory modifyTimestamp sambalogonhours modifyTimestamp" [16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0 [16/Nov/2004:10:36:50 -0500] conn=158 op=-1 msgId=-1 - fd=59 slot=59 LDAP connection from 172.16.59.205 to 172.16.59.50 [16/Nov/2004:10:36:50 -0500]...

...opensuse13, samba 4.1.16 + bind, full sync (ad/gpo/netlogon), ~1k users, ~700 computers. We migrated to samba4 from the classic samba3/ldap backend without any big issue. We have the possibility to reset the password to the default one using a web form. On samba3/ldap we used the attribute "sambaPasswordHistory" to store this default password and restore it on request. This default password is stored as plaintext. How can I do this in Samba4 and AD schema? I digged a little bit in password history in AD but the comparison is done with hashes. I don't want to store this in a third party datab...

...ffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp conn=327 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= # #conn=328 is made via nss_ldap # conn=328 fd=27 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi) conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" method=128 conn=3...

...ime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]: <= bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1090 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]: conn=1090 op=13 SRCH base="dc=mydomain" s...

...erson > entryUUID: fdc5834c-f9da-1029-8b52-823807df0058 > creatorsName: cn=Manager,dc=capriolobike,dc=com > createTimestamp: 20051205130127Z > sambaPwdCanChange: 1133787703 > sambaLMPassword: 8540236CBC8AD7364207FD0DF35A59A8 > sambaNTPassword: 8F82C6BCFD826B95532C25AA1A9C2DC5 > sambaPasswordHistory: > 00000000000000000000000000000000000000000000000000000000 > 00000000 > sambaPwdLastSet: 1133787703 > userPassword:: e1NNRDV9UVZmUjJhSWpxeDlzMFVwOU11QTcyV1lIdWdzPQ== > entryCSN: 20051205130143Z#000002#00#000000 > modifiersName: cn=Manager,dc=capriolobike,dc=com > modifyTimesta...

...e sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Mar 18 17:08:50 mastok slapd[5569]: conn=131 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Mar 18 17:09:00 mastok slapd[5569]: conn=131 fd=8 closed Mar 18 17:09:01 mastok slapd[5569]: conn=132 fd=8 ACCEPT from IP=127.0.0.1:33004 (IP=0.0.0.0:389...

...ibutetype > grep 1.3.6.1.4.1.7165.2.1.50 /usr/local/etc/openldap/schema/* /usr/local/etc/openldap/schema/samba.schema.new:attributetype ( 1.3.6.1.4.1.7165 .2.1.50 NAME 'sambaLogonHours' /usr/local/etc/openldap/schema/samba.schema.new:attributetype ( 1.3.6.1.4.1.7165 .2.1.50 NAME 'sambaPasswordHistory' Does anyone happen to know, which of those is wrong and to what value it should be changed? Thanks in advance, Alexei.

...the case when passwords could no longer be changed... Searching the web revealed that the only thing to do was to "copy over samba.schema" and everything would be fine. So I backed up the previous copy of samba.schema, copied the new version over (and I see it contains the definition for sambaPasswordHistory, which is what I need) and then restarted openldap. When I browse the directory, however, I don't see the that the changes appear to have taken hold. Nor can I edit a user entry directly to add the attribute. Do I need to perform some sort of compilation on the schemas before restarting openld...

...for every user because I don't know their passwords. What could be the solution to convert all my ldap users as samba users? Simply adding the corresponding objectClass and samba attributes to the users ldap entries would be enough? If this is true, what value should I use for sambaNTPassword, sambaPasswordHistory, sambaSID, among other samba attributes? I hope some can help me a bit :( Thanks :)

..., ~1k users, ~700 computers. >> We migrated to samba4 from the classic samba3/ldap backend >> without any big issue. >> >> We have the possibility to reset the password to the default >> one using a web >> form. On samba3/ldap we used the attribute >> "sambaPasswordHistory" to store this >> default password and restore it on request. This default >> password is stored as >> plaintext. >> >> How can I do this in Samba4 and AD schema? I digged a little >> bit in password >> history in AD but the comparison is done with has...

...lass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: jslittl sn: jslittl uid: jslittl uidNumber: 1004 homeDirectory: /home/jslittl loginShell: /bin/bash gecos: System User sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008 description: domain admin sambaKickoffTime: 0 sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000 00000000 sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF sambaAcctFlags: [U ] gidNumber: 512 sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512 sambaPwdMustChange: 2147483647 sambaPwdCanChange: 111635839...

...00 sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-512 displayName: root sambaAcctFlags: [U ] objectClass: account objectClass: sambaSamAccount sambaPwdMustChange: 2147483647 sambaLMPassword: 63D2114DE42F744B30A84C4AFE5AFFFF sambaNTPassword: 5460FB29D247C383F63E1E3A417FC39B sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000 00000000 sambaPwdCanChange: 1118395221 sambaPwdLastSet: 1118395221 # win2k$, Computers, example.com dn: uid=win2k$,ou=Computers,dc=example,dc=com uid: win2k$ sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3022 sambaPrimaryGroupSID: S-...

...le,dc=com uid: ldap10 sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1012 objectClass: sambaSamAccount objectClass: account objectClass: posixAccount cn: ldap10 uidNumber: 10008 gidNumber: 10000 homeDirectory: /home/ldap10 loginShell: /bin/bash sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000 00000000 sambaPwdLastSet: 1457275169 sambaAcctFlags: [U ] and 'cat /etc/passwd | grep ldap10' returns nothing ?????? Rowland

Hi, I'm trying to use the sambaUserWorkstations option to allow users to log on certain computers only. This option looks great... In fact it looks now a lot better than the 'ldap filter' one than was deprecated with samba 3.0.20... The fact is, if the sambaUserWorkstations option works well with machine names, it doesn't seem to work when specifying groups of machines.