Sorry to self-reply, but I omitted an important detail: winbind cache
time is configured to be 0. Thus, I think the caching must likely be
happening in the smbd side.

BTW: If you're interested, you can visit
http://briefcase.yahoo.com/ldrivera; in the "My Documents" folder you
should find two files whose names are kinda self-explanatory: one for
RH 7.2, one for Mandrake 8.2.

These files contain all the configs I use to achieve password sync. An
explanatory document is there as well (README), so give that a read as
well.

Best

Diego

On Wed, 2002-11-27 at 13:31, Diego Rivera wrote:
> Hi all,
>
> I've run into what I believe to be a funky bug in Samba 2.2.7. Here's
> the scenario description (all Linux, all Samba 2.2.7, all same versions
> of LDAP software, etc.):
>
> Environment:
>   1 Samba PDC w/LDAP backend
>   2 Samba Clients joined to the PDC w/valid mach. accounts, etc.
>
> Clients are configured as follows:
>
>   - PAM auth and password changes are done using winbind through PDC
>     (thus affecting SSH, login, etc.)
>   - account info is fetched through LDAP (getent goes through LDAP)
>     (to avoid winbind non-deterministic uid assignments)
>
> PDC Server is configured as follows:
>
>   - PAM auth is done through LDAP
>   - account info is fetched through LDAP (getent goes through LDAP)
>   - Samba syncs passwords through PAM, which in turn updates LDAP
>     and /etc/shadow if applicable (pam_ldap, pam_unix)
>   - All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
>     if applicable (pam_unix) and Samba (pam_smbpass) (can't use
>     pam_winbind from the same machine which is a PDC)
>
> Here's the test Scenario:
>
>   1) All machines are up, passwords are "reset" (to initial, known
>      and controlled values)
>   2) Log in to both clients as a regular user using PASSWORD-1
>   3) use passwd to change the password on Client-1
>      - Authenticate using the active password (PASSWORD-1) when
>        asked to, and change to PASSWORD-2
>   4) use passwd to change the password on Client-2
>      - Authenticate using the active password (PASSWORD-2) when
>        asked to, and change to PASSWORD-3 (this one takes a while,
>        but is successful in the end)
>   5) logon to either client with PASSWORD-3 fails (this is WRONG,
>      as this is the last value set for the password in the PDC)
>   6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
>      as the last password value set in the PDC is PASSWORD-3)
>
>   **** BUT ****
>
>   7) Do one of:
>
>      - Re-start WINBIND on both clients
>      - Re-start Samba on the PDC
>
>   8) logon to either client now works with PASSWORD-3 (the correct
>      behavior)
>
> So, is WINBIND caching passwords? Maybe the Samba processes @ PDC?
> Maybe this is LDAP-related?
>
> Anybody want to track this down? Do you want me to produce logs? What
> settings should I use to produce logs that would be useful?
>
> I realize this is a kind of extreme example (i.e., in the real world,
> users will likely NOT be logged in to multiple machines AND changing
> their passwords in this manner).
>
> But still, we should kill bugs as they appear!
>
> Best
>
> Diego
>
> PS/ The PDC/PDC-client related conf's I've come up with are pretty much
> cookie-cutter by now, so I'm probably going to post them as an RPM
> somewhere with instructions. Using this, it's possible to achieve
> transparent password sync between Unix (LDAP) and Samba passwords (thus
> affecting Windows clients as well). I'll keep interested parties posted
> on this.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba