David Markey wrote:
2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
ldap password change requested, but LDAP server does not support it --
ignoring
1st, are the ldap libraries samba is compiled with the same as the ldap
server?
The LDAP libraries on the Samba server are OpenLDAP 2.2 while the LDAP
server is OpenLDAP 2.4 Are the 2.2 libraries supposed to work with
the 2.4 server?
2nd, possibly change
password-hash {CRYPT}
to
password-hash {SSHA}
im not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}
I will setup a test environment to further investigate the problem. I
do not want to mess up the production system. I'll update you with my
findings.
Thanks!
John Du wrote:
David Markey wrote:
John Du wrote:
David Markey wrote:
John Du wrote:
David Markey wrote:
I would imagine that you'll need to re-jig your ACLs in slapd.conf,
Please supply logs.
Thank you very much.
I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
and UNIX password. If the problem is ACL related, wouldn't I have the
same problem with this tool?
When samba changes passwords, does the process run as root or as the
user making the passwords change?
If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.
I did not make myself clear. When I say I can use smbldap-passwd to
change password, I mean I can run the tool from the command line as
root. If I use smbldap-passwd and unix passwd sync in smb.conf, I
get a "you do not have permission to change password" message when
attempting to change password.
So at this time I am still using ldap passwd sync in smb.conf and that
is when it only changes the Windows password.
Does the userPassword attribute require different ACL than
sambaNTPassword? Also the dn I put in smb.conf is the root DN of the
LDAP database.
That is strange, LDAP password updates are done via EXOP, have you
defined a password hash in slapd.conf?
Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf,
Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.
My thanks to David and all who have responded to my questions. I have
identified where and what the problem is but I am not sure it is a
Samba problem or OpenLDAP problem.
I am trying to give you a clear picture.
1. unix passwd sync works perfectly.
I replaced "ldap passwd sync = Yes" with:
unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" %n\n
"*Retype new password*" %n\n"
No changes on the OpenLDAP side. Users can change their Windows and
LDAP password correctly all the time.
2. ldap passwd sync = Yes does not change the LDAP password but it
changes the Windows password OK.
2.1 OpenLDAP with some ACLs defined.
When the OpenLDAP server has some ACLs defined, the samba server
logs the following:
2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
ldap password change requested, but LDAP server does not support it
-- ignoring
The LDAP password is not changed.
2.2 When no ACLs are defined in slapd.conf.
[2009/04/30 23:43:03, 10]
lib/smbldap.c:smbldap_extended_operation(1525)
Extended operation failed with error: 80 (Internal (implementation
specific) error) (password hash failed)
[2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
ldapsam_modify_entry: LDAP Password could not be changed for user
johndu: Internal (implementation specific) error
password hash failed
Hash is defined in slapd.conf as follows:
password-hash {CRYPT}
password-crypt-salt-format $1$%.2s
The Windows user will get a "the user name or old password is
incorrect" message in this case.
The LDAP root DN is used all the time everywhere.
I can mail the complete log files to you if they can help you to
determine the cause of the problem. There seems to be some
compatibility issues between the LDAP server and the Samba server.
Logically I think if the IDEALX tool works the samba server's internal
LDAP functions should work as well.
Let me know if you any further information from me.
Wish you all to have a good weekend!
John
Thanks!
Thanks again.
John Du wrote:
John Du wrote:
Hi,
I have been running Samba with OpenLDAP for a few years. We
recently
upgrade the OpenLDAP server from 2.2.13 to 2.4.11.
When users change their passwords now, only the Windows password is
changed the UNIX password is not changed anymore. Samba server does
not log any errors The samba configuration file did not change
when
the LDAP server was upgraded.
I do have "ldap passwd sync =Yes" in smb.conf and it used to work
fine.
Has anyone seen this?
If I use
unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
new password*" %n\n"
instead of "ldappasswd sync", what access control do I have to
add to
the slapd.conf file?
Thank you very much for your help!
John
I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel
2.6.9-42.0.2.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
