Hi Stephane,

That worked! No more password sync problems. I commented out the password program and the password chat on the BDCs. I tested the password change on an XP and a Win 98 several times, then checked the replicas. All the passwords are in sync, as well as the posix account passwords.

Thanks again,
Kent N

> Hi,
>
> I think simply that with the parameter ldap passwd sync, the passwd chat is not called.
> The only question I ask myself is: why change a passwd on a BDC? A BDC is a backup DC; if the PDC is down, a BDC can provide authentication.
>
> But you can modify the smb.conf of the BDC to
>
>     passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
>
> kent wrote:
>
>> Hi, thanks for getting back to me so fast.
>>
>> Stéphane_Purnelle <[EMAIL PROTECTED]> wrote:
>>
>> The LDAP server on 172.16.0.24 is the master ldap server, but in the smb.conf of the BDC the ldap server is on localhost. If the IP address of the BDC is 172.16.0.24, you must have no problem. Now, if different, you must configure ldap for replication, because changing a password on the PDC is not replicated to the BDC.
>>
>>> PDC: 172.16.0.13. However the master ldap server is on 172.16.0.24. We use LDAP for mail authentication as well as OpenGroupware etc. There is no local copy of the LDAP directory on the PDC. Everything including the operating system points to 172.16.0.24.
>>>
>>> All of the BDCs have replicas. I realize that authentication to a BDC on a subnet uses the pass backend, which in all of my BDCs is localhost. My problem with the BDCs is the password program that I believe is changing the LDAP replica on the BDC and not the PDC. So I end up with a password mismatch.
>>>
>>> If I disable the password chat on all BDCs, will password chat be passed on to the PDC?
>>>
>>> Thank you for your help.
>>>
>>> Kent N
>>
>> The BDC does not verify the password with the PDC, but with the passwd backend only.
>> You can disable these lines:
>>
>>     passwd program = /usr/bin/smbpasswd %u
>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>>
>> on the BDC.
>>
>> kent wrote:
>>
>>> Have you used the -r option for smbpasswd to connect to the PDC in smb.conf? Just wondering what the password chat would be. I can test it out and see what works.
>>>
>>> Kent N
>>>
>>> Bruno Guerreiro <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi there,
>>>> The best (only?) way to go is with an LDAP Master+slave architecture. All changes must be done at the LDAP Master server, which automatically replicates them to all slave ldap servers. So, yes, the BDC MUST talk to the PDC, or at least the master ldap server, to change the password.
>>>>
>>>> Best Regards.
>>>> Bruno Guerreiro
>>>>
>>>> -----Original Message-----
>>>> From: kent [mailto:[EMAIL PROTECTED]]
>>>> Sent: Wednesday, 31 August 2005 11:15
>>>> To: [EMAIL PROTECTED]; Samba
>>>> Subject: Re: [Samba] BDC and password change program
>>>>
>>>> Hello, How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and BerkeleyDB.
>>>>
>>>> Here is the smb.conf from one school that is a BDC:
>>>>
>>>>     [global]
>>>>     workgroup = WarehamPS
>>>>     encrypt passwords = Yes
>>>>     time offset = 60
>>>>     time server = Yes
>>>>     # log level = 5
>>>>     socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>     security = user
>>>>     username map = /etc/samba/smbusers
>>>>     logon script = whs1.bat
>>>>     writable = Yes
>>>>     interfaces = eth0 eth1
>>>>     directory mask = 02770
>>>>     preferred master = yes
>>>>     netbios name = whs1
>>>>     server string = Fedora Core 4 SAMBA server
>>>>     passdb backend = ldapsam:ldap://127.0.0.1
>>>>     ldap passwd sync = Yes
>>>>     machine password timeout = 604800
>>>>     passwd program = /usr/bin/smbpasswd %u
>>>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>>     log file = /var/log/samba/%m.log
>>>>     debug level = 2
>>>>     max log size = 50
>>>>     add machine script = /usr/sbin/addmachine.sh "%u"
>>>>     logon path =
>>>>     logon drive = H:
>>>>     logon home =
>>>>     domain logons = Yes
>>>>     os level = 64
>>>>     domain master = No
>>>>     dns proxy = no
>>>>     admin users = @domain_admins
>>>>     wins support = no
>>>>     wins server = 172.16.0.13
>>>>     wins proxy = yes
>>>>     local master = yes
>>>>     name resolve order = hosts wins bcast
>>>>     ldap suffix = dc=tow,dc=net
>>>>     ldap machine suffix = ou=Computers
>>>>     ldap user suffix = ou=Users
>>>>     ldap group suffix = ou=Groups
>>>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>>>     ldap ssl = no
>>>>
>>>>     [homes]
>>>>     comment = Home Directories
>>>>     read only = no
>>>>     browseable = no
>>>>     writable = yes
>>>>     path = %H
>>>>     # valid users = %S
>>>>
>>>>     [netlogon]
>>>>     root preexec = /accounts/netlogon/prelogon.pl %U
>>>>     path = /accounts/netlogon
>>>>     comment = Netlogon share
>>>>     locking = no
>>>>     browseable = yes
>>>>     valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>>>     read only = yes
>>>>     hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>>>     write list = @domain_admins
>>>>
>>>>     [staff]
>>>>     comment = Staff directory
>>>>     path = /accounts/common
>>>>     create mode = 0660
>>>>     browseable = no
>>>>     write list = @whsstaff
>>>>     valid users = @whsstaff
>>>>
>>>>     [programs]
>>>>     comment = Applications
>>>>     path = /accounts/programs
>>>>     browseable = no
>>>>     create mode = 0660
>>>>     write list = @whsstaff
>>>>     valid users = @whsstaff
>>>>
>>>>     [cafeteria]
>>>>     path = /accounts/cafeteria/data
>>>>     browseable = no
>>>>     valid users = @whs-cafe, dperry
>>>>     force group = whs-cafe
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>> Here is the smb.conf for the PDC:
>>>>
>>>>     [global]
>>>>     workgroup = WarehamPS
>>>>     encrypt passwords = Yes
>>>>     time server = Yes
>>>>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>     security = user
>>>>     writable = Yes
>>>>     interfaces = eth0 eth1
>>>>     directory mask = 02770
>>>>     preferred master = yes
>>>>     local master = Yes
>>>>     username map = /etc/samba/smbusers
>>>>     netbios name = wms1
>>>>     server string = Fedora Core 4 SAMBA Server
>>>>     passdb backend = ldapsam:ldap://172.16.0.24
>>>>     ldap passwd sync = Yes
>>>>     machine password timeout = 604800
>>>>     passwd program = /usr/bin/smbpasswd %u
>>>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>>     log file = /var/log/samba/%m.log
>>>>     debug level = 2
>>>>     max log size = 30
>>>>     # add machine script = /usr/bin/smbpasswd -m %u
>>>>     add machine script = /usr/sbin/addmachine.sh "%u"
>>>>     logon script = wms1.bat
>>>>     logon path =
>>>>     logon drive = H:
>>>>     logon home =
>>>>     domain logons = Yes
>>>>     os level = 255
>>>>     domain master = Yes
>>>>     dns proxy = Yes
>>>>     admin users = @domain_admins
>>>>     wins support = Yes
>>>>     remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>>>     name resolve order = hosts wins bcast
>>>>     ldap suffix = dc=tow,dc=net
>>>>     ldap machine suffix = ou=Computers
>>>>     ldap user suffix = ou=Users
>>>>     ldap group suffix = ou=Groups
>>>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>>>     ldap ssl = no
>>>>
>>>>     [homes]
>>>>     comment = Home Directories
>>>>     read only = no
>>>>     browseable = no
>>>>     writable = yes
>>>>     path = %H
>>>>     hide files = /.*/
>>>>
>>>>     [netlogon]
>>>>     comment = Netlogon share
>>>>     root preexec = /accounts/netlogon/prelogon.pl %U
>>>>     path = /accounts/netlogon
>>>>     valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>>>     locking = no
>>>>     browseable = no
>>>>     read only = yes
>>>>     write list = @domain_admins
>>>>     hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>>>>
>>>>     [cafeteria]
>>>>     path = /accounts/cafeteria/data
>>>>     browseable = yes
>>>>     valid users = @wms-cafe, dperry
>>>>     force group = wms-cafe
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>>     [staff]
>>>>     path = /accounts/common
>>>>     browseable = no
>>>>     valid users = @wmsstaff
>>>>     force group = wmsstaff
>>>>     write list = @domain_admins, @wmsstaff
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>>     [programs]
>>>>     path = /accounts/programs
>>>>     browseable = no
>>>>     valid users = @wmsstaff, @techstaff
>>>>     create mode = 0660
>>>>
>>>>     [tech]
>>>>     path = /accounts/tech
>>>>     browseable = no
>>>>     valid users = @techstaff
>>>>     force group = techstaff
>>>>     write list = @techstaff
>>>>     create mode = 0660
>>>>     directory mode = 0770
>>>>
>>>> The addmachine.sh script is my own version of an add machine script. All users, groups and computers have corresponding posix accounts in LDAP as well as the Samba objectClass and attributes. I don't use any Windows utilities to manipulate user and group information in LDAP; I have my own set of routines tailored to our system that allow individual control of LDAP info, or we can batch add/delete accounts and user attributes with interactive shell scripts.
>>>>
>>>> My question to the Samba community is still: should the password program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password out-of-sync problem.
>>>>
>>>> Kent N.
>>>>
>>>> Marcio Luciano Donada <[EMAIL PROTECTED]> wrote:
>>>
>>> kent wrote:
>>>
>>> | Hello, Just wondering what I should be using for the password
>>> | change program on a BDC. Should it be:
>>> |
>>> |     passwd program = /usr/bin/smbpasswd -r <PDC address> %u
>>> |
>>> | I'm having a problem with passwords not staying in sync between the
>>> | PDC and BDC with pass backend ldap.
>>> |
>>> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
>>> |
>>> | Kent N
>>>
>>> Hello, I am trying to configure the BDC. How are you adding the schema to the LDAP base? Can you supply your configuration (smb.conf) and smbldap.conf for me to analyze?
>>>
>>> thanks
>>>
>>> --
>>> Márcio Luciano Donada
>>> T.I. Aurora Alimentos Chapecó(SC)
>>> Cooperativa Central Oeste Catarinense
>>> mdonada at auroraalimentos dot com dot br
>
> --
> Stéphane Purnelle <[EMAIL PROTECTED]>
> Web site: http://www.linuxplusvalue.be

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
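As an added example (not from this thread or from the Samba project), a small Python checker that reads a BDC smb.conf, flags the two settings the thread found responsible for the out-of-sync passwords (a passwd program/chat still active on the BDC, and a passdb backend that names only the local replica), and applies Stéphane's fix. The sample config and the master URL passed in are constructed from the thread's values; the parser is a minimal one written for this example, not Samba's own.

```python
import re

# Constructed sample: the BDC [global] from the thread, cut down to the
# directives the password-sync problem depends on (backslashes doubled
# so the passwd chat survives as a Python string).
BDC_BEFORE = """
[global]
   workgroup = WarehamPS
   domain master = No
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap passwd sync = Yes
   passwd program = /usr/bin/smbpasswd %u
   passwd chat = *Enter\\snew\\sUNIX\\spassword:* %n\\n
"""
LOCAL = ("ldap://127.0.0.1", "ldap://localhost", "ldapi://")

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys are lower-cased
    with whitespace collapsed, mirroring Samba's case-insensitive matching."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def ldap_urls(passdb_backend):
    """ldapsam:"ldap://a ldap://b" -> ['ldap://a', 'ldap://b'] (empty if not ldapsam)."""
    if not passdb_backend.lower().startswith("ldapsam:"):
        return []
    return passdb_backend[len("ldapsam:"):].strip().strip('"').split()

def check_bdc(conf, master_url):
    """Findings for a BDC smb.conf; an empty list means the thread's working setup."""
    g, findings = conf.get("global", {}), []
    if "passwd program" in g or "passwd chat" in g:
        findings.append("passwd program/chat set: unix password changed via the local replica, not the master")
    urls = ldap_urls(g.get("passdb backend", ""))
    if urls and master_url not in urls and all(u.startswith(LOCAL) for u in urls):
        findings.append("passdb backend names only the local replica; add the master %s" % master_url)
    if g.get("ldap passwd sync", "no").lower() not in ("yes", "true", "1", "only"):
        findings.append("ldap passwd sync is off, so NT and posix passwords are updated separately")
    return findings

def fix_bdc(conf, master_url):
    """Apply the thread's fix: drop passwd program/chat, list the master LDAP after the replica."""
    g = dict(conf.get("global", {}))
    g.pop("passwd program", None); g.pop("passwd chat", None)
    g["passdb backend"] = 'ldapsam:"%s"' % " ".join(ldap_urls(g.get("passdb backend", "")) + [master_url])
    return {**conf, "global": g}
```

Run check_bdc on the real /etc/samba/smb.conf of each BDC before and after editing; the list should be empty once the two settings match Stéphane's suggestion.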