I am not a Samba guru, but I have done something similar for testing before. The problem is caused when you change the password on Machine 2, which is a slave: it is READ ONLY, and the changes you make will not be updated or reflected on the original copy. And the LDAP credentials of the slave will not be written to the database. All the changes have to be passed on from the Master database.

Lukasz Stelmach wrote:
Greetings All.

First let me introduce my situation

Machine1: Pdc Samba + OpenLDAP(master)

Machine2: Bdc Samba + OpenLDAP(slave)

LDAP stores Samba and POSIX information for each user.

Case1: I login to Machine1 and invoke smbpasswd. I change
my passwords (samba and posix without any problem). In next
few seconds they get propagated to Machine2 where I can login
with new credentials.

ldap log says

conn=327 fd=26 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=327 op=0 RESULT tag=97 err=0 text=
conn=327 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=327 op=1 SRCH attr=supportedControl
conn=327 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=327 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
conn=327 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
conn=327 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
#
#conn=328 is made via nss_ldap
#
conn=328 fd=27 ACCEPT from PATH=/var//run/ldapi (PATH=/var//run/ldapi)
conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" method=128
conn=328 op=0 BIND dn="cn=Authenticate,o=example,c=xx" mech=SIMPLE ssf=0
conn=328 op=0 RESULT tag=97 err=0 text=
conn=328 op=1 SRCH base="ou=People,o=example,c=xx" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
conn=328 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=328 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=328 op=2 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
conn=328 op=2 SRCH attr=gidNumber
conn=328 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
conn=328 op=3 ABANDON msg=3
conn=327 op=3 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))"
conn=327 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
conn=327 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=327 op=5 SRCH base="ou=Groups,o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=1001))"
conn=327 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
conn=327 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=327 op=6 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
conn=327 op=6 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
conn=327 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=328 op=4 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
conn=328 op=4 SRCH attr=gidNumber
conn=328 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
conn=328 op=5 ABANDON msg=5
conn=327 op=7 SRCH base="o=example,c=xx" scope=2 deref=0 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))"
conn=327 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
conn=327 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
#
#it seems to be here where the modifications start
#
conn=327 op=8 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=327 op=8 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
conn=327 op=8 RESULT tag=103 err=0 text=
conn=327 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=327 op=9 SRCH attr=supportedExtension
conn=327 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
conn=327 op=10 RESULT oid= err=0 text=
conn=327 fd=26 closed (connection lost)
conn=328 fd=27 closed (connection lost)

Case2: I login to Machine2 and invoke smbpasswd. However I get
"Password changed for user jdoe", but quite heavy problems emerge.
From now on I can't login to Machine1 and Machine2 neither with
smbclient nor with ssh (which uses POSIX data).

Case2, the answer: Ldap debug logs claim that samba gives invalid
credentials while trying to bind. Everything calms down when
I "refresh" Sambaroot's (that is the user I put as "ldap admin dn"
in smb.conf) password with ldappasswd using the value stored in
/etc/samba/private/secrets.tdb. It looks like instead of changing
my password samba changes its own :-( When I fix it I can login to
Machines with smbclient but...  I discover that my POSIX password
(userPassword) hasn't changed.  I have to use the old one.

ldap log says:
conn=313 fd=26 ACCEPT from IP=10.1.2.7:2263 (IP=10.1.2.4:389)
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=313 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=313 op=0 RESULT tag=97 err=0 text=
conn=313 op=1 MOD dn="cn=John Doe,ou=People,o=example,c=xx"
conn=313 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
conn=313 op=1 RESULT tag=103 err=0 text=
conn=313 op=2 UNBIND
conn=313 fd=26 closed
conn=314 fd=26 ACCEPT from IP=10.1.2.7:2264 (IP=10.1.2.4:389)
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" mech=SIMPLE ssf=0
conn=314 op=0 RESULT tag=97 err=0 text=
#
# why it happens so that there is no id=... like above
#
conn=314 op=1 PASSMOD
#
conn=314 op=1 RESULT oid= err=0 text=
conn=314 op=2 UNBIND
conn=314 fd=26 closed

Case3: I login to Machine2 and invoke smbpasswd -r Machine1.
Everything is OK like in the first case. Logs of course look
also the same.

Please CC, I am not a subscriber.


--
Pavan Krishna L
Systems Administrator
Diversity Arrays Technology Pty Ltd
Ph:  +61 2 6281 8512
Fax: +61 2 6281 8533
Mob: +61 423 411 281


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
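
Added example, not part of the original thread: a small slapd log check for the pattern visible in Case2, a PASSMOD logged without id=. Under RFC 3062 a Password Modify request with no userIdentity applies to the identity bound on that connection, so the check reports the bind DN whose password was the target. The sample log is constructed from the two PASSMOD shapes quoted above; the function name is hypothetical.

```python
import re

# Constructed sample in slapd stats-log format, modelled on the two PASSMOD
# shapes quoted in the thread (one with id=, one without).
SAMPLE_LOG = """\
conn=327 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=327 op=0 RESULT tag=97 err=0 text=
conn=327 op=10 PASSMOD id="cn=John Doe,ou=People,o=example,c=xx" new
conn=327 op=10 RESULT oid= err=0 text=
conn=314 op=0 BIND dn="cn=Sambaroot,o=example,c=xx" method=128
conn=314 op=0 RESULT tag=97 err=0 text=
conn=314 op=1 PASSMOD
conn=314 op=1 RESULT oid= err=0 text=
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|PASSMOD|RESULT)\b(.*)')
DN_RE = re.compile(r'(?:dn|id)="([^"]*)"')


def find_self_passmods(log_text):
    """Return (conn, op, bind_dn, err) for each PASSMOD logged without id=.

    RFC 3062: with no userIdentity in the request, the server acts on the
    password of the identity bound on that connection.
    """
    bound = {}    # conn -> DN from the most recent BIND on that connection
    pending = {}  # (conn, op) -> bind DN of a PASSMOD awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, verb, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        dn = DN_RE.search(rest)
        if verb == "BIND" and dn:
            bound[conn] = dn.group(1)
        elif verb == "PASSMOD" and not dn:
            pending[(conn, op)] = bound.get(conn, "<no bind seen>")
        elif verb == "RESULT" and (conn, op) in pending:
            err = re.search(r'err=(\d+)', rest)
            findings.append((conn, op, pending.pop((conn, op)),
                             int(err.group(1)) if err else None))
    return findings


if __name__ == "__main__":
    for conn, op, dn, err in find_self_passmods(SAMPLE_LOG):
        print(f"conn={conn} op={op}: PASSMOD without id= targeted bind DN {dn} (err={err})")
```
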
