[Samba] smbpasswd refuses to add a user if the UID exists somewhere in LDAP

2009-11-10 Thread John Du

All the experts.

We have been running samba 3.0.xx (currently at 3.0.28a) on RHEL 4 with 
LDAP back end for a few years now.  It has been working well for us.


Now we are having a little problem. I am not sure if the behavior we see 
is by design or a bug.


In smb.conf

We have:
ldap suffix = o=COMPANY,c=US
ldap user suffix = ou=People

The LDAP database also has an ou=Terms tree for people who have 
terminated employment with the company.  The entries on the ou=Terms 
tree have a uid attribute.


When we rehire people, we would like to give them the same UID as 
before.  We can add the new user with the recycled uid to the ou=People 
tree.  But when we run smbpasswd -a uid to make the user also a Samba 
user, smbpasswd returns an error saying the UID is already used.


The entries in Terms are not of posixAccount class and they do not have 
the ldap user suffix specified in smb.conf.  Is smbpasswd supposed to 
refuse to make the user a Samba user?


It is not a big deal for us. We can just give the rehires a new UID.  
But it would be nice to know whether this is a bug or not.


Thanks,

John

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
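A check for the situation described in this post, added here as an example (it is not Samba's code): it reads an LDIF export, finds every uid that occurs more than once beneath the ldap suffix, and reports whether each copy sits under the ldap user suffix and whether it is a posixAccount. The LDIF and its uid values are constructed; the suffix values are the ones from the smb.conf quoted above.

```python
"""Report uid values that occur more than once beneath the ldap suffix, and
where each copy lives. Added example for this thread, not Samba's code; the
LDIF below is constructed to mirror the ou=People / ou=Terms layout described
above, and the suffix values are taken from the quoted smb.conf."""
from collections import defaultdict

LDAP_SUFFIX = "o=COMPANY,c=US"        # smb.conf: ldap suffix
LDAP_USER_SUFFIX = "ou=People"        # smb.conf: ldap user suffix

# Constructed sample: a rehired user under ou=People whose old entry is still
# under ou=Terms, plus an unrelated account.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,o=COMPANY,c=US
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jsmith
uidNumber: 1001

dn: uid=jsmith,ou=Terms,o=COMPANY,c=US
objectClass: inetOrgPerson
uid: jsmith

dn: uid=mjones,ou=People,o=COMPANY,c=US
objectClass: posixAccount
uid: mjones
uidNumber: 1002
"""


def _lines_to_entry(lines):
    entry = defaultdict(list)
    for line in lines:
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, continuation
    lines start with a space. Base64 (::) and URL (:<) values are not decoded."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_lines_to_entry(lines))
    return entries


def dn_under(dn, base):
    """True if dn equals base or sits anywhere beneath it. Compares RDN by RDN,
    case-insensitively; escaped commas inside values are not handled."""
    def split(s):
        return [p.strip().lower() for p in s.split(",")]
    d, b = split(dn), split(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def find_uid_conflicts(entries, suffix=LDAP_SUFFIX, user_suffix=LDAP_USER_SUFFIX):
    """Group every entry beneath `suffix` by uid and keep the uids that occur
    more than once. Each hit records whether the entry is under the ldap user
    suffix and whether it is a posixAccount, which is what the question turns on."""
    user_base = f"{user_suffix},{suffix}"
    by_uid = defaultdict(list)
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn_under(dn, suffix):
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        for uid in e.get("uid", []):
            by_uid[uid.lower()].append({
                "dn": dn,
                "in_user_suffix": dn_under(dn, user_base),
                "posix": "posixaccount" in classes,
            })
    return {uid: hits for uid, hits in by_uid.items() if len(hits) > 1}


if __name__ == "__main__":
    for uid, hits in find_uid_conflicts(parse_ldif(SAMPLE_LDIF)).items():
        print(f"uid {uid!r} appears {len(hits)} times:")
        for h in hits:
            where = "inside" if h["in_user_suffix"] else "outside"
            kind = "posixAccount" if h["posix"] else "not posixAccount"
            print(f"  {h['dn']}  ({where} ldap user suffix, {kind})")
```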


Re: [Samba] Samba HA issue

2009-08-05 Thread John Du

David Christensen wrote:

Liutauras Adomaitis wrote:

On Tue, Aug 4, 2009 at 7:39 PM, David Christensen david.christen...@viveli.com wrote:

With samba configured for high availability using heartbeat, I am not
able to join new computers to the domain after a fail over.  If I fail
back to the main samba instance I can join the computer to the domain.

However With samba in a fail over state and running on the backup PDC
users can still authenticate and gain access to their shares.

I have the two instances of samba configured nearly identical except for
having them pointed to the instance of ldap that is running on the
server itself (which is being replicated).  Is there something else,
some tdb file etc,  that needs to be shared between the two instances of
samba so a fail over appears identical to the ldap backend?

Thanks.
  

If you are running a PDC+BDC configuration with LDAP backend with
replication, then you must have master to master replication. In case
of master - slave replication you cannot write to the slave while your
master is not accessible. Usually the slave has a redirection to the master for
write operations. The slave is read-only and that's why you can authenticate
to the BDC, but cannot join new machines to the domain.
This may be your case.

Liutauras



Liutauras,

I have ldap using master-master replication so writing to either ldap
instance is no problem.  In addition I have both instances of samba
configured as PDCs (the smb.conf file is identical on both PDCs except
for two things, the ldap each talks to and the host name of the PDC
itself; not using the netbios parameter), however only one of them is
running at a time.  The issue occurs when the 2nd PDC comes online.
Based on the ldap logs the query I am seeing from the 2nd PDC in a
failed over state is not the same query that the primary PDC does when
I add a new computer successfully.  I never see the lookup for the admin
user who has the right to add a computer, along with other missing
search strings.

Is there some SID or some other serial number etc. that the 2nd PDC is
lacking that is causing this symptom?  Why would a query from a near
identical instance of samba to the same ldap DB be so different?
  
I had the same problem with samba 3.0.28 on rhel 4.  I fixed my problem 
by issuing net rpc grant .. commands on the backup PDC.  I never 
understood why it behaved that way but those commands worked for me.  I 
thought those rights were in the LDAP database but it seemed that those 
rights are stored on the individual servers somehow.






Re: [Samba] Samba HA issue

2009-08-05 Thread John Du

David Markey wrote:

Yup, unfortunately rights granted using net sam/rpc and usrmgr are saved
locally in a TDB file (account_policy); this should probably be in LDAP. I
suppose it should be possible to rsync the tdb file.


On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen david.christen...@viveli.com wrote:
John Du wrote:

David Christensen wrote:

Liutauras Adomaitis wrote:

On Tue, Aug 4, 2009 at 7:39 PM, David Christensen david.christen...@viveli.com wrote:

With samba configured for high availability using heartbeat, I am not
able to join new computers to the domain after a fail over.  If I fail
back to the main samba instance I can join the computer to the domain.

However With samba in a fail over state and running on the backup PDC
users can still authenticate and gain access to their shares.

I have the two instances of samba configured nearly identical except for
having them pointed to the instance of ldap that is running on the
server itself (which is being replicated).  Is there something else,
some tdb file etc,  that needs to be shared between the two instances of
samba so a fail over appears identical to the ldap backend?

Thanks.


If you are running a PDC+BDC configuration with LDAP backend with
replication, then you must have master to master replication. In case
of master - slave replication you cannot write to the slave while your
master is not accessible. Usually the slave has a redirection to the master for
write operations. The slave is read-only and that's why you can authenticate
to the BDC, but cannot join new machines to the domain.
This may be your case.

Liutauras



Liutauras,

I have ldap using master-master replication so writing to either ldap
instance is no problem.  In addition I have both instances of samba
configured as PDCs (the smb.conf file is identical on both PDCs except
for two things, the ldap each talks to and the host name of the PDC
itself; not using the netbios parameter), however only one of them is
running at a time.  The issue occurs when the 2nd PDC comes online.
Based on the ldap logs the query I am seeing from the 2nd PDC in a
failed over state is not the same query that the primary PDC does when
I add a new computer successfully.  I never see the lookup for the admin
user who has the right to add a computer, along with other missing
search strings.

Is there some SID or some other serial number etc. that the 2nd PDC is
lacking that is causing this symptom?  Why would a query from a near
identical instance of samba to the same ldap DB be so different?


I had the same problem with samba 3.0.28 on rhel 4.  I fixed my problem
by issuing net rpc grant .. commands on the backup PDC.  I never
understood why it behaved that way but those commands worked for me.  I
thought those rights were in the LDAP database but it seemed that those
rights are stored on the individual servers somehow.



  

John,

Not familiar with net rpc grant, where is that invoked or added?

These commands are documented at 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html.







Re: [Samba] folder/users privileges

2009-08-04 Thread John Du

Surendil wrote:

You were right, I can do it easily with setfacl.
Thanks for solving my problem.

I have another thing going on now.
Every time I try to setfacl a user to a folder it gives me an error.

r...@s-f141-lx01:/# setfacl -b -k -R prueba/
r...@s-f141-lx01:/# setfacl -R -m u:ale:rw prueba/
setfacl: prueba/: Operation not supported

  

The file system is not mounted with ACL enabled?


Any idea why this is happening???

Again, thanks for your help.

On Tue, Aug 4, 2009 at 1:40 PM, Robert LeBlanc rob...@leblancnet.us wrote:

  

I've found that you can not change the ugo permissions that are default on
Linux systems. You have to use extended ACLs and with Windows you can manage
those to your heart's content. Typically, what we do is set permissions that
will not ever be changed using the Linux ugo permissions, and then more
detailed ones we use extended ACLs. I have not found a way to manage the
Linux ugo permissions from Windows.

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


On Tue, Aug 4, 2009 at 10:30 AM, Surendil ale...@gmail.com wrote:

I've tried to set ACLs but have the same results as before, definitely I'm
doing something wrong.
I just thought I could manage privileges like Windows 2003 file server.

On Tue, Aug 4, 2009 at 1:29 PM, Surendil ale...@gmail.com wrote:

I've tried to set ACLs but have the same results as before, definitely I'm
doing something wrong.
I just thought I could manage privileges like Windows 2003 file server.

On Tue, Aug 4, 2009 at 12:23 PM, Robert LeBlanc rob...@leblancnet.us wrote:



Samba respects file system ACLs. We use them all the time. We have our
share declarations wide open (relatively speaking) and control all the rest
of the permissions by ACLs. We use XFS and usually mount the file system to
respect the gid bit setting on folders to give a Windows-like environment (we
also set the umask appropriately in smb.conf).

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


On Tue, Aug 4, 2009 at 8:47 AM, Surendil ale...@gmail.com wrote:

The users ale and jvillar are Windows XP users trying to get into a samba
shared folder.
Will acl work?

On Tue, Aug 4, 2009 at 11:31 AM, Eero Volotinen eero.voloti...@iki.fi wrote:

I got a folder named BACKUP.
Users ale and jvillar can read/write this folder.
Inside BACKUP is another folder named MAIL BACKUP.
I want user ale to read/write this folder and user jvillar only read.
Even though I tried everything I could think of, nothing worked out the
way I wanted to.
Did anyone solve this?

Use acl on filesystem ?

--
Eero

  


--
Alejandro Debussy
Konexion Urbana
Tel: 02322-426468


Re: [Samba] Very slow transfers to Samba on Ubuntu

2009-06-24 Thread John Du

Have you looked at adjusting the socket options parameter in smb.conf?

I use socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 in my 
smb.conf and scp and samba take about the same amount of time to 
transfer files from Windows to the samba server.


Raghu A wrote:

There is no disk or CPU bottleneck or virus checking (server is latest
ubuntu). scp at the same time as this transfer can write 3-4 faster to the
same partition. This is an Atom processor but there is more cpu left.

To be more specific:

Why does XP send only 1KB at a time to the server? I think this is pretty
much the culprit. I can send decoded TCP dump of initial SMB handshake if
you are interested. There seems to be some configuration mismatch.

When I tried a Ubuntu samba client it sends 4KB SMB packets. This helps a
lot with the transfer rate. Btw, looks like most of the CPU consumed by smbd
is per packet.. so increasing this packet size reduces CPU as well.

Raghu.


Ben Tyger wrote:
  

What type of file processors are you running along with samba? Are you
running the virus checking plugin or VFS(recycle bin)? Virus checking is
very cpu and disk I/O intensive these can really slow down a samba
server. I can't expect VFS is all that cheap either when moving big files.

Raghu A wrote:


I mounted a samba volume on XP. XP and Ubuntu are connected over 100Mbps
ethernet (router).

I am writing a 4GB file from XP to Ubuntu and the transfer is extremely
slow : only around 1-1.5 MB/s.




  




Re: [Samba] Very slow transfers to Samba on Ubuntu

2009-06-24 Thread John Du

My samba server is 3.0.28a running on RHEL 4.

My network is also 100Mbps.  I copy a 100MB file from Windows XP to my 
samba server in about 20 seconds.  Scp the same file from a Linux host 
to the same server takes about the same time.


You may take a look at setting the Windows TCP buffer sizes.  I did not 
change mine though.


Raghu A wrote:

I tried TCP_NODELAY and it didn't make a difference. I haven't tried
SO_SNDBUF and RCVBUF, but I will. As the tcpdump shows there is lot of tcp
window left.

It is not just the server since linux samba client behaves much better. What
determines SMB packet size?

What is the throughput you get? Is this with an XP/windows client?

Raghu.


John Du-4 wrote:
  

Have you looked at adjusting the socket options parameter in smb.conf?

I use socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 in my 
smb.conf and scp and samba take about the same amount of time to 
transfer files from Windows to the samba server.


Raghu A wrote:


There is no disk or CPU bottleneck or virus checking (server is latest
ubuntu). scp at the same time as this transfer can write 3-4 faster to the
same partition. This is an Atom processor but there is more cpu left.

To be more specific:

Why does XP send only 1KB at a time to the server? I think this is pretty
much the culprit. I can send decoded TCP dump of initial SMB handshake if
you are interested. There seems to be some configuration mismatch.

When I tried a Ubuntu samba client it sends 4KB SMB packets. This helps a
lot with the transfer rate. Btw, looks like most of the CPU consumed by smbd
is per packet.. so increasing this packet size reduces CPU as well.

Raghu.


Ben Tyger wrote:
  
  

What type of file processors are you running along with samba? Are you
running the virus checking plugin or VFS(recycle bin)? Virus checking is
very cpu and disk I/O intensive these can really slow down a samba
server. I can't expect VFS is all that cheap either when moving big files.

Raghu A wrote:



I mounted a samba volume on XP. XP and Ubuntu are connected over 100Mbps
ethernet (router).

I am writing a 4GB file from XP to Ubuntu and the transfer is extremely
slow : only around 1-1.5 MB/s.




  
  



Re: [Samba] Users can't login on Samba+Ldap

2009-05-19 Thread John Du

Miguel Medalha wrote:



nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one

should be   nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one



No, it shouldn't. From the point of view of a Windows domain, 
computers are users too. The Samba manual even makes a joke about 
that, saying that computers are people too. Some people in fact put 
the domain computers together with the users under a OU called 
People or Users.


Of course, inside your LDAP database you can choose to put the 
computers in a OU called hosts. But then the entry above would be:


nss_base_passwd ou=hosts,dc=DOMAIN,dc=IT?one


I am right now using a Samba PDC with the above configuration and it 
is working perfectly.



Are you saying nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one 
and nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one are 
equivalent,

or are you saying nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one is wrong?



Re: [Samba] Users can't login on Samba+Ldap

2009-05-19 Thread John Du

dogb...@infinito.it wrote:

Miguel Medalha wrote:
  
Based on your smb.conf, you must have the following entries in 
/etc/ldap.conf


nss_base_passwd ou=Users,dc=DOMAIN,dc=IT?one
nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one
nss_base_shadow ou=Users,dc=DOMAIN,dc=IT?one
nss_base_group  ou=Groups,dc=DOMAIN,dc=IT?one





  

nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one

should be 

nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one



Hi,

I've tried this configuration and I still have some problems.
Trying to connect with a user created only in LDAP (smbldap-useradd) I get
the following error in samba log:

[2009/05/19 10:59:30,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for utentest
[2009/05/19 10:59:30,  0] auth/auth_sam.c:check_sam_security(355)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2009/05/19 10:59:30,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for utentest

If I try to connect with a user that exists in both the LDAP and etc/passwd
files I cannot get it to authenticate (error: user is invalid or bad
password) but I don't get any log in the samba files.

I can't understand what's wrong with this installation.






  




Re: [Samba] Users can't login on Samba+Ldap

2009-05-19 Thread John Du

Miguel Medalha wrote:


or are you saying nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one is wrong?





I don't know about NFS, but from the point of view of a Samba PDC the 
above is wrong. Computers are also domain users and as such they must 
be referred to the nss_base_passwd directive.


Quoting from Samba 3 by Example, Chapter 5. Making Happy Users which 
is dedicated to configuration of a LDAP PDC:


«

If the container for computer accounts is not the same as that for 
users (see the smb.conf file entry for ldap machine suffix), it 
may be necessary to set the following DIT dn in the /etc/ldap.conf 
file:


nss_base_passwd dc=abmas,dc=biz?sub

This instructs LDAP to search for machine as well as user entries from 
the top of the DIT down. This is inefficient, but at least should 
work. Note: It is possible to specify multiple nss_base_passwd 
entries in the /etc/ldap.conf file; they will be evaluated 
sequentially. Let us consider an example of use where the following 
DIT has been implemented:


- User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz

- User login accounts are under the DIT: ou=People, ou=Users, 
dc=abmas, dc=biz

- Computer accounts are under the DIT: ou=Computers, ou=Users, 
dc=abmas, dc=biz


The appropriate multiple entry for the nss_base_passwd directive in 
the /etc/ldap.conf file may be:


nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one

»



Thank you very much for the information!
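To make the scope rules in the quoted passage concrete, here is an added example (not nss_ldap or Samba code) that models how sequential nss_base_passwd lines decide whether a getpwnam()-style lookup can see an entry, which is the difference between a machine account being found and the "Failed to find Unix account" error earlier in this thread. The DNs and config lines are constructed from the passage's DIT, and a line with no ?scope is assumed to default to sub.

```python
"""Model how sequential nss_base_passwd lines (base?scope) decide which LDAP
entries a getpwnam() lookup can see. Added example for the Samba 3 by Example
passage quoted above; it is not nss_ldap code. The DNs and config lines are
constructed from that passage's DIT, and a missing scope is assumed to mean
"sub" (nss_ldap's default)."""

# Constructed directory: a person, a machine account and a stray account that
# sits directly under ou=Users.
ENTRY_DNS = [
    "uid=jsmith,ou=People,ou=Users,dc=abmas,dc=org",
    "uid=ws01$,ou=Computers,ou=Users,dc=abmas,dc=org",
    "uid=legacy,ou=Users,dc=abmas,dc=org",
]

PEOPLE_ONLY = ["nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one"]
PEOPLE_AND_COMPUTERS = PEOPLE_ONLY + [
    "nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one"]
SUB_FROM_TOP = ["nss_base_passwd dc=abmas,dc=org?sub"]


def parse_nss_base(line):
    """'nss_base_passwd <base>?<scope>[?<filter>]' -> (base, scope)."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "nss_base_passwd":
        raise ValueError(f"not an nss_base_passwd line: {line!r}")
    fields = parts[1].strip().split("?")
    base = fields[0]
    scope = (fields[1] if len(fields) > 1 and fields[1] else "sub").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r} in {line!r}")
    return base, scope


def _rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base, scope):
    """Does a search rooted at `base` with `scope` return `dn`?"""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)          # 0 = the base itself, 1 = direct child
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def visible_entries(entry_dns, nss_lines):
    """DNs reachable through the nss_base_passwd lines, evaluated in order."""
    seen, out = set(), []
    for line in nss_lines:
        base, scope = parse_nss_base(line)
        for dn in entry_dns:
            if dn not in seen and in_scope(dn, base, scope):
                seen.add(dn)
                out.append(dn)
    return out


def find_account(name, entry_dns, nss_lines):
    """getpwnam-style lookup: first visible entry whose leading RDN is
    uid=<name>, or None (the 'Failed to find Unix account' case)."""
    for dn in visible_entries(entry_dns, nss_lines):
        if _rdns(dn)[0] == f"uid={name.lower()}":
            return dn
    return None


if __name__ == "__main__":
    for label, cfg in [("People only", PEOPLE_ONLY),
                       ("People + Computers", PEOPLE_AND_COMPUTERS),
                       ("?sub from the top", SUB_FROM_TOP)]:
        print(f"{label}: machine ws01$ -> {find_account('ws01$', ENTRY_DNS, cfg)}")
```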


Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-05-04 Thread John Du

David Markey wrote:

 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
 ldap password change requested, but LDAP server does not support it --
ignoring


1st, are the ldap libraries samba is compiled with the same as the ldap
server?


  
The LDAP libraries on the Samba server are OpenLDAP 2.2 while the LDAP 
server is OpenLDAP 2.4.  Are the 2.2 libraries supposed to work with 
the 2.4 server?



2nd, possibly change
password-hash {CRYPT}

to

password-hash {SSHA}

I'm not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}


  
I will setup a test environment to further investigate the problem.  I 
do not want to mess up the production system. I'll update you with my 
findings.


Thanks!







John Du wrote:

David Markey wrote:

John Du wrote:

David Markey wrote:

John Du wrote:

David Markey wrote:

I would imagine that you'll need to re-jig your ACLs in slapd.conf,

Please supply logs.


  
  

Thank you very much.

I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
and UNIX password.  If the problem is ACL related, wouldn't I have the
same problem with this tool?

When samba changes passwords, does the process run as root or as the
user making the passwords change?




If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.

  
  
  

I did not make myself clear. When I say I can use smbldap-passwd to
change password, I mean I can run the tool from the command line as
root.  If I use smbldap-passwd and unix passwd sync in smb.conf, I
get a "you do not have permission to change password" message when
attempting to change password.

So at this time I am still using ldap passwd sync in smb.conf and that
is when it only changes the Windows password.

Does the userPassword attribute require different ACL than
sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
LDAP database.




That is strange, LDAP password updates are done via EXOP, have you
defined a password hash in slapd.conf?

Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf.
Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.



  
  

My thanks to David and all who have responded to my questions.  I have
identified where and what the problem is but I am not sure it is a
Samba problem or OpenLDAP problem.

I am trying to give you a clear picture.

1. unix passwd sync works perfectly.

I replaced ldap passwd sync = Yes with:

   unix password sync = Yes
   passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
   passwd chat = Changing UNIX password for*\nNew password* %n\n *Retype new password* %n\n

No changes on the OpenLDAP side.  Users can change their Windows and
LDAP password correctly all the time.

2. ldap passwd sync = Yes does not change the LDAP password but it
changes the Windows password OK.

   2.1  OpenLDAP with some ACLs defined.

   When the OpenLDAP server has some ACLs defined, the samba server
   logs the following:

  2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
  ldap password change requested, but LDAP server does not support it -- ignoring

   The LDAP password is not changed.

   2.2 When no ACLs are defined in slapd.conf.

   [2009/04/30 23:43:03, 10] lib/smbldap.c:smbldap_extended_operation(1525)
   Extended operation failed with error: 80 (Internal (implementation specific) error) (password hash failed)
   [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
   ldapsam_modify_entry: LDAP Password could not be changed for user johndu: Internal (implementation specific) error
   password hash failed

Hash is defined in slapd.conf as follows:

password-hash {CRYPT}
password-crypt-salt-format $1$%.2s

The Windows user will get a "the user name or old password is
incorrect" message in this case.
   
The LDAP root DN is used all the time everywhere.


I can mail the complete log files to you if they can help you to
determine the cause of the problem.  There seems to be some
compatibility issues between the LDAP server and the Samba server. 
Logically I think if the IDEALX tool works the samba server's internal

LDAP functions should work as well.

Let me know if you need any further information from me.

Wish you all a good weekend!

John


  
  

Thanks!

Thanks again.

John Du wrote:

John Du wrote:
Hi,

I have been running Samba with OpenLDAP for a few years.  We
recently
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is
changed the UNIX password

Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-05-01 Thread John Du

David Markey wrote:

John Du wrote:

David Markey wrote:

John Du wrote:

David Markey wrote:

I would imagine that you'll need to re-jig your ACLs in slapd.conf,

Please supply logs.


  

Thank you very much.

I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
and UNIX password.  If the problem is ACL related, wouldn't I have the
same problem with this tool?

When samba changes passwords, does the process run as root or as the
user making the passwords change?



If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.

  
  

I did not make myself clear. When I say I can use smbldap-passwd to
change password, I mean I can run the tool from the command line as
root.  If I use smbldap-passwd and unix passwd sync in smb.conf, I
get a "you do not have permission to change password" message when
attempting to change password.

So at this time I am still using ldap passwd sync in smb.conf and that
is when it only changes the Windows password.

Does the userPassword attribute require different ACL than
sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
LDAP database.




That is strange, LDAP password updates are done via EXOP, have you
defined a password hash in slapd.conf?

Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf.
Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.



  
My thanks to David and all who have responded to my questions.  I have 
identified where and what the problem is but I am not sure it is a Samba 
problem or OpenLDAP problem.


I am trying to give you a clear picture.

1. unix passwd sync works perfectly.

I replaced ldap passwd sync = Yes with:

  unix password sync = Yes
  passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
  passwd chat = Changing UNIX password for*\nNew password* %n\n *Retype new password* %n\n


No changes on the OpenLDAP side.  Users can change their Windows and 
LDAP password correctly all the time.


2. ldap passwd sync = Yes does not change the LDAP password but it 
changes the Windows password OK.

  2.1  OpenLDAP with some ACLs defined.

  When the OpenLDAP server has some ACLs defined, the samba server 
  logs the following:

 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
 ldap password change requested, but LDAP server does not support it -- ignoring

 The LDAP password is not changed.

  2.2 When no ACLs are defined in slapd.conf.

  [2009/04/30 23:43:03, 10] lib/smbldap.c:smbldap_extended_operation(1525)
  Extended operation failed with error: 80 (Internal (implementation specific) error) (password hash failed)
  [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user johndu: Internal (implementation specific) error
  password hash failed

Hash is defined in slapd.conf as follows:

password-hash {CRYPT}
password-crypt-salt-format $1$%.2s

The Windows user will get a "the user name or old password is incorrect" 
message in this case.
  
The LDAP root DN is used all the time everywhere.


I can mail the complete log files to you if they can help you to 
determine the cause of the problem.  There seems to be some 
compatibility issues between the LDAP server and the Samba server.  
Logically I think if the IDEALX tool works the samba server's internal 
LDAP functions should work as well.


Let me know if you need any further information from me.

Wish you all a good weekend!

John




  

Thanks!

Thanks again.

John Du wrote:

John Du wrote:

Hi,

I have been running Samba with OpenLDAP for a few years.  We recently
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is
changed; the UNIX password is not changed anymore.  The Samba server does
not log any errors.  The samba configuration file did not change when
the LDAP server was upgraded.

I do have ldap passwd sync = Yes in smb.conf and it used to work fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n

instead of ldap passwd sync, what access control do I have to add to
the slapd.conf file?

Thank you very much for your help!

John




  

I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
2.6.9-42.0.2.
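The two passwd chat strings in this thread differ in their first expect string ("Changing password for*" versus "Changing UNIX password for*"). The added example below, a simplified model written for this page and not Samba's chgpasswd code, walks a chat string against a scripted set of program prompts and stops at the first expect string that does not match; the prompts are constructed, not smbldap-passwd's real output, and the expect strings containing spaces are shown double-quoted, which smb.conf needs to keep them as single tokens.

```python
"""Simulate a Samba-style 'passwd chat' expect/send exchange against a
scripted password program, to show that the first expect string has to match
what the program really prints. Added example written for this thread; it is
a simplified model, not Samba's chgpasswd code. The two chat strings come from
the messages above (double-quoted where an expect string contains spaces);
the program prompts are constructed, not smbldap-passwd's real output."""
import fnmatch

CHAT_UNIX = r'"Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n'
CHAT_PLAIN = r'"Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n'

# Constructed prompts for a program that announces a UNIX password change.
PROMPTS_UNIX = ["Changing UNIX password for johndu\nNew password: ",
                "Retype new password: "]


def tokenize(chat):
    """Split on whitespace, keeping double-quoted tokens whole."""
    tokens, cur, quoted = [], "", False
    for ch in chat:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if quoted:
        raise ValueError("unterminated quote in passwd chat")
    if cur:
        tokens.append(cur)
    return tokens


def expand(token, new_pw, old_pw=""):
    """Expand %n / %o and the \\n \\r \\t \\s escapes used in chat strings."""
    escapes = {"n": "\n", "r": "\r", "t": "\t", "s": " "}
    subst = {"n": new_pw, "o": old_pw}
    out, i = "", 0
    while i < len(token):
        ch, nxt = token[i], token[i + 1:i + 2]
        if ch == "%" and nxt in subst:
            out += subst[nxt]
            i += 2
        elif ch == "\\" and nxt in escapes:
            out += escapes[nxt]
            i += 2
        else:
            out += ch
            i += 1
    return out


def parse_chat(chat, new_pw, old_pw=""):
    """Return [(expect, send), ...]. A '.' expect waits for nothing and a '.'
    send sends nothing."""
    toks = tokenize(chat)
    if len(toks) % 2:
        raise ValueError("passwd chat must be expect/send pairs")
    return [(expand(e, new_pw, old_pw), expand(s, new_pw, old_pw))
            for e, s in zip(toks[::2], toks[1::2])]


def run_chat(chat, prompts, new_pw, old_pw=""):
    """Walk the pairs against the scripted prompts. Returns
    (ok, lines_sent, reason); on a mismatch nothing further is sent, which is
    why a wrong first expect string leaves the password unchanged."""
    sent, idx = [], 0
    for step, (expect, send) in enumerate(parse_chat(chat, new_pw, old_pw)):
        if expect != ".":
            if idx >= len(prompts):
                return False, sent, f"step {step}: no prompt to match {expect!r}"
            if not fnmatch.fnmatchcase(prompts[idx], expect):
                return False, sent, f"step {step}: {prompts[idx]!r} != {expect!r}"
            idx += 1
        if send != ".":
            sent.append(send)
    return True, sent, "ok"


if __name__ == "__main__":
    for label, chat in [("chat with UNIX", CHAT_UNIX), ("chat without UNIX", CHAT_PLAIN)]:
        ok, sent, why = run_chat(chat, PROMPTS_UNIX, "s3cret")
        print(f"{label}: ok={ok}, sent {len(sent)} line(s); {why}")
```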



  
  
  



  




[Samba] Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread John Du

Hi,

I have been running Samba with OpenLDAP for a few years.  We recently 
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.


When users change their passwords now, only the Windows password is 
changed; the UNIX password is not changed anymore.  The Samba server does not 
log any errors.  The samba configuration file did not change when the 
LDAP server was upgraded.


I do have ldap passwd sync =Yes in smb.conf and it used to work fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype new 
password* %n\n


instead of ldap passwd sync, what access control do I have to add to 
the slapd.conf file?


Thank you very much for your help!

John




[Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread John Du

John Du wrote:

Hi,

I have been running Samba with OpenLDAP for a few years.  We recently 
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.


When users change their passwords now, only the Windows password is 
changed; the UNIX password is not changed anymore.  The Samba server does 
not log any errors.  The samba configuration file did not change when 
the LDAP server was upgraded.


I do have ldap passwd sync =Yes in smb.conf and it used to work fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype 
new password* %n\n


instead of ldap passwd sync, what access control do I have to add to 
the slapd.conf file?


Thank you very much for your help!

John





I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel 
2.6.9-42.0.2.



Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread John Du

David Markey wrote:

I would imagine that you'll need to re-jig your ACLs in slapd.conf,

Please supply logs.

  

Thank you very much.

I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows and 
UNIX password.  If the problem is ACL related, wouldn't I have the same 
problem with this tool?


When samba changes passwords, does the process run as root or as the
user making the password change?


Thanks again.


John Du wrote:
  

John Du wrote:


Hi,

I have been running Samba with OpenLDAP for a few years.  We recently
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is
changed; the UNIX password is not changed anymore.  Samba server does
not log any errors.  The samba configuration file did not change when
the LDAP server was upgraded.

I do have ldap passwd sync = Yes in smb.conf and it used to work fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype
new password* %n\n

instead of ldap passwd sync, what access control do I have to add to
the slapd.conf file?

Thank you very much for your help!

John



  

I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
2.6.9-42.0.2.




  




Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread John Du

David Markey wrote:

John Du wrote:
  

David Markey wrote:


I would imagine that you'll need to re-jig your ACLs in slapd.conf.

Please supply logs.

  
  

Thank you very much.

I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
and UNIX password.  If the problem is ACL related, wouldn't I have the
same problem with this tool?

When samba changes passwords, does the process run as root or as the
user making the password change?



If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.

  
I did not make myself clear. When I say I can use smbldap-passwd to
change password, I mean I can run the tool from the command line as
root.  If I use smbldap-passwd and unix passwd sync in smb.conf, I get
a "you do not have permission to change password" message when
attempting to change password.


So at this time I am still using ldap passwd sync in smb.conf and that 
is when it only changes the Windows password.


Does the userPassword attribute require a different ACL than
sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
LDAP database.


Thanks!

 
  

Thanks again.


John Du wrote:
 
  

John Du wrote:
   


Hi,

I have been running Samba with OpenLDAP for a few years.  We recently
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is
changed; the UNIX password is not changed anymore.  Samba server does
not log any errors.  The samba configuration file did not change when
the LDAP server was upgraded.

I do have ldap passwd sync = Yes in smb.conf and it used to work
fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype
new password* %n\n

instead of ldap passwd sync, what access control do I have to add to
the slapd.conf file?

Thank you very much for your help!

John



  
  

I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
2.6.9-42.0.2.


  
  



  


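Markey's point above (unix password sync runs as root, ldap passwd sync binds as the DN configured in smb.conf) decides which identity an slapd ACL has to cover. The evaluator below is an added example, not code from this thread, from Samba or from OpenLDAP: it models one typical slapd.conf access clause that lets the Samba bind DN write userPassword and the Samba hash attributes alike, and resolves requests the way slapd does (first matching "access to" clause, first matching "by" clause, rootdn exempt from ACLs, so a rootdn bind as in John's setup is never blocked by them). All DNs are assumptions.

```python
# Constructed slapd.conf fragment this evaluator models (DNs are assumptions):
#   access to attrs=userPassword,sambaNTPassword,sambaLMPassword
#       by dn="cn=samba,ou=DSA,o=COMPANY,c=US" write
#       by self write
#       by anonymous auth
#       by * none
#   access to *
#       by * read
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ROOTDN = "cn=Manager,o=COMPANY,c=US"         # assumed slapd.conf rootdn
SAMBA_DN = "cn=samba,ou=DSA,o=COMPANY,c=US"  # assumed smb.conf "ldap admin dn"
PASSWORD_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}

# (attrs, or None for "access to *", [(who, dn, level), ...]) in file order.
ACLS = [
    (PASSWORD_ATTRS, [("dn", SAMBA_DN, "write"), ("self", None, "write"),
                      ("anonymous", None, "auth"), ("*", None, "none")]),
    (None, [("*", None, "read")]),
]

def by_clause_matches(who, dn, bind_dn, target_dn):
    """Does one 'by' clause apply to this bind?  DNs compare case-insensitively."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    return who == "dn" and bind_dn.lower() == dn.lower()

def access_level(bind_dn, target_dn, attr, acls=ACLS, rootdn=ROOTDN):
    """slapd rules: rootdn bypasses ACLs; otherwise the first 'access to'
    clause covering attr is chosen and its first matching 'by' clause decides."""
    if bind_dn.lower() == rootdn.lower():
        return "write"
    for attrs, by_clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, dn, level in by_clauses:
            if by_clause_matches(who, dn, bind_dn, target_dn):
                return level
        return "none"  # no 'by' clause matched: implicit 'by * none'
    return "none"

def allows(bind_dn, target_dn, attr, needed):
    """True if the effective level is at least `needed` (levels are ordered)."""
    return LEVELS.index(access_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```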


Re: [Samba] some question about BDCs

2009-04-24 Thread John Du

Tamás Pisch wrote:

Hi,

I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but don't
understand something:

  

Samba-3 cannot participate in true SAM replication and is therefore not
able to employ precisely the same protocols used by MS Windows NT4. A
Samba-3 BDC will not create SAM update delta files.

Ok, I understand until that, but:

It will not interoperate with a PDC (NT4 or Samba) to synchronize
the SAM from delta files that are held by BDCs.
The BDC is said to hold a read-only of the SAM from which it is able to
process network logon requests and authenticate users. The BDC can
continue to provide this service, particularly while, for example, the
wide-area network link to the PDC is down.

So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can
BDC update machine and/or user information or not? As I understood, only the
LDAP solution is suitable for a PDC-BDC setup, because domain member
servers and workstations periodically change the Machine Trust Account
password, so BDC has to update some data.
As I understood, BDC can change at least Machine Trust Account passwords.
Additional question: can a user change his/her login password, when he/she
connected to the BDC (in case PDC is available and in case PDC is
temporarily unavailable)? I read in TOSHARG2 too that in the BDC's smb.conf,
I don't need user/group modification scripts, so I guess, I cannot
add/modify them from the BDC.

  

I have the exact same questions.

I had a PDC using a master LDAP server and a few BDCs using slave LDAP
servers.


Now, I upgraded LDAP to replicate in multi-master mode and set the PDC and
BDCs to point to these LDAP servers.  In my current setup, what is the
difference between the PDC and a BDC?


When an administrator adds a computer or user to the domain from a
Windows machine, how does the Windows machine decide which DC to contact?


I have read the Samba-How-To many times but have never understood this part.

Thanks for clarifying...

John






Thanks.
  




[Samba] Change a Samba PDC to BDC on the fly?

2009-04-24 Thread John Du

Hi the list,

I am in the process of converting a Samba PDC to a BDC and a BDC to a PDC,
and am running into some issues.


1.  For each of the samba servers, I have two configuration files.  One 
is for PDC and the other for BDC.  I make a symbolic link from one of 
the two files to /etc/samba/smb.conf.  Then I do service smb reload.  
The problem I have is that Windows clients do not see the role change.  
Is it supposed to work?  In other words, can the samba server role be 
changed on the fly?


2. Can I have more than one samba server acting as Preferred Master in a 
domain?


3.  The PDC machine has some samba shares and they are working fine.  
But if I make the PDC machine a BDC and make a BDC a PDC, the samba 
share definitions will be added to the new PDC which does not have the 
shares.  This may be confusing.



Before:


Host 1 as PDC exporting shares A, B and C

Host 2 as BDC exporting share D

After:

Change Host 1 as BDC still exporting shares A, B and C, reload the 
configuration.


Change Host 2 as PDC still exporting share D, reload the configuration.

After some time, testparm on host 2 shows that it exports shares A,B,C 
and D but in fact it does not have shares A, B and C on the host.


Thank you for your help!


John







[Samba] usrmgr.exe does not show any Samba groups

2009-04-08 Thread John Du

Hi,

We are running samba 3.0.28 on RHEL 5 as a PDC serving around 1000
active users.  This domain was vampired from a Windows NT 4 domain a few
years ago.  OpenLDAP 2.2.13 is used as the back end user database. One
of the problems we have is that usrmgr.exe does not display any
groups.  I can use usrmgr to create users, delete users and create
groups.  But I cannot use it to delete groups or add users to groups.


I am running usrmgr.exe version 5.1 Service Pack 3 on Windows XP SP3.

On the server, net groupmap list lists the groups correctly.  If I
select a user from the usrmgr panel, it shows the user's primary group
correctly but it does not list any groups to make this user a member of.


I have googled around but did not find anything helpful.

I can post my configuration if that is needed.


Thanks!

John



[Samba] Samba does not work unless nscd is running

2009-02-07 Thread John Du

Hi,

I recently added a Samba server to an existing domain as a BDC.  It gave 
the following error for each authentication request:


[2009/02/06 04:59:55, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
 pdb_get_group_sid: Failed to find Unix account for ditas
[2009/02/06 04:59:55, 1] auth/auth_util.c:make_server_info_sam(589)
 User ditas in passdb, but getpwnam() fails!
[2009/02/06 04:59:55, 0] auth/auth_sam.c:check_sam_security(353)
 check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER


I googled and found a post with the same errors.  The poster said
running nscd fixed his problem.  I started nscd on the host the new
Samba server is running on and the errors went away.


Samba version: 3.0.33
OS: RHEL5, kernel 2.6.18-128.el5.

Other samba servers in the domain are 3.0.28 and they do not have this 
problem.


Is this (requiring running nscd) expected behavior?  I do not see it 
mentioned anywhere in the Samba documentation.


Thanks for your help!

John
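Since the thread leaves open whether nscd is merely caching over an unreliable NSS lookup, a useful check is to cross-reference the users Samba could not resolve against what NSS actually returns on the BDC. The script below is an added example, not from this thread or from Samba: it parses the "getpwnam() fails" lines in the format shown above and compares them with getent passwd output. The log and getent samples are constructed; only the user ditas comes from the post.

```python
import re

# Constructed sample in the Samba 3.0 log format quoted in the post (not a capture).
SAMBA_LOG = """\
[2009/02/06 04:59:55, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for ditas
[2009/02/06 04:59:55, 1] auth/auth_util.c:make_server_info_sam(589)
  User ditas in passdb, but getpwnam() fails!
[2009/02/06 04:59:56, 1] auth/auth_util.c:make_server_info_sam(589)
  User jdoe in passdb, but getpwnam() fails!
[2009/02/06 04:59:57, 1] auth/auth_util.c:make_server_info_sam(589)
  User ditas in passdb, but getpwnam() fails!
"""

# Constructed `getent passwd` output: the NSS view on the BDC host at check time.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:513:Jane Doe:/home/jdoe:/bin/bash
"""

GETPWNAM_FAIL = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")

def users_failing_getpwnam(log_text):
    """Users Samba found in passdb but could not resolve via NSS, deduplicated,
    in order of first appearance."""
    seen = []
    for m in GETPWNAM_FAIL.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def nss_users(getent_text):
    """User names present in getent passwd output."""
    return {line.split(":", 1)[0] for line in getent_text.splitlines() if ":" in line}

def classify(log_text, getent_text):
    """Split failing users into those NSS still cannot see (an nss_ldap or
    nsswitch.conf problem to fix) and those it resolves now (lookups that
    fail intermittently, which an nscd cache would hide, as the post reports)."""
    failing = users_failing_getpwnam(log_text)
    visible = nss_users(getent_text)
    return {"still_missing": [u for u in failing if u not in visible],
            "now_resolvable": [u for u in failing if u in visible]}
```

On a live host the two samples would be replaced by the tail of log.smbd and the output of getent passwd.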


[Samba] Usrmgr.exe does not list all the domain users

2009-01-15 Thread John Du

Hi,

We are running samba 3.0.28 with Openldap 2.2.13 as a Windows PDC.  The 
OS is Red Hat RHEL5.


We also have some VMWare servers.  A VMWare management tool queries the
PDC for users.  For some reason, it cannot find some users even given
the complete uid.  To diagnose the problem, I ran the Windows NT domain
user manager, Usrmgr.exe.  It has the same problem as the VMWare tool.
It does not show those users the VMWare tool cannot find.


The users have no problem logging in to the domain and using the resources
in the domain.  Windows Explorer can see these users too.


I have googled around but have not found anything helpful. 


Thank you for your help.


John Du
