Re: [Samba] Samba, email, LDAP and password integration and management

2003-03-28 Thread rossp
I've finally got samba working with LDAP and keeping the password
attributes in LDAP synchronized no matter where the password change
comes from.  I think this is what you mean.  I intend to write a more
thorough howto for this sometime in the near future, but if you'd like
I could prolly get you up and running sooner.

Ross Patterson
Programmer/Analyst
831-459-2792
[EMAIL PROTECTED]
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Fri, 28 Mar 2003, Brian Johnson wrote:

> I set up a test server about a year ago to try this and gave up since it didn't seem
> that the processes were quite yet in place to do it ..
>
> I am evaluating the potential for Samba and Linux accounts (including postfix email
> accounts) to share the same passwords and have a process in place to encourage users
> to change their passwords and try to prevent easy to crack passwords
>
> Could someone please confirm whether they have such a system working and how
> difficult it was to set up?
>
> When I looked at it before, it seemed that although Samba could use LDAP, it used a
> different schema from the standard system accounts and therefore there was not
> really any sharing of password data
>
> If it matters, my server I'd like to do this on is a Redhat 7.3 system
>
> --
> Brian Johnson
>
> This is where my witty signature line would be if I bothered to edit this line :)
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>



[Samba] Re: LDAP Ctrl-Alt-Del Password Change

2003-03-07 Thread rossp
No one has anything to say about this?  Did I not give enough info?
Has anyone gotten Ctrl-Alt-Del password change working with LDAP?  If
so can I please see your smb.conf and pam.d files?  Thanks so much for
any help.  We've been running samba here for a few years and love it,
just in case it makes a difference.

Ross Patterson
Programmer/Analyst
831-459-2792
[EMAIL PROTECTED]
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Tue, 4 Mar 2003, [EMAIL PROTECTED] wrote:

> One fixed problem, one new problem.
>
> Okay, I fixed the pam_smbpass problem by upgrading to 2.2.7a.  So for
> anyone out there, pam_smbpass won't work with ldap (./configure
> --with-ldapsam) on 2.2.3a and will work with 2.2.7a.
>
> Now, onto the next problem, changing passwords by Ctrl-Alt-Del from a
> Windows XP Pro machine.
>
> Logging onto the samba server from a WinXP machine works just fine.
>
> If I try to Ctrl-Alt-Del Change Password... from a WinXP machine where
> the username or password of the currently logged in (WinXP) user is
> different from the username or password being used on the samba
> server, then the password change fails with "1727: the remote
> procedure call failed and did not execute".
>
> If I try it when the username and password of the currently logged in
> user is the same as the current username and password being used on
> the samba server, then the password change succeeds.
>
> From an strace, I verified what I suspected which is that it's only
> when samba falls back on the lanman password that authentication
> succeeds and the password change can go forward, which, of course,
> explains this behavior.
>
> I suppose it could be that pam is misconfigured on some auth component
> somewhere.  But the odd thing is that an strace of the samba daemons
> while simply connecting to a share shows pam.d files being consulted,
> while an strace of the daemons during a failed Ctrl-Alt-Del Change
> Password... session shows no pam.d files consulted.
>
> Can anyone help here?  Can anyone at least verify that they were able
> to do Ctrl-Alt-Del Change Password... against a samba/LDAP server?
>
> Thanks.
>
> Ross Patterson
> Programmer/Analyst
> 831-459-2792
> [EMAIL PROTECTED]
> 1156 High St, Barn G, PP&C
> Santa Cruz, CA 95064
>
> On Wed, 19 Feb 2003, [EMAIL PROTECTED] wrote:
>
> > On a Debian 3.0 system with user accounts stored in openldap, I have
> > unix and windows auth working just fine through ldap.  smbpasswd can
> > change the samba passwd attributes, and passwd can change the unix
> > password attributes.
> >
> > I'm trying to get pam_smbpass to work to keep everything in sync, but
> > it only says "Failed to find entry for user test0." which indicates to
> > me that it's looking in the smbpasswd file which has, of course,
> > nothing.  "ldd /lib/security/pam_smbpass.so" gives libpam and libldap
> > among other things.
> >
> > Can someone tell me if pam_smbpass is using the SAM DB API?  If
> > pam_smbpass is hardwired for the smbpasswd file, that would explain my
> > troubles.
> >
> > If it is using the SAM DB API, can anyone give me any direction?
> >
> > Ross Patterson
> > Programmer/Analyst
> > 831-459-2792
> > [EMAIL PROTECTED]
> > 1156 High St, Barn G, PP&C
> > Santa Cruz, CA 95064
> >
> >
>
>



[Samba] LDAP Ctrl-Alt-Del Password Change

2003-03-04 Thread rossp
One fixed problem, one new problem.

Okay, I fixed the pam_smbpass problem by upgrading to 2.2.7a.  So for
anyone out there, pam_smbpass won't work with ldap (./configure
--with-ldapsam) on 2.2.3a and will work with 2.2.7a.

Now, onto the next problem, changing passwords by Ctrl-Alt-Del from a
Windows XP Pro machine.

Logging onto the samba server from a WinXP machine works just fine.

If I try to Ctrl-Alt-Del Change Password... from a WinXP machine where
the username or password of the currently logged in (WinXP) user is
different from the username or password being used on the samba
server, then the password change fails with "1727: the remote
procedure call failed and did not execute".

If I try it when the username and password of the currently logged in
user is the same as the current username and password being used on
the samba server, then the password change succeeds.

From an strace, I verified what I suspected which is that it's only
when samba falls back on the lanman password that authentication
succeeds and the password change can go forward, which, of course,
explains this behavior.

I suppose it could be that pam is misconfigured on some auth component
somewhere.  But the odd thing is that an strace of the samba daemons
while simply connecting to a share shows pam.d files being consulted,
while an strace of the daemons during a failed Ctrl-Alt-Del Change
Password... session shows no pam.d files consulted.

Can anyone help here?  Can anyone at least verify that they were able
to do Ctrl-Alt-Del Change Password... against a samba/LDAP server?

Thanks.

Ross Patterson
Programmer/Analyst
831-459-2792
[EMAIL PROTECTED]
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Wed, 19 Feb 2003, [EMAIL PROTECTED] wrote:

> On a Debian 3.0 system with user accounts stored in openldap, I have
> unix and windows auth working just fine through ldap.  smbpasswd can
> change the samba passwd attributes, and passwd can change the unix
> password attributes.
>
> I'm trying to get pam_smbpass to work to keep everything in sync, but
> it only says "Failed to find entry for user test0." which indicates to
> me that it's looking in the smbpasswd file which has, of course,
> nothing.  "ldd /lib/security/pam_smbpass.so" gives libpam and libldap
> among other things.
>
> Can someone tell me if pam_smbpass is using the SAM DB API?  If
> pam_smbpass is hardwired for the smbpasswd file, that would explain my
> troubles.
>
> If it is using the SAM DB API, can anyone give me any direction?
>
> Ross Patterson
> Programmer/Analyst
> 831-459-2792
> [EMAIL PROTECTED]
> 1156 High St, Barn G, PP&C
> Santa Cruz, CA 95064
>
>



Re: [Samba] pam_smbpass and ldap

2003-02-20 Thread rossp
I upped the "log level" in my smb.conf just to see if that would give
me anything.  Even at log level = 10 the samba logs say nothing when I
do "passwd test0".  In my pam.d/passwd file I have one line for
testing, "password required pam_smbpass.so".  running "passwd test0"
looks like this:

  ppc-test:~# passwd test0
  Enter new SMB password:
  Retype new SMB password:
  Failed to find entry for user test0.

  passwd: Authentication token manipulation error

auth.log says:

Feb 20 17:58:00 ppc-test PAM_smbpass[513]: username [test0] obtained
Feb 20 17:58:00 ppc-test PAM_smbpass[513]: username [test0] obtained
Feb 20 17:58:03 ppc-test PAM_smbpass[513]: password change failed for user test0

and the samba logs with log level at 10 say nothing.

Do I need auth or other lines in pam.d/passwd?  If so, why, 'cause
Debian comes with only password lines in pam.d/passwd?  Straces show
pam.d/other being opened.  other is configured only with pam_unix.so
which goes through nss which is configured for LDAP.  Do I need
pam_smbpass.so in there?  If so, why?

I've been poring over straces, but I just can't figure it out.  I can
see it try to open /etc/passwd at one point.  I have straces of both
the successful "smbpasswd test0" call and the unsuccessful "passwd
test0" call.  I can e-mail cleaned up full straces, but until
requested, I'll just include the open() lines:

--- smbpasswd test0
open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/usr/lib/libldap.so.2", O_RDONLY) = 3
open("/usr/lib/liblber.so.2", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/usr/lib/libcups.so.2", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY)   = 3
open("/lib/libnsl.so.1", O_RDONLY)  = 3
open("/lib/libpam.so.0", O_RDONLY)  = 3
open("/lib/libc.so.6", O_RDONLY)= 3
open("/lib/libcrypt.so.1", O_RDONLY)= 3
open("/usr/lib/libsasl.so.7", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libssl.so.0.9.7", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.7", O_RDONLY) = 3
open("/lib/libdb2.so.2", O_RDONLY)  = 3
open("/etc/localtime", O_RDONLY)= 3
open("/etc/samba/smb.conf", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/samba/codepages/codepage.850", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/samba/codepages/unicode_map.850", O_RDONLY|O_LARGEFILE) = 3
open("/usr/share/samba/codepages/unicode_map.ISO8859-1", O_RDONLY|O_LARGEFILE) = 3
open("/var/lib/samba/secrets.tdb", O_RDWR|O_CREAT|O_LARGEFILE, 0600) = 3
open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
open("/etc/resolv.conf", O_RDONLY)  = 4
open("/etc/nsswitch.conf", O_RDONLY)= 4
open("/etc/ld.so.cache", O_RDONLY)  = 4
open("/lib/libnss_files.so.2", O_RDONLY) = 4
open("/etc/host.conf", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 4
open("/etc/ldap/ldap.conf", O_RDONLY|O_LARGEFILE) = 4
open("/root/ldaprc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/root/.ldaprc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("ldaprc", O_RDONLY|O_LARGEFILE)= -1 ENOENT (No such file or directory)
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open("/usr/lib/sasl", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/etc/hosts", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 4
open("/etc/ld.so.cache", O_RDONLY)  = 4
open("/lib/libnss_dns.so.2", O_RDONLY)  = 4
open("/etc/hosts", O_RDONLY)= 5
open("/etc/ld.so.cache", O_RDONLY)  = 5
open("/lib/libnss_ldap.so.2", O_RDONLY) = 5
open("/etc/libnss-ldap.conf", O_RDONLY) = 5
open("/etc/ldap.secret", O_RDONLY)  = 5
open("/etc/hosts", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 6
open("/etc/hosts", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 4
open("/etc/hosts", O_RDONLY)= 6

--- passwd test0
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib/libcrypt.so.1", O_RDONLY)= 3
open("/lib/libpam.so.0", O_RDONLY)  = 3
open("/lib/libpam_misc.so.0", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY)   = 3
open("/lib/libc.so.6", O_RDONLY)= 3
open("/var/run/utmp", O_RDWR)   = 3
open("/etc/nsswitch.conf", O_RDONLY)= 3
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib/libnss_ldap.so.2", O_RDONLY) = 3
open("/usr/lib/libldap.so.2", O_RDONLY) = 3
open("/usr/lib/liblber.so.2", O_RDONLY) = 3
open("/lib/libnsl.so.1", O_RDONLY)  = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/usr/lib/libsasl.so.7", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libssl.so.0.9.7", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.7", O_RDONLY) = 3
open("/lib/libdb2.so.2", O_RDONLY)  = 3
open("/etc/libnss-ldap.conf", O_RDONLY) = 3
open("/etc/ldap.secret", O_RD
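
Added example, not part of the original posts: the comparison of open() lines used in the messages above (smbpasswd vs. passwd, and share connect vs. Ctrl-Alt-Del change), done mechanically. The function names and both sample traces are constructed for illustration; they are not the poster's straces.

```python
import re

# strace open()/openat() call: captures path, return value, optional errno name.
OPEN_RE = re.compile(
    r'open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)",[^)]*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')

def opened_paths(trace_text):
    """Map each path in a strace log to 'ok' or the errno name of the failure."""
    # Mail clients wrap long strace lines, so collapse whitespace before matching.
    joined = re.sub(r"\s+", " ", trace_text)
    result = {}
    for path, ret, err in OPEN_RE.findall(joined):
        status = "ok" if int(ret) >= 0 else (err or "error")
        if result.get(path) != "ok":      # one successful open is enough
            result[path] = status
    return result

def only_in_working(working, failing, pattern=None):
    """Paths opened successfully in the working trace but not in the failing one."""
    ok_w = {p for p, s in opened_paths(working).items() if s == "ok"}
    ok_f = {p for p, s in opened_paths(failing).items() if s == "ok"}
    missing = ok_w - ok_f
    if pattern:                           # e.g. restrict to pam.d or smb.conf
        missing = {p for p in missing if re.search(pattern, p)}
    return sorted(missing)

# Constructed sample traces (hypothetical), including mail-wrapped lines.
WORKING = """
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/etc/samba/smb.conf", O_RDONLY|O_LARGEFILE) = 3
open("/var/lib/samba/secrets.tdb", O_RDWR|O_CREAT|O_LARGEFILE, 0600) =
3
open("/root/.ldaprc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file
or directory)
open("/etc/libnss-ldap.conf", O_RDONLY) = 5
"""
FAILING = """
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/etc/nsswitch.conf", O_RDONLY)= 3
open("/etc/libnss-ldap.conf", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY)= 4
"""

if __name__ == "__main__":
    for path in only_in_working(WORKING, FAILING):
        print("only in working trace:", path)
```

A file that appears only in the working trace is a lead on which configuration the failing path never consulted, not proof of the cause.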

[Samba] pam_smbpass and ldap

2003-02-19 Thread rossp
On a Debian 3.0 system with user accounts stored in openldap, I have
unix and windows auth working just fine through ldap.  smbpasswd can
change the samba passwd attributes, and passwd can change the unix
password attributes.

I'm trying to get pam_smbpass to work to keep everything in sync, but
it only says "Failed to find entry for user test0." which indicates to
me that it's looking in the smbpasswd file which has, of course,
nothing.  "ldd /lib/security/pam_smbpass.so" gives libpam and libldap
among other things.

Can someone tell me if pam_smbpass is using the SAM DB API?  If
pam_smbpass is hardwired for the smbpasswd file, that would explain my
troubles.

If it is using the SAM DB API, can anyone give me any direction?

Ross Patterson
Programmer/Analyst
831-459-2792
[EMAIL PROTECTED]
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064
