Re: [Samba] Samba3 + smbldap-tools smbpasswd
On Thu, 2004-09-16 at 00:10, rruegner wrote:
> have you set time server = yes
> you should post your whole smb.conf

I should :)

[global]
    netbios name = TESTDOM-PDC
    workgroup = TESTDOM
    server string = TESTDOM Domain Controller
    wins support = yes
    time server = yes
    dns proxy = no
    name resolve order = lmhosts host wins bcast
    interfaces = 10.10.10.99
    domain master = yes
    domain logons = yes
    preferred master = yes
    local master = yes
    os level = 64
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    passdb backend = ldapsam:ldap://localhost
    obey pam restrictions = yes
    guest account = nobody
    invalid users = root
    load printers = yes
    printing = cups
    printcap name = cups
    printer admin = @ntadmin
    preserve case = yes
    short preserve case = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    ldap suffix = dc=testdom,dc=com
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    #ldap admin dn = cn=samba,ou=DSA,dc=testdom,dc=com
    ldap admin dn = cn=Manager,dc=testdom,dc=com
    ldap ssl = no
    ldap delete dn = no
    ldap passwd sync = Yes
    ldap ssl = start tls
    add user script = /usr/local/sbin/smbldap-useradd -m %u
    delete user script = /usr/local/sbin/smbldap-userdel %u
    add machine script = /usr/local/sbin/smbldap-useradd -w %u
    add group script = /usr/local/sbin/smbldap-groupadd -p %g
    delete group script = /usr/local/sbin/smbldap-groupdel %g
    add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = no
    writable = yes
    browsable = no
    share modes = no

[profiles]
    comment = User Profiles
    path = /home/samba/profiles
    read only = no
    create mode = 0600
    directory mode = 0700
    browseable = no
    guest ok = Yes
    profile acls = Yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    # (the group name contains a space, so it must be quoted or the list splits at the space)
    valid users = %U, @"Domain Admins"
    ; this stops w2k fucking up its logon
    veto oplock files = /prf*.tmp/

[printers]
    comment = All Printers
    browseable = yes
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700

--
Dan

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba3 + smbldap-tools smbpasswd - Figured out!
On Thu, 2004-09-16 at 12:46, rruegner wrote:
> > load printers = yes
> > printing = cups
> > printcap name = cups
> is there a group ntadmin in ldap? usually it is only in passwd
> > printer admin = @ntadmin

I haven't gotten round to doing anything with printing yet. I think that's the next challenge.

> see my parameters and compare

Well, I think I can actually spot something wrong with your config, while discovering mine was never broken to the degree I thought!

You have the -a (add samba attributes) and -P (invoke smbldap-passwd) switches to the adduser script, which seem unnecessary. The penny's dropped and I've realised the scripts are only for taking care of managing the posix account side of things - samba adds the samba attributes to the LDAP record, so -a is not needed. Indeed, adding it broke things for me as both script and samba try to add the same attributes. -P doesn't seem needed either. I can add accounts perfectly via usermgr.exe without these attributes.

I realised my sambaPwdMustChange value was being set two days ahead, because that's set by default in the policy config part of usermgr.exe! So, that was actually working fine, user error.

Samba *doesn't* need to run smbldap-passwd.pl for password changes at all. It will update the samba related attributes itself, AND update the userPassword (posix) field if you have ldap passwd sync = Yes set in smb.conf.

So, basically, it was all working fine to begin with. Gah!

> > ldap ssl = no
> makes no sense if you say ldap ssl no above
> > ldap ssl = start tls

Well, TLS is different to using old SSL as I understand it. TLS works over the usual port 389 while SSL is over 636. This much does work.

The 'net time' thing I mentioned before isn't a problem, I realised the wrong time was being plucked from a random windows box on the network, not the samba server :)

Hurrah for caffeine.

--
Dan
Re: [Samba] Samba3 + smbldap-tools smbpasswd - Figured out!
On Thu, 2004-09-16 at 15:52, rruegner wrote:
> uff, this was a long way
> good, you have figured it out
> regards

Yes, and thanks for your help! :)

--
Dan
[Samba] Samba3 + smbldap-tools smbpasswd
I've been fiddling lately with Samba 3 coupled with openldap, nss_ldap, pam_ldap and the smbldap-tools to create a PDC. Following various examples, most things work, but I have an issue with changing passwords from Windows.

If I manually change a password with smbldap-passwd, the script correctly adjusts the sambaPwdMustChange attribute according to what defaultMaxPasswordAge is set to. If I change the password through Windows, Samba presumably uses smbpasswd, because the sambaPwdMustChange attribute is then somehow set to only 2 days into the future. The same thing happens if I run smbpasswd manually.

As a simple hack I even tried symlinking /usr/bin/smbpasswd to /usr/local/sbin/smbldap-passwd, but samba *still* used its own mechanism, which always ends up in sambaPwdMustChange being just a couple of days ahead. Meaning of course, if users will ever change their own passwords, the ldap record will manually need fixing.

Is there a way I can get samba to use only the smbldap-passwd script or otherwise fix this so sambaPwdMustChange is set to defaultMaxPasswordAge from the smbldap-tools conf file, or at least something further ahead in the future than two days?

--
Dan
Re: [Samba] Samba3 + smbldap-tools smbpasswd
Hi Dan,

which version samba do you use? a microsoft patch broke password change before samba 3.04, so use the last samba version 3.07
maybe this is short answer

Regards

Dan Slatford schrieb:
> I've been fiddling lately with Samba 3 coupled with openldap, nss_ldap, pam_ldap and the smbldap-tools to create a PDC. Following various examples, most things work, but I have an issue with changing passwords from Windows.
>
> If I manually change a password with smbldap-passwd, the script correctly adjusts the sambaPwdMustChange attribute according to what defaultMaxPasswordAge is set to. If I change the password through Windows, Samba presumably uses smbpasswd, because the sambaPwdMustChange attribute is then somehow set to only 2 days into the future. The same thing happens if I run smbpasswd manually.
>
> As a simple hack I even tried symlinking /usr/bin/smbpasswd to /usr/local/sbin/smbldap-passwd, but samba *still* used its own mechanism, which always ends up in sambaPwdMustChange being just a couple of days ahead. Meaning of course, if users will ever change their own passwords, the ldap record will manually need fixing.
>
> Is there a way I can get samba to use only the smbldap-passwd script or otherwise fix this so sambaPwdMustChange is set to defaultMaxPasswordAge from the smbldap-tools conf file, or at least something further ahead in the future than two days?
Re: [Samba] Samba3 + smbldap-tools smbpasswd
On Wed, 2004-09-15 at 14:44, rruegner wrote:
> Hi Dan,
> which version samba do you use? a microsoft patch broke password change before samba 3.04, so use the last samba version 3.07
> maybe this is short answer

Hmm, I'm using 3.0.6-3 in Debian Sarge. I could try massaging in 3.0.7 from Sid just to try, although I hoped not to have to do this, being the renowned 'stable' Debian :)

When changing passwords through Windows with an ldap backend, how does samba know what the sambaPwdMustChange value should be set to? I don't know if this value comes from windows somewhere, smb.conf or is hard-coded someplace.

I've noticed something else odd too. Hardware clock and system time are correct on the Samba server, yet if I have a look at 'net time', the output is almost three days in the past! How the heck?

wulfen:~# date
Wed Sep 15 14:57:41 BST 2004
wulfen:~# net time
Sun Sep 12 21:59:07 2004

--
Dan
Re: [Samba] Samba3 + smbldap-tools smbpasswd
Hi Dan,

passwd program = /usr/local/sbin/smbldap-passwd.pl %u

should do the job (password change). i am not sure if sambaPwdMustChange works, but if it does it works only with ldap; this value can be changed by usrmgr, which writes to the ldap attribute in the directory.

Regards

Dan Slatford schrieb:
> On Wed, 2004-09-15 at 14:44, rruegner wrote:
> > Hi Dan,
> > which version samba do you use? a microsoft patch broke password change before samba 3.04, so use the last samba version 3.07
> > maybe this is short answer
>
> Hmm, I'm using 3.0.6-3 in Debian Sarge. I could try massaging in 3.0.7 from Sid just to try, although I hoped not to have to do this, being the renowned 'stable' Debian :)
>
> When changing passwords through Windows with an ldap backend, how does samba know what the sambaPwdMustChange value should be set to? I don't know if this value comes from windows somewhere, smb.conf or is hard-coded someplace.
>
> I've noticed something else odd too. Hardware clock and system time are correct on the Samba server, yet if I have a look at 'net time', the output is almost three days in the past! How the heck?
>
> wulfen:~# date
> Wed Sep 15 14:57:41 BST 2004
> wulfen:~# net time
> Sun Sep 12 21:59:07 2004
Re: [Samba] Samba3 + smbldap-tools smbpasswd
On Wed, 2004-09-15 at 15:14, rruegner wrote:
> Hi Dan,
> passwd program = /usr/local/sbin/smbldap-passwd.pl %u
> should do the job (password change)

Ahh. This is what I thought, so tried that too. However, it seems 'passwd program' is only for changing the unix password, not the windows passwords. It has no effect if 'unix password sync' is disabled, which I'm not using since 'ldap passwd sync = Yes' does the same thing with ldap.

If I enable unix password sync along with your suggestion, I can't change passwords at all then. Windows moans that "You do not have permission to change your password." I don't know why; samba calls the smbldap-passwd script as root just fine, yet the password isn't updated. If I run it manually in just the same way it works! I presume it has something to do with samba also trying to change the windows passwords in ldap its own way in addition to the script it runs. Anyway, it seems 'passwd program' wasn't intended to be used in this way, but for changing unix passwords only.

> i am not sure if sambaPwdMustChange works, but if it does it works only with ldap; this value can be changed by usrmgr, which writes to the ldap attribute in the directory.

This gets interesting too. If I set the password to not expire, I see the X appear in that user's record:

sambaAcctFlags: [UX ]

Yet Windows (XP SP2) still prompts for a password change in one day when I log in. If I set the account expiration date in usermgr.exe then sambaPwdMustChange is not updated. (But I don't know if that's supposed to work). It all seems so horribly broken :(

--
Dan
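An added example, not from this thread, of auditing an LDIF export of sambaSamAccount entries for the symptom Dan describes in the original post and above: sambaPwdMustChange landing only a couple of days after sambaPwdLastSet instead of the defaultMaxPasswordAge from smbldap.conf, while accounts whose sambaAcctFlags carry X (password never expires) are skipped. The entries, uids and timestamps below are constructed sample data.

```python
SECONDS_PER_DAY = 86400  # sambaPwdLastSet / sambaPwdMustChange are Unix epoch seconds

# Constructed sample export; not real accounts. alice expires 2 days after her
# last change, bob has the X flag set, carol matches a 45-day policy exactly.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=testdom,dc=com
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1095252000
sambaPwdMustChange: 1095424800

dn: uid=bob,ou=Users,dc=testdom,dc=com
uid: bob
sambaAcctFlags: [UX         ]
sambaPwdLastSet: 1095252000
sambaPwdMustChange: 1095424800

dn: uid=carol,ou=Users,dc=testdom,dc=com
uid: carol
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1095252000
sambaPwdMustChange: 1099140000
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, single-valued attributes only."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    return entries


def audit_pwd_must_change(entries, max_age_days):
    """Return (uid, days_until_forced_change) for accounts expiring sooner than policy."""
    short = []
    for e in entries:
        # Skip entries with no expiry data and accounts flagged X (never expires).
        if "sambaPwdLastSet" not in e or "sambaPwdMustChange" not in e \
                or "X" in e.get("sambaAcctFlags", ""):
            continue
        days = (int(e["sambaPwdMustChange"]) - int(e["sambaPwdLastSet"])) // SECONDS_PER_DAY
        if days < max_age_days:
            short.append((e["uid"], days))
    return short
```

Run it against a real export with the defaultMaxPasswordAge value from your smbldap.conf, e.g. audit_pwd_must_change(parse_ldif(open("users.ldif").read()), 45).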
Re: [Samba] Samba3 + smbldap-tools smbpasswd
On Wed, 2004-09-15 at 16:26, rruegner wrote:
> I sometimes noticed in former versions of samba 3 that usrmgr must be started from a win machine which is in the domain, but for sure it has to be run as a user account in role of Domain Admin to have permission to change anything
> Regards

All of which I'm doing. Most things it changes fine, if a bit quirky (such as needing to be refreshed after making changes to see them).

In short my situation is this:

* users can't change their ldap stored passwords without manual intervention to prevent them from being prompted for another change within two days
* passwords can't be made unchangeable despite the X bit appearing in the ldap record
* password expiration can't be set from user manager
* 'net time' is three days slower than system clock

Dan
Re: [Samba] Samba3 + smbldap-tools smbpasswd
Hi Dan,

all i can say, it works for me

net time will be the time of the server, so which is the time of the server?

did you really use samba schema from 3.07, cause it was broken in 3.06

password expiration i dont use so i cant talk bout that

Regards

Dan Slatford schrieb:
> On Wed, 2004-09-15 at 16:26, rruegner wrote:
> > I sometimes noticed in former versions of samba 3 that usrmgr must be started from a win machine which is in the domain, but for sure it has to be run as a user account in role of Domain Admin to have permission to change anything
> > Regards
>
> All of which I'm doing. Most things it changes fine, if a bit quirky (such as needing to be refreshed after making changes to see them).
>
> In short my situation is this:
>
> * users can't change their ldap stored passwords without manual intervention to prevent them from being prompted for another change within two days
> * passwords can't be made unchangeable despite the X bit appearing in the ldap record
> * password expiration can't be set from user manager
> * 'net time' is three days slower than system clock
>
> Dan
Re: [Samba] Samba3 + smbldap-tools smbpasswd
On Wed, 2004-09-15 at 17:24, rruegner wrote:
> Hi Dan,
> all i can say, it works for me

*sigh* Yeah, samba seems to bring new meaning to 'YMMV' :(

> net time will be the time of the server, so which is the time of the server?

The two differing times I quoted earlier are both from the same server. Hence I'm confused: why is samba time ('net time' on the samba server) three days or so slower than the server's system clock? I can't figure out anything about the server that might cause that.

> did you really use samba schema from 3.07, cause it was broken in 3.06

I used this: http://us3.samba.org/samba/ftp/samba.schema

Which I believed was the corrected schema for 3.0.6 according to the front page of samba.org

--
Dan