Re: [Samba] pdbedit password policy - not updating ldapsam
I think the problem is partly related to me having a wrong version of pdbedit. I need to update samba-client. Now I must see if I can find a source rpm that I can build and install on centos 4.3

    [EMAIL PROTECTED] lib]# pdbedit -V
    Version 3.0.10-1.4E.11
    [EMAIL PROTECTED] lib]# which pdbedit
    /usr/bin/pdbedit
    [EMAIL PROTECTED] lib]# yum list | grep samba
    Repository base is listed more than once in the configuration
    samba.i386                   3.0.24-1         installed
    samba-common.i386            3.0.10-1.4E.11   installed
    samba.i386                   3.0.10-1.4E.11   updates-released
    samba-client.i386            3.0.10-1.4E.11   updates-released
    samba-swat.i386              3.0.10-1.4E.11   updates-released
    system-config-samba.noarch   1.2.21-1         base

--
View this message in context: http://www.nabble.com/pdbedit-password-policy---not-updating-ldapsam-tf3239423.html#a9060254
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] pdbedit password policy - not updating ldapsam
For anyone who runs into similar problems in the future: I updated samba3 and samba3-client and it has solved the password lockout problem.

http://www.nabble.com/CentOS-samba-upgrade-tf3178510.html#a8820049

installed latest versions for centos 4.3 from http://ftp.sernet.de/pub/samba/rhel/rhel4-i386/

    [EMAIL PROTECTED] ~]# yum list | grep samba
    Repository base is listed more than once in the configuration
    samba3.i386                  3.0.24-30        installed
    samba3-client.i386           3.0.24-30        installed
    samba.i386                   3.0.10-1.4E.11   updates-released
    samba-client.i386            3.0.10-1.4E.11   updates-released
    samba-common.i386            3.0.10-1.4E.11   updates-released
    samba-swat.i386              3.0.10-1.4E.11   updates-released
    system-config-samba.noarch   1.2.21-1         base
Re: [Samba] pdbedit password policy - not updating ldapsam
I removed version 3.0.22 and installed 3.0.24 (I removed samba files from /etc/samba, /var/lib/samba, /var/cache/samba), but I'm afraid I'm still experiencing the same problem when I run

    pdbedit -y -i tdbsam -e ldapsam

    Found pdb backend guest
    pdb backend guest has a valid init
    called with username=(null)
    tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
    Unable to open/create TDB passwd
    Can't sampwent!

I manually updated the password policy settings in sambaDomain=BLAHDEV,dc=example,dc=org

    ldapmodify -x -D ... -W
    dn: sambaDomainName=BLAHDEV,dc=roke,dc=co,dc=uk
    changeType: modify
    sambaMinPwdAge: 0
    sambaMaxPwdAge: 2592000
    sambaPwdHistoryLength: 5
    sambaLockoutThreshold: 3
    sambaMinPwdLength: 8
    sambaLockoutDuration: -1

Samba doesn't appear to recognise these changes. How can I get samba to just look in the ldapsam and not worry about what's in other backends?

Any ideas on how to diagnose this problem would also be helpful.

    [global]
    workgroup = BLAHDEV
    netbios name = BLAHDEV-PDC
    security = user
    server string = Samba Server
    log level = 2
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 10
    time server = Yes
    logon home =
    logon path =
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    encrypt passwords = Yes
    # unix password sync = Yes
    passwd program = /usr/sbin/ldap_userPassword_change %u
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
    # Crackcheck settings to allow NT style password complexity checks
    check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
    passdb backend = ldapsam:ldap://ldap-1;
    ldap admin dn = cn=Manager,dc=example,dc=org
    ldap suffix = dc=example,dc=org
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    # idmap backend = ldap:ldap://ldap-1 ldap://ldap-2;
    idmap backend = ldap:ldap://ldap-1;
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
    delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w %u
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no

I'm running on centos 4.3. Is there a Linux file or PAM setting or something that I need to change to make this work?
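Added example, not part of the thread or of Samba: a way to see which store holds which password policy value, by comparing the values pdbedit reports from its local account policy database against the sambaDomain entry in LDAP. It assumes the debug line format quoted in the original post and `ldapsearch`-style LDIF; apart from `min password length`, the pdbedit policy names in the table are filled in here and do not appear in the thread.

```python
import re

# pdbedit -P policy name -> sambaDomain attribute that should carry the same value.
# Only "min password length" appears in the thread; the other names are added here.
POLICY_TO_ATTR = {
    "min password length": "sambaMinPwdLength",
    "password history": "sambaPwdHistoryLength",
    "maximum password age": "sambaMaxPwdAge",
    "minimum password age": "sambaMinPwdAge",
    "lockout duration": "sambaLockoutDuration",
    "reset count minutes": "sambaLockoutObservationWindow",
    "bad lockout attempt": "sambaLockoutThreshold",
}
POLICY_LINE = re.compile(r"account policy value for (.+?) (?:was|is now) (-?\d+)\s*$", re.M)

def u32(value):
    """Compare as unsigned 32-bit so -1 and 4294967295 count as the same setting."""
    return int(value) % 2**32

def parse_policy_log(text):
    """Return {policy name: value}; a later 'is now' line overrides an earlier 'was'."""
    return {m.group(1): u32(m.group(2)) for m in POLICY_LINE.finditer(text)}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    entry, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            entry[last][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            last, _, value = line.partition(":")
            entry.setdefault(last, []).append(value.strip())
    return entry

def policy_drift(tdb_policy, ldap_entry):
    """List (policy, attribute, tdb value, LDAP value) wherever the two stores disagree."""
    drift = []
    for name, value in sorted(tdb_policy.items()):
        attr = POLICY_TO_ATTR.get(name)
        if attr is None:
            continue  # unknown policy name: nothing to compare against
        values = ldap_entry.get(attr)
        ldap_value = u32(values[0]) if values else None  # None: attribute missing
        if ldap_value != u32(value):
            drift.append((name, attr, u32(value), ldap_value))
    return drift

# Sample input: the first two log lines and the LDIF values are taken from the
# original post; the "maximum password age" log line is constructed.
PDBEDIT_LOG = """\
account policy value for min password length was 7
account policy value for min password length is now 7
account policy value for maximum password age was 4294967295
"""
SAMBA_DOMAIN_LDIF = """\
dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaMinPwdLength: 5
sambaMaxPwdAge: -1
"""

if __name__ == "__main__":
    for row in policy_drift(parse_policy_log(PDBEDIT_LOG), parse_ldif_entry(SAMBA_DOMAIN_LDIF)):
        print("policy %r: tdb=%s, LDAP %s=%s" % (row[0], row[2], row[1], row[3]))
```

A non-empty result means the policy the server reads locally and the policy stored in the directory have diverged, which is the situation described in this thread.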
Re: [Samba] pdbedit password policy - not updating ldapsam
hi stefan,

> I think replication of password policies to ldap started with Samba

where did you find this information? couldn't find anything in the release notes...

micha

Stefan Schmitz wrote:
> Hi Jamurph,
>
> I think replication of password policies to ldap started with Samba 3.0.23d. Before this version you have to export them from the PDC to the LDAP-Server by
>
>     pdbedit -y -i tdbsam -e ldapsam
>
> and import them on all BDCs with
>
>     pdbedit -y -i ldapsam -e tdbsam
>
> Regards
> Stefan
[Samba] pdbedit password policy - not updating ldapsam
I have Samba and LDAP up and running, but I'm having problems editing the password policy using pdbedit. (I'm running 3.0.22)

I've had a look at the man page for pdbedit but I don't really fully understand what it does in relation to passwd backends. Does pdbedit update just one backend and expect a user to export the updates to other backends?

I think I've set up ldap as my default backend - but pdbedit doesn't update it. It looks like it's updating some other backend. I guess my smb.conf (attached) isn't configured correctly? How do I find out which one it's updating? I can also see a reference to pdbedit backend guest in the logs, but I don't understand why pdbedit is looking for this.

I tried the following command:

    pdbedit -P "min password length" -C 7 -d 10

This is a snippet of the logs:

    The LDAP server is succesfully connected
    pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
    Attempting to find an passdb backend to match guest (guest)
    Found pdb backend guest
    pdb backend guest has a valid init
    account_policy_get: min password length:7
    account policy value for min password length was 7
    account_policy_set: min password length:7
    account policy value for min password length is now 7

I'm guessing it's taking these values from /var/lib/samba/account_policy.tdb, it's not taking them from ldap - because it doesn't change sambaMinPwdLength

I can see a search happening in the ldap logs, but I don't see any updates - is this expected behaviour?

I believe I need to run the following command to update LDAP?

    pdbedit -y -i tdbsam -e ldapsam -d 10

However, when I do this, I get the following error message (more of log attached - but this is part I think is failing)

    Attempting to find an passdb backend to match guest (guest)
    Found pdb backend guest
    pdb backend guest has a valid init
    called with username=(null)
    tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
    Unable to open/create TDB passwd
    Can't sampwent!

When configuring Samba initially, I had some problems, so I followed some instructions and deleted the following

    rm /etc/samba/*tdb
    rm /var/lib/samba/*tdb
    rm /var/lib/samba/*dat
    rm /var/log/samba/*

as a result passdb.tdb is no longer, and didn't get re-created. Is there any way I can recreate this file? Is this the cause of my problems?

Any help much appreciated, I've attached more details in case they are needed

-- LDAP Entry

    dn: sambaDomainName=BLAHDEV,dc=example,dc=org
    sambaDomainName: BLAHDEV
    sambaMinPwdAge: 0
    objectClass: top
    objectClass: sambaDomain
    objectClass: sambaUnixIdPool
    sambaPwdHistoryLength: 0
    sambaNextGroupRid: 67109863
    uidNumber: 1005
    sambaLogonToChgPwd: 0
    sambaLockoutDuration: 30
    sambaMaxPwdAge: -1
    sambaForceLogoff: -1
    sambaLockoutThreshold: 0
    gidNumber: 1000
    sambaSID: S-1-5-21-317703500-4181503002-770181164
    sambaNextUserRid: 67109862
    sambaMinPwdLength: 5
    sambaRefuseMachinePwdChange: 0
    sambaAlgorithmicRidBase: 1000
    sambaLockoutObservationWindow: 30

SMB.CONF ---

    [global]
    workgroup = BLAHDEV
    netbios name = BLAHDEV-PDC
    security = user
    server string = Samba Server
    log level = 2
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 10
    time server = Yes
    logon home =
    logon path =
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    encrypt passwords = Yes
    # unix password sync = Yes
    passwd program = /usr/sbin/ldap_userPassword_change %u
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
    # Crackcheck settings to allow NT style password complexity checks
    check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
    passdb backend = ldapsam:ldap://ldap-1 ldap://ldap-2;
    ldap admin dn = cn=Manager,dc=example,dc=org
    ldap suffix = dc=dc=example,dc=org
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    idmap backend = ldap:ldap://ldap-1 ldap://ldap-2;
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
    delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w %u
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    winbind use default domain = no

FULL LOG FILE FOR PDBEDIT

    [EMAIL PROTECTED] samba]# pdbedit -y -i tdbsam -e ldapsam -d 10
    INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers:
Re: [Samba] pdbedit password policy - not updating ldapsam
Hi Jamurph,

I think replication of password policies to ldap started with Samba 3.0.23d. Before this version you have to export them from the PDC to the LDAP-Server by

    pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

    pdbedit -y -i ldapsam -e tdbsam

Regards
Stefan