Re: [Samba] ldap passwd sync not working [solved]
Jerome Tournier wrote:
> I tried on CentOS release 4.6 (Final)
> samba-3.0.25b-1.el4_6.4
> openldap-servers-2.2.13-8.el4_6.2
> smbldap-tools-0.9.5-pre4
> (but changing password works with latest packages)
>
>> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
>> openldap 2.3.38. Not using PAM.

You kind of helped me. Looking at the openldap version (2.2) I remembered that I had ldap passwd sync working with this version of LDAP. So I looked for what has changed between the 2.2 and 2.3 versions of OpenLDAP. I found password policy, which seems to be mandatory for this whole thing to work with earlier versions of Samba.

So, I (re)compiled openldap-server with ppolicy support and inserted these two lines in my slapd.conf:

    include /path/to/schema/ppolicy.schema
    overlay ppolicy

Thanks to everyone who tried helping.

-- 
Fabiano Caixeta Duarte
Computer Network Specialist
Linux User #195299
Ribeirão Preto - SP

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ldap passwd sync not working
hi Fabiano, hi Edmundo,

the second problem here ("user has no permission") when using an external passwd program sounds familiar to me:

>> Sure enough smbldap-passwd works. I have tried this once ldap passwd
>> sync was not working. Though, there are two problems: 1) it's too slow
>> and 2) it shows a message to the user telling he has no permissions to
>> change password. So it's confusing. I don't feel comfortable using such

At least on Solaris this "You do not have permissions to change your password" behaviour is a known problem. See Bug-ID 5121 for details and a patch for Samba 3.0.28.

https://bugzilla.samba.org/show_bug.cgi?id=5121

kind regards,
Reinhard

-- 
Reinhard Sojka <[EMAIL PROTECTED]>
Parlamentsdirektion A1.5 - EDV / System- & Networkadmin
A-1017 Wien - Parlament
Tel. +43 1 40110 2824
Fax +43 1 40110 2848
http://www.parlament.gv.at
Re: [Samba] ldap passwd sync not working
On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
> I assume that your ldap sync passwd is enough (like I wanted to) because
> smb.conf tells us that passwd chat is not used if unix password sync is set
> to no.
>
> passwd chat (G)
> Note that this parameter is only used if the unix password sync
> parameter is set to yes.

You must effectively be right. I'll try this evening to be sure.

> and it sort of worked. Both samba and unix passwords were changed, but
> users get a message telling they don't have permission to change passwords.
> In addition, it takes too long from when the user tries the operation until
> the system responds.

Isn't it related to the workstation? Have you tried with another one? Do you have any information in the Samba log?
Have you tried 'access to * by * write' in slapd.conf (I don't think it comes from here as passwords are changed, but maybe users don't have write access to attributes such as shadowLastChange)?

> Could you post (or send me in PVT) your smb.conf. I think this will help a
> lot. Please inform either the version of OS, samba and openldap.

I tried on CentOS release 4.6 (Final)
samba-3.0.25b-1.el4_6.4
openldap-servers-2.2.13-8.el4_6.2
smbldap-tools-0.9.5-pre4
(but changing password works with latest packages)

> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
> openldap 2.3.38. Not using PAM.

Don't think PAM matters here.

My smb.conf:

# Global parameters
[global]
workgroup = DOMSMB
netbios name = PDC-SRV
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
unix password sync = No
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
#passwd chat debug = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=company,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
template shell = /bin/false
winbind use default domain = no

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

-- 
Jerome Tournier
GPG key ID (pgp.mit.edu): 75FE0A51
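An added example, not code from the thread, Samba or IDEALX: a small lint that reads an smb.conf and checks the password-sync parameters against the rules quoted in this thread (passwd program and passwd chat are dead settings unless unix password sync = yes; with an ldapsam backend, ldap passwd sync = yes alone keeps userPassword in step, and enabling both paths is redundant). The sample configs are trimmed from the ones posted in the thread; the parser, rule wording and function names are my own.

```python
"""Lint the password-sync parameters of a Samba 3 smb.conf.

Added example (not from the thread, Samba or IDEALX). Rules encoded:
  - 'passwd program' / 'passwd chat' are only used when 'unix password sync = yes'
    (man smb.conf, quoted in the thread);
  - with an ldapsam backend, 'ldap passwd sync = yes' alone updates userPassword
    (IDEALX FAQ 6.8: one or the other, not both).
"""
import re


def _norm(key):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def lint_password_sync(text):
    """Return a list of findings; an empty list means the sync settings are consistent."""
    g = parse_smb_conf(text).get("global", {})
    ldapsam = g.get("passdbbackend", "").lower().startswith("ldapsam")
    unix_sync = _is_yes(g.get("unixpasswordsync"))
    ldap_sync = g.get("ldappasswdsync", "no").strip().lower()  # yes / no / only
    external = [k for k in ("passwdprogram", "passwdchat") if k in g]
    findings = []
    if external and not unix_sync:
        findings.append("unused: %s set but 'unix password sync' is not yes"
                        % ", ".join(external))
    if ldapsam and ldap_sync not in ("yes", "only") and not unix_sync:
        findings.append("unsynced: ldapsam without 'ldap passwd sync = yes'; Samba "
                        "rewrites sambaNTPassword/sambaLMPassword but not userPassword")
    if ldapsam and ldap_sync == "yes" and unix_sync:
        findings.append("redundant: 'ldap passwd sync' and 'unix password sync' both "
                        "update userPassword; IDEALX says one or the other")
    if not ldapsam and ldap_sync != "no":
        findings.append("no effect: 'ldap passwd sync' only applies to an ldapsam backend")
    return findings


# Sample inputs trimmed from the configs posted in the thread (Jerome's working
# PDC, Fabiano's first attempt) plus the combination Fabiano tried afterwards.
JEROME_CONF = r"""
# Global parameters
[global]
workgroup = DOMSMB
security = user
unix password sync = No
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=company,dc=com

[netlogon]
path = /home/netlogon/
"""

FABIANO_CONF = """\
[global]
passdb backend = ldapsam:ldap://apolo.domain
ldap suffix = dc=domain
ldap passwd sync = yes
"""

FABIANO_BOTH_CONF = FABIANO_CONF + """\
unix password sync = yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
"""

if __name__ == "__main__":
    for name, conf in (("jerome", JEROME_CONF), ("fabiano", FABIANO_CONF),
                       ("fabiano-both", FABIANO_BOTH_CONF)):
        print(name, lint_password_sync(conf) or "ok")
```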
Re: [Samba] ldap passwd sync not working
On Thu, Feb 14, 2008 at 09:33:49AM +0100, Jerome Tournier wrote:
> On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
> Have you tried 'access to * by * write' in slapd.conf (I don't think it comes
> from here as passwords are changed, but maybe users don't have write access
> to attributes such as shadowLastChange)?

Oops, users don't need to have write access to shadowLastChange as it is run as root. But maybe you can try.

-- 
Jérôme
Re: [Samba] ldap passwd sync not working
Jerome Tournier wrote:
> On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
>> Hi, there!
>> When my XP users try to change passwords, they get a message saying that
>> password has been changed. That's not true!
>
> I can confirm that the following configuration works for me:
>
>     unix password sync = No
>     ldap passwd sync = Yes
>     passwd program = /usr/sbin/smbldap-passwd -u %u
>     passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

I assume that your ldap sync passwd is enough (like I wanted to) because smb.conf tells us that passwd chat is not used if unix password sync is set to no.

    passwd chat (G)
    Note that this parameter is only used if the unix password sync
    parameter is set to yes.

So, as I told Edmundo in my last post, I tried using

    unix password sync = yes
    passwd program = /usr/local/sbin/smbldap-passwd -u %u
    passwd chat = "Changing UNIX password for %u"*New*password:* %n\n "*Retype new password:*" %n\n

and it sort of worked. Both samba and unix passwords were changed, but users get a message telling they don't have permission to change passwords. In addition, it takes too long from when the user tries the operation until the system responds.

Could you post (or send me in PVT) your smb.conf. I think this will help a lot. Please inform either the version of OS, samba and openldap.

I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and openldap 2.3.38. Not using PAM.

-- 
Fabiano Caixeta Duarte
Computer Network Specialist
Linux User #195299
Ribeirão Preto - SP
Re: [Samba] ldap passwd sync not working
(...)

> Sure enough smbldap-passwd works. I have tried this once ldap passwd sync
> was not working.

How?

> Though, there are two problems: 1) it's too slow and 2) it shows a message
> to the user telling he has no permissions to change password.

Where? How?

> So it's confusing. I don't feel comfortable using such a thing.
> Actually, I was hoping for some answer from whom has ldap passwd sync
> working.

Mine is. It doesn't need anything else.

> Hints on how to debug and so on.

One was suggested: try smbldap-passwd -u from the command line and inside samba and see if it works. If it works alone there's a possibility that your samba config has a problem; if it doesn't work even outside samba, it doesn't have anything to do with samba, as it runs alone; it's a simple perl script that binds to ldap directly. If you conclude that the problem is with samba you can start to raise the log level; if it's not, that's useless and maybe you should look at your ldap acls.

So, it depends. I didn't understand what works and what doesn't and in which situation now.

> Thanks again!

Edmundo Valle Neto
Re: [Samba] ldap passwd sync not working
On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
> Hi, there!
> When my XP users try to change passwords, they get a message saying that
> password has been changed. That's not true!

I can confirm that the following configuration works for me:

    unix password sync = No
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

If you have not set the last directive, you should: 'smbldap-passwd' does not prompt you the same way as 'passwd', for example. You should also be careful not to add spaces or other characters.

-- 
Jerome Tournier
GPG key ID (pgp.mit.edu): 75FE0A51
Re: [Samba] ldap passwd sync not working
Edmundo Valle Neto wrote:
> Fabiano Caixeta Duarte wrote:
>>> Fabiano Caixeta Duarte wrote:
>>>> Hi, there!
>>>> When my XP users try to change passwords, they get a message saying that
>>>> password has been changed. That's not true!
>>>> NT and LM passwords are changed but unixPassword isn't. Look at these
>>>> openldap.log lines:
>>>>
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
>>>>
>>>> See? My smb.conf has these ldap related options:
>>>>
>>>> passdb backend = ldapsam:ldap://apolo.domain
>>>> idmap backend = ldapsam:ldap://apolo.domain
>>>> ldap suffix = dc=domain
>>>> ldap admin dn = cn=root,dc=domain
>>>> ldap ssl = start_tls
>>>> ldap group suffix = ou=Groups
>>>> ldap user suffix = ou=Users
>>>> ldap machine suffix = ou=Computers
>>>> ldap idmap suffix = ou=Users
>>>> ldap passwd sync = yes
>>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>>> ldap delete dn = Yes
>>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>
>>> The question may not be related to LDAP since your domain passwords are
>>> changed. You should be looking at why the Unix password isn't being
>>> changed.
>>> - Are you using LDAP for Unix authentication?
>>> - Can you change the Unix password using passwd?
>>> - Is your password chat in smb.conf correct for your system?
>>
>> AFAIK when using ldapsam, we must use ldap attributes for storing unix
>> information. So passwd won't work.
>
> passwd works partially. passwd uses PAM, and PAM can access LDAP but it
> only knows about posix attributes.
>
>> If so, we cannot use "passwd chat", "passwd program", "unix password sync",
>> etc. Instead, we have to use "ldap passwd sync".
>
> Well, you can, but yes, ldap passwd sync does the same thing without the
> need to configure anything, so it works but it just doesn't make sense to
> configure both. The idealx documentation explains that:
> http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108
>
>     6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
>     is not called, or I got an error message when changing the password
>     from windows
>
>     The directive is called if you also set unix password sync = Yes.
>     Notes:
>     * if you use OpenLDAP, none of those two options are needed. You just
>       need ldap passwd sync = Yes.
>     * the script called here must only update the userPassword attribute.
>       This is the reason of the -u option. Samba passwords will be updated
>       by samba itself.
>     * the passwd chat directive must match what is prompted when using the
>       smbldap-passwd command
>
> So..., just -u to change only userPassword and a working passwd chat :)
>
> And in:
>
>     8.1.3 The samba configuration file : /etc/samba/smb.conf
>     #unix password sync = Yes
>     #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
>     #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
>     ldap passwd sync = Yes
>
> One OR another. But both approaches work.
>
>> Am I wrong?
>
> Yes.
>
>> And yes, I'm also using unix authentication for some services.
>> I assume that I missed something in smb.conf because samba doesn't ask for
>> modification of the unixPassword ldap attribute as shown in openldap.log
>
> That's funny, I cannot point to anything missing in your smb.conf; ldap
> passwd sync should work alone. But you can try smbldap-passwd as shown in
> the three lines above. Make sure it works at the command line first.
>
>> Thanks for your attention.
>
> Regards.
>
> Edmundo Valle Neto

Sure enough smbldap-passwd works. I have tried this once ldap passwd sync was not working. Though, there are two problems: 1) it's too slow and 2) it shows a message to the user telling he has no permissions to change password. So it's confusing. I don't feel comfortable using such a thing.

Actually, I was hoping for some answer from whom has ldap passwd sync working. Hints on how to debug and so on.

Thanks again!

-- 
Fabiano Caixeta Duarte
Computer Network Specialist
Linux User #195299
Ribeirão Preto - SP
Re: [Samba] ldap passwd sync not working
Fabiano Caixeta Duarte wrote:
>> Fabiano Caixeta Duarte wrote:
>>> Hi, there!
>>> When my XP users try to change passwords, they get a message saying that
>>> password has been changed. That's not true!
>>> NT and LM passwords are changed but unixPassword isn't. Look at these
>>> openldap.log lines:
>>>
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
>>>
>>> See? My smb.conf has these ldap related options:
>>>
>>> passdb backend = ldapsam:ldap://apolo.domain
>>> idmap backend = ldapsam:ldap://apolo.domain
>>> ldap suffix = dc=domain
>>> ldap admin dn = cn=root,dc=domain
>>> ldap ssl = start_tls
>>> ldap group suffix = ou=Groups
>>> ldap user suffix = ou=Users
>>> ldap machine suffix = ou=Computers
>>> ldap idmap suffix = ou=Users
>>> ldap passwd sync = yes
>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> ldap delete dn = Yes
>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>
>> The question may not be related to LDAP since your domain passwords are
>> changed. You should be looking at why the Unix password isn't being
>> changed.
>> - Are you using LDAP for Unix authentication?
>> - Can you change the Unix password using passwd?
>> - Is your password chat in smb.conf correct for your system?
>
> AFAIK when using ldapsam, we must use ldap attributes for storing unix
> information. So passwd won't work.

passwd works partially. passwd uses PAM, and PAM can access LDAP but it only knows about posix attributes.

> If so, we cannot use "passwd chat", "passwd program", "unix password sync",
> etc. Instead, we have to use "ldap passwd sync".

Well, you can, but yes, ldap passwd sync does the same thing without the need to configure anything, so it works but it just doesn't make sense to configure both. The idealx documentation explains that:
http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

    6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
    is not called, or I got an error message when changing the password
    from windows

    The directive is called if you also set unix password sync = Yes.
    Notes:
    * if you use OpenLDAP, none of those two options are needed. You just
      need ldap passwd sync = Yes.
    * the script called here must only update the userPassword attribute.
      This is the reason of the -u option. Samba passwords will be updated
      by samba itself.
    * the passwd chat directive must match what is prompted when using the
      smbldap-passwd command

So..., just -u to change only userPassword and a working passwd chat :)

And in:

    8.1.3 The samba configuration file : /etc/samba/smb.conf
    #unix password sync = Yes
    #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    ldap passwd sync = Yes

One OR another. But both approaches work.

> Am I wrong?

Yes.

> And yes, I'm also using unix authentication for some services.
> I assume that I missed something in smb.conf because samba doesn't ask for
> modification of the unixPassword ldap attribute as shown in openldap.log

That's funny, I cannot point to anything missing in your smb.conf; ldap passwd sync should work alone. But you can try smbldap-passwd as shown in the three lines above. Make sure it works at the command line first.

> Thanks for your attention.

Regards.

Edmundo Valle Neto
Re: [Samba] ldap passwd sync not working
> Fabiano Caixeta Duarte wrote:
>> Hi, there!
>> When my XP users try to change passwords, they get a message saying that
>> password has been changed. That's not true!
>> NT and LM passwords are changed but unixPassword isn't. Look at these
>> openldap.log lines:
>>
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
>>
>> See? My smb.conf has these ldap related options:
>>
>> passdb backend = ldapsam:ldap://apolo.domain
>> idmap backend = ldapsam:ldap://apolo.domain
>> ldap suffix = dc=domain
>> ldap admin dn = cn=root,dc=domain
>> ldap ssl = start_tls
>> ldap group suffix = ou=Groups
>> ldap user suffix = ou=Users
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Users
>> ldap passwd sync = yes
>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>> ldap delete dn = Yes
>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>
> The question may not be related to LDAP since your domain passwords are
> changed. You should be looking at why the Unix password isn't being
> changed.
> - Are you using LDAP for Unix authentication?
> - Can you change the Unix password using passwd?
> - Is your password chat in smb.conf correct for your system?

AFAIK when using ldapsam, we must use ldap attributes for storing unix information. So passwd won't work. If so, we cannot use "passwd chat", "passwd program", "unix password sync", etc. Instead, we have to use "ldap passwd sync". Am I wrong?

And yes, I'm also using unix authentication for some services.

I assume that I missed something in smb.conf because samba doesn't ask for modification of the unixPassword ldap attribute as shown in openldap.log.

Thanks for your attention.

-- 
Fabiano Caixeta Duarte
Computer Network Specialist
Linux User #195299
Ribeirão Preto - SP
Re: [Samba] ldap passwd sync not working
The question may not be related to LDAP since your domain passwords are changed. You should be looking at why the Unix password isn't being changed.
- Are you using LDAP for Unix authentication?
- Can you change the Unix password using passwd?
- Is your password chat in smb.conf correct for your system?

Fabiano Caixeta Duarte wrote:
> Hi, there!
> When my XP users try to change passwords, they get a message saying that
> password has been changed. That's not true!
> NT and LM passwords are changed but unixPassword isn't. Look at these
> openldap.log lines:
>
> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
>
> See? My smb.conf has these ldap related options:
>
> passdb backend = ldapsam:ldap://apolo.domain
> idmap backend = ldapsam:ldap://apolo.domain
> ldap suffix = dc=domain
> ldap admin dn = cn=root,dc=domain
> ldap ssl = start_tls
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap passwd sync = yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
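The openldap.log excerpt above is the evidence the whole thread turns on: the MOD for uid=teste rewrites sambaLMPassword, sambaNTPassword and sambaPwdLastSet but never userPassword. An added example (not from the thread or from Samba/OpenLDAP) that checks slapd stats-log lines for exactly that pattern, pairing each "MOD dn=" line with its "MOD attr=" line by conn/op. The first two sample lines are the ones posted above; the remaining lines (a RESULT line and a second, correctly synced change for a constructed user "maria") are constructed for the example.

```python
"""Find Samba password changes in slapd logs that left userPassword untouched.

Added example, not code from the thread, Samba or OpenLDAP. It reads the
'conn=N op=M MOD dn=...' and 'conn=N op=M MOD attr=...' lines that slapd
writes at loglevel stats, joins them per (conn, op), and reports MOD operations
that rewrote the Samba NT/LM hashes without also modifying userPassword.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
SAMBA_HASH_ATTRS = {"sambantpassword", "sambalmpassword"}


def parse_mod_ops(lines):
    """Return {(conn, op): {"dn": str, "attrs": set of lower-cased names}} for MODs."""
    ops = defaultdict(lambda: {"dn": None, "attrs": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key, rest = (m.group("conn"), m.group("op")), m.group("rest")
        dn = re.match(r'MOD dn="(?P<dn>[^"]*)"', rest)
        if dn:
            ops[key]["dn"] = dn.group("dn")
            continue
        attrs = re.match(r"MOD attr=(?P<attrs>.*)$", rest)
        if attrs:
            # slapd names an attribute once per modification (delete + add),
            # so each appears twice in the posted log; the set collapses that.
            ops[key]["attrs"].update(a.lower() for a in attrs.group("attrs").split())
    return {k: v for k, v in ops.items() if v["dn"] is not None}


def unsynced_password_changes(lines):
    """DNs whose Samba hashes were modified while userPassword was left alone."""
    hits = []
    for key in sorted(parse_mod_ops(lines)):
        info = parse_mod_ops(lines)[key]
        if info["attrs"] & SAMBA_HASH_ATTRS and "userpassword" not in info["attrs"]:
            hits.append(info["dn"])
    return hits


# Lines 1-2 are from the thread; lines 3-6 are constructed for this example.
SAMPLE_LOG = """\
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 RESULT tag=103 err=0 text=
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 MOD dn="uid=maria,ou=Users,dc=domain"
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 MOD attr=userPassword sambaLMPassword sambaNTPassword sambaPwdLastSet
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 RESULT tag=103 err=0 text=
"""

if __name__ == "__main__":
    for dn in unsynced_password_changes(SAMPLE_LOG.splitlines()):
        print("Samba hashes changed without userPassword:", dn)
```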
Re: [Samba] 'ldap passwd sync' not working
On Tuesday 08 February 2005 02:07, Tony Earnshaw wrote:
> I have no gripes with the official Samba docs as included in the Red Hat
> 3.0.9 Samba srpm. Either the Terpstra docs or Jerry Carter's O'Reilly
> book. They are very clear, accurate and to the point; much trouble has

Thank you for clarifying this. It removes all doubt.

> been taken in compiling them, the English is perfect and there are no
> spelling mistakes.

Oops. I would not say that. Most spelling mistakes have now been fixed, but I am convinced there are still a few lurking in the books waiting to be found and then squashed.

> I *do* have a problem with Samba (v.3) PDC LDAP howto by Ignacio Coupeau
> of CTI, University of Navarra. I've no idea where I got it from in the
> first place; it isn't included with the Red Hat release. It is
> diametrically the opposite to what I've just written about the official
> Samba docs. I shall refer to it as "Navarra" in what follows.

Ignacio's HOWTO preceded the Official Samba documentation during the days of Samba-2. Many of us owe a debt of gratitude to him for his work. The fact that it is out of date is not denied. It takes much effort to keep documentation current, particularly when the underlying project changes rapidly - as Samba-3 has done over the past few months.

> I've constantly referred to this document in what I wrote, not to the
> official Samba docs..

We need to get the message out more clearly that the Samba-HOWTO-Collection (the book "The Official Samba-3 HOWTO and Reference Guide") is designed to document specific capabilities of Samba with general examples of how to use them. The Samba-Guide (the book "Samba-3 by Example") was designed to demonstrate how to use the capabilities of Samba within a comprehensively documented networking environment. They serve entirely differing purposes: one explains particular features of Samba with minimal reference to deployment context, the other provides a detailed example of usage within a typical context.

The Samba Team encourages the development of Unofficial HOWTOs because we are limited in our exposure and experience and need to capture the experience of others. That is the key reason behind my constant request for updates and contributions to the documentation. Jelmer, Jerry, and I do our best to update and expand the official documentation - often drawing from unofficial HOWTO sources. As much as we can, we validate the information we provide, and we try to keep it current.

Criticism of documentation is a good thing! Contribution to it is even better!

> Unfortunately the official Samba docs do not cover ldapsam in any depth;
> as a complete newbie, one can obviously not judge the worth of any doc
> until one has followed that doc and attempted to put its content into
> practice.

Bearing in mind the intended nature of the HOWTO and the Guide, you have touched on an area you can materially contribute to in order to improve the documentation. Please consider providing updated notes/documentation for inclusion in these resources.

> Best, and thanks for taking what I wrote seriously :)

Your help and input are appreciated. Please keep up the feedback - and documentation patches or contributions. :)

Cheers,
John T.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Re: [Samba] 'ldap passwd sync' not working
John H Terpstra:

>>> The Samba-HOWTO-Collection is literally intended to be correct and
>>> capable of being followed literally! Please document what sucks and
>>> help us to improve our documentation. I encourage you to file a bug
>>> report with details of what needs to be fixed. You can file a bug
>>> report on https://bugzilla.samba.org
>>
>> On the basis of what the Samba team has done over the years, its
>> availability and quality, it would be my bounden duty to do so.
>>
>> However, this would mean a complete rewrite, producing a parallel doc
>> that omitted all reference to Samba V2 (with which I'm not familiar)
>
> What in goodness name are you referring to? The current Samba-3 HOWTO
> Collection is NOT written around Samba-2. The Samba-3 by Example book
> (Samba-Guide on the Samba Web Site) is entirely based on Samba-3. I must
> be missing something very seriously and must be completely confused.
> Please help me to understand your point.

I have no gripes with the official Samba docs as included in the Red Hat 3.0.9 Samba srpm. Either the Terpstra docs or Jerry Carter's O'Reilly book. They are very clear, accurate and to the point; much trouble has been taken in compiling them, the English is perfect and there are no spelling mistakes.

I *do* have a problem with Samba (v.3) PDC LDAP howto by Ignacio Coupeau of CTI, University of Navarra. I've no idea where I got it from in the first place; it isn't included with the Red Hat release. It is diametrically the opposite to what I've just written about the official Samba docs. I shall refer to it as "Navarra" in what follows.

I've constantly referred to this document in what I wrote, not to the official Samba docs.

Unfortunately the official Samba docs do not cover ldapsam in any depth; as a complete newbie, one can obviously not judge the worth of any doc until one has followed that doc and attempted to put its content into practice.

> If the documentation is as bad as you say it is we should withdraw it at
> once and not release it again until it is fixed.
> What are others opinions of this situation? Should we withdraw it at
> once?

You can't withdraw something you don't publish and for which you aren't responsible.

>> My basic point of criticism (I started with Samba 3.0.7, Openldap
>> V2.2.20) after following the "HOWTO", finding out that it crippled my
>> system and
>
> If the documentation is causing people to suffer crippled systems please
> accept my fullest apologies. That is really bad. Is this a generic
> problem? Have others suffered the same crippling because of misleading and
> bad documentation? Wow! This blows my mind!

I've been a Novell NDS (eDirectory) and Openldap person for years. I know Openldap pretty well, use it for enterprise-size production and can trouble-shoot it effectively. Navarra dictates that I possess that propensity; following Navarra blindly will inevitably lead to crippled systems.

>> asking myself how Samba/LDAP should be configured. For all of what
>> follows I used GQ 1.0.b1 (jump from www.biot.com), since it gives a
>> graphical representation of the DSA, drag'n drop is possible, making
>> experimenting a breeze, shows *all* mandatory and optional attributes in
>> different colors and gives sensible error reports when you do something
>> wrong:
>
> OK. Please give me wording to add to the documentation - or to replace
> bad and misleading sections of the existing documentation. All
> contributions will be gladly received.

I've already pointed out what didn't work and how to correct it. Since you aren't responsible for it, you can't do much about it.

>> 1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain
>> Guests" or "Domain Users" should be set up. cns with spaces in are not
>> liked by Openldap 2.2 and Samba makes a hash of them; furthermore Linux
>> doesn't like them. Anyway, these groups are NT groups and not Posix
>> groups and are defined in the *record* for the group, as defined in the
>> displayName attribute. Instead, under ou=smb, define 3 Posix groups
>> domadm, domguest and domuser. Give them regular, unique gidNumbers. For
>> domadm, set attribute displayName to Domain Admins, for domguest set
>> displayName to Domain Guests and domuser set displayName to Domain
>> Users. Make each group an objectClass member of sambaGroupMapping. Get
>> your local SID using 'net getlocalsid'. Give each group its SID as
>> defined in the regular Samba HOWTO.
>
> Is this really necessary? Why? How does this advice affect the greater
> picture?

I don't understand the question. It's important to use the correct local SID and use system RIDs, as defined in the official Samba docs.

> Have you discussed this advice with Idealx? I am sure they would love to
> hear from you. My intent so far as documentation goes is to document what
> works and how it works. I am not out to write a full LDAP management
> system. Idealx are working on that - as are others.

I've not discusse
Re: [Samba] 'ldap passwd sync' not working
Adam Tauno Williams:

[...]

>> Oh yes - regular (existing or new) Posix group users can be anywhere in
>> your DSA,
>
> I think you mean "anywhere in your Dit"; "anywhere in your DSA" doesn't
> make much sense,

Yep.

>> in any group (though it makes sense to put computer trusts under
>> ou=smb).
>
> I think you mean "in any container".

Nope, Posix group - though it can also be a container, I guess. However, leaves in that "container" may have other primary groups than that of the "container" itself - in which Openldap is more flexible than, f.ex. Novell's eDirectory.

> And you're wrong, they need to be below the search base used by NSS for
> the appropriate object type - groups, person, etc... You can only put
> them anywhere if you are using the root of the Dit as your search base
> which is generally inadvisable for a number of reasons.

I can only tell you what works for me (remember I wrote that I hate the word HOWTO and all it implies). What I meant was, that users don't have to be in the smb tree/hierarchy - they may be in any hierarchy in the DIT.

>> Simply run smbpasswd or pdbedit (can be done from a script) on each one
>> to add them to the domain. Personally I don't use the IDEALX scripts, I
>> write my own awk and shell scripts.
>
> Same, we've written .NET (Mono) 'scripts' for doing this.

--Tonni

-- 
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
Re: [Samba] 'ldap passwd sync' not working
On Monday 07 February 2005 03:43, Tony Earnshaw wrote:
> John H Terpstra:
>
> [...]
>
>> The Samba-HOWTO-Collection is literally intended to be correct and capable of being followed literally! Please document what sucks and help us to improve our documentation. I encourage you to file a bug report with details of what needs to be fixed. You can file a bug report on https://bugzilla.samba.org
>
> On the basis of what the Samba team has done over the years, its availability and quality, it would be my bounden duty to do so.
>
> However, this would mean a complete rewrite, producing a parallel doc that omitted all reference to Samba V2 (with which I'm not familiar)

What in goodness' name are you referring to? The current Samba-3 HOWTO Collection is NOT written around Samba-2. The Samba-3 by Example book (Samba-Guide on the Samba Web Site) is entirely based on Samba-3. I must be missing something very seriously and must be completely confused. Please help me to understand your point.

If the documentation is as bad as you say it is we should withdraw it at once and not release it again until it is fixed. What are others' opinions of this situation? Should we withdraw it at once?

> My basic point of criticism (I started with Samba 3.0.7, Openldap V2.2.20) after following the "HOWTO", finding out that it crippled my system and

If the documentation is causing people to suffer crippled systems please accept my fullest apologies. That is really bad. Is this a generic problem? Have others suffered the same crippling because of misleading and bad documentation? Wow! This blows my mind!

> asking myself how Samba/LDAP should be configured. For all of what follows I used GQ 1.0.b1 (jump from www.biot.com), since it gives a graphical representation of the DSA, drag'n drop is possible, making experimenting a breeze, shows *all* mandatory and optional attributes in different colors and gives sensible error reports when you do something wrong:

OK. Please give me wording to add to the documentation - or to replace bad and misleading sections of the existing documentation. All contributions will be gladly received.

> 1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain Guests" or "Domain Users" should be set up. cns with spaces in are not liked by Openldap 2.2 and Samba makes a hash of them; furthermore Linux doesn't like them. Anyway, these groups are NT groups and not Posix groups and are defined in the *record* for the group, as defined in the displayName attribute. Instead, under ou=smb, define 3 Posix groups domadm, domguest and domuser. Give them regular, unique gidNumbers. For domadm, set attribute displayName to Domain Admins, for domguest set displayName to Domain Guests and domuser set displayName to Domain Users. Make each group an objectClass member of sambaGroupMapping. Get your local SID using 'net getlocalsid'. Give each group its SID as defined in the regular Samba HOWTO.

Is this really necessary? Why? How does this advice affect the greater picture?

Have you discussed this advice with Idealx? I am sure they would love to hear from you. My intent so far as documentation goes is to document what works and how it works. I am not out to write a full LDAP management system. Idealx are working on that - as are others.

> Into domadm, put cn=Administrator and cn=root as described in the "HOWTO".

Do not use both Administrator and 'root' - the current advice is to use only 'root' or 'Administrator' as the Windows and UNIX local admin account. Having both will result in ambiguous names that will break the ability to administer Samba. I.e.: if both Administrator and root have UID=0 (so both are UNIX admins) then Samba will not be able to resolve who is the real UID=0 owner.

> objectClasses top, person, organizationalPerson, inetOrgPerson, posixAccount and sambaSamAccount, Administrator can have any uidNumber (I use a Red Hat "system" number, 16) and his gidNumber will be that of domadm. root has to have uidNumber=0 and domadm's gidNumber. Administrator's sambaSID is localsid+calculated RID as in the Samba HOWTO docs, sambaPrimaryGroupSID=localsid+512; root's sambaSID=localsid+502, primary group SID=localsid+512.

Whatever you call the Windows domain administrator account, it must have the correct RID=500. If it has anything else it will NOT be the domain administrator on the Windows client. For the domain administrator on the Windows client to have UNIX admin rights the POSIX account must have UID=0. Translation from UID->SID, from SID->login_name, from login_name->UID, etc. must be unambiguous. New to Samba-3.0.11, it is now possible to assign some administrative rights to users who are not administrator on either platform - but that is not at issue here.

> When following the Navarra "HOWTO", 'net groupmap list' didn't work at all, nor could I do a 'net rpc join'; that was what started me experi
Re: [Samba] "ldap passwd sync" not working
On Saturday 05 February 2005 02:17 pm, Alexander Zubkov wrote:
> In debug mode smbpasswd say this:
> samba 3.0.11
> ...
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap password change requested, but LDAP server does not support it -- ignoring
> ldapsam_update_sam_account: successfully modified uid = test in the LDAP database
>
> Why samba-3.0.6 can sync password and samba-3.0.11 say that my LDAP server does not support it? Any ideas?
>
> Alexander Zubkov

I am guessing that Samba is using a different criteria/mechanism to change the passwords now. Perhaps it has to do with increasing support for non-openLDAP implementations.

One thing I noticed is that your rootDSE is not readable. The rootDSE contains information about your LDAP server that some applications (such as addressbooks that need to automatically determine the baseDN) need. Info about the rootDSE can be found at http://www.techgalaxy.net/Docs/Dev/LDAPv3 RootDSE Overview.htm.

For OpenLDAP you need an ACL like this:

access to attrs=namingcontexts by anonymous read

(or lock it down by IP range or some other way to make it more secure)

Correcting your LDAP config to include the above may keep Samba from being confused -- just a thought.

Misty
Re: [Samba] 'ldap passwd sync' not working
>> Hope this helps someone, it cost me enough pain before it worked properly for me.
>
> Oh yes - regular (existing or new) Posix group users can be anywhere in your DSA,

I think you mean "anywhere in your Dit"; "anywhere in your DSA" doesn't make much sense,

> in any group (though it makes sense to put computer trusts under ou=smb).

I think you mean "in any container". And you're wrong, they need to be below the search base used by NSS for the appropriate object type - groups, person, etc... You can only put them anywhere if you are using the root of the Dit as your search base which is generally inadvisable for a number of reasons.

> Simply run smbpasswd or pdbedit (can be done from a script) on each one to add them to the domain. Personally I don't use the IDEALX scripts, I write my own awk and shell scripts.

Same, we've written .NET (Mono) 'scripts' for doing this.
Re: [Samba] 'ldap passwd sync' not working
John H Terpstra:

[...]

> The Samba-HOWTO-Collection is literally intended to be correct and capable of being followed literally! Please document what sucks and help us to improve our documentation. I encourage you to file a bug report with details of what needs to be fixed. You can file a bug report on https://bugzilla.samba.org

On the basis of what the Samba team has done over the years, its availability and quality, it would be my bounden duty to do so.

However, this would mean a complete rewrite, producing a parallel doc that omitted all reference to Samba V2 (with which I'm not familiar)

My basic point of criticism (I started with Samba 3.0.7, Openldap V2.2.20) after following the "HOWTO", finding out that it crippled my system and asking myself how Samba/LDAP should be configured. For all of what follows I used GQ 1.0.b1 (jump from www.biot.com), since it gives a graphical representation of the DSA, drag'n drop is possible, making experimenting a breeze, shows *all* mandatory and optional attributes in different colors and gives sensible error reports when you do something wrong:

1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain Guests" or "Domain Users" should be set up. cns with spaces in are not liked by Openldap 2.2 and Samba makes a hash of them; furthermore Linux doesn't like them. Anyway, these groups are NT groups and not Posix groups and are defined in the *record* for the group, as defined in the displayName attribute. Instead, under ou=smb, define 3 Posix groups domadm, domguest and domuser. Give them regular, unique gidNumbers. For domadm, set attribute displayName to Domain Admins, for domguest set displayName to Domain Guests and domuser set displayName to Domain Users. Make each group an objectClass member of sambaGroupMapping. Get your local SID using 'net getlocalsid'. Give each group its SID as defined in the regular Samba HOWTO.

Into domadm, put cn=Administrator and cn=root as described in the "HOWTO". objectClasses top, person, organizationalPerson, inetOrgPerson, posixAccount and sambaSamAccount, Administrator can have any uidNumber (I use a Red Hat "system" number, 16) and his gidNumber will be that of domadm. root has to have uidNumber=0 and domadm's gidNumber. Administrator's sambaSID is localsid+calculated RID as in the Samba HOWTO docs, sambaPrimaryGroupSID=localsid+512; root's sambaSID=localsid+502, primary group SID=localsid+512.

When following the Navarra "HOWTO", 'net groupmap list' didn't work at all, nor could I do a 'net rpc join'; that was what started me experimenting. Now it works as it should and I can do a 'net rpc join'.

Hope this helps someone, it cost me enough pain before it worked properly for me.

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
Re: [Samba] 'ldap passwd sync' not working
Tony Earnshaw:

[...]

> Hope this helps someone, it cost me enough pain before it worked properly for me.

Oh yes - regular (existing or new) Posix group users can be anywhere in your DSA, in any group (though it makes sense to put computer trusts under ou=smb). Simply run smbpasswd or pdbedit (can be done from a script) on each one to add them to the domain. Personally I don't use the IDEALX scripts, I write my own awk and shell scripts.

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
Re: [Samba] 'ldap passwd sync' not working
On Sunday 06 February 2005 09:55, Tony Earnshaw wrote:
> Adam Tauno Williams:
>
> [...]
>
>> My guess: the behaviour of 3.0.11 is more correct, and something is clearly wrong with your DSA - the client cannot read the rootDSE. Possibly you've got an ACL doing something you don't intend; it doesn't look like a Samba problem. The rootDSE is used to determine features supported by the DSA, including the password-modify extended operation.
>
> Me too. I've just (couple of weeks) been playing with and implementing Samba (3.0.7 and 3.0.9). High school has to integrate a Windows 2000/collection into an already established Linux network, on the basis of OL 2.2.17.
>
> What's surprised me, is the utter correlation between what happens and the Samba crew documentation. However, the only LDAP documentation that I've found is the CTI, University of Navarra stuff, and whilst helpful, this is directly misleading in many cases and following it blindly can lead to misconfigured systems (in general, most HOWTOs suck, if one follows them literally).

The Samba-HOWTO-Collection is literally intended to be correct and capable of being followed literally! Please document what sucks and help us to improve our documentation. I encourage you to file a bug report with details of what needs to be fixed. You can file a bug report on https://bugzilla.samba.org

- John T.

> In fact, the ldapsam backend is phantastik; if correctly configured it can do nothing wrong and the pdbedit (always use rather than smbpasswd) is an eye-opener.
>
> Bottom line is, that to run the ldapsam backend with Samba, one has to be an (open)LDAP guru, long before one tries to run ldapsam. To which extent kalamazoo helped me, as I've told you before, no end. Keep posting the links to the unwashed ;)
>
> --Tonni
>
> --
> mail: [EMAIL PROTECTED]
> http://www.billy.demon.nl

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] 'ldap passwd sync' not working
Adam Tauno Williams:

[...]

> My guess: the behaviour of 3.0.11 is more correct, and something is clearly wrong with your DSA - the client cannot read the rootDSE. Possibly you've got an ACL doing something you don't intend; it doesn't look like a Samba problem. The rootDSE is used to determine features supported by the DSA, including the password-modify extended operation.

Me too. I've just (couple of weeks) been playing with and implementing Samba (3.0.7 and 3.0.9). High school has to integrate a Windows 2000/collection into an already established Linux network, on the basis of OL 2.2.17.

What's surprised me is the utter correlation between what happens and the Samba crew documentation. However, the only LDAP documentation that I've found is the CTI, University of Navarra stuff, and whilst helpful, this is directly misleading in many cases and following it blindly can lead to misconfigured systems (in general, most HOWTOs suck, if one follows them literally).

In fact, the ldapsam backend is phantastik; if correctly configured it can do nothing wrong and the pdbedit (always use rather than smbpasswd) is an eye-opener.

Bottom line is, that to run the ldapsam backend with Samba, one has to be an (open)LDAP guru, long before one tries to run ldapsam. To which extent kalamazoo helped me, as I've told you before, no end. Keep posting the links to the unwashed ;)

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
Re: [Samba] "ldap passwd sync" not working - SOLVED
Hi,

On Sat, Feb 05, 2005 at 11:33:39PM +0300, Alexander Zubkov wrote:
> Yeah! I did it, thanks all who helped.
> Searching for "rootDSE" in Internet showed that it is exported by LDAP server as other data (in common words) so access controls are applied to it too. And my hands ( lame ;) ) wrote at the end of slapd.conf:
>
> access dn=".*,dc=domain,dc=my" by * read
>
> But rootDSE, of course, is not a subtree of this! And LDAP, honestly, denied access to it. So the solution was:
>
> access to * by * read

It is much better to set

access to dn.base="" by * read

to avoid opening a potential security gap. The above ACL only allows world-read access to the root-dse and not to all other non-matched content of your entire DIT.

Thanks,
Guenther

--
Guenther Deschner
Samba Team
SerNet GmbH - Goettingen
[EMAIL PROTECTED],org
[EMAIL PROTECTED]
Re: [Samba] "ldap passwd sync" not working
Hi,

On Sat, Feb 05, 2005 at 03:09:42PM -0500, Adam Tauno Williams wrote:
>> You want to say that samba asks LDAP of its possibilities, it returns nothing and samba think that it can not do nothing. Am I right?
>
> Seems to be the case, from very cursory inspection.
>
> Really an issue with the DSA, it should properly report its capabilities.

Absolutely correct. According to http://www.faqs.org/rfcs/rfc2251.html LDAP v3 Servers MUST have a Root-DSE. The same document says that:

-8<--snip--8<--
3.4. Server-specific Data Requirements

An LDAP server MUST provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE (DSA-Specific Entry), which is named with the zero-length LDAPDN. These attributes are retrievable if a client performs a base object search of the root with filter "(objectClass=*)", however they are subject to access control restrictions.
->8--snap-->8--

In this sense, anonymous searches for the Root-DSE may be prevented (although this is really rarely seen, e.g. ADS allows anonymous root-dse queries).

So in the end, we better point out the fact that at least the "ldap admin dn" in smb.conf should be allowed to read the Root-DSE for proper ldapsam-operation including password change.

Guenther

--
Guenther Deschner
Samba Team
SerNet GmbH - Goettingen
[EMAIL PROTECTED],org
[EMAIL PROTECTED]
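The base-object search the RFC excerpt describes, and the "does the DSA advertise password modify?" check Adam refers to earlier in the thread, are easy to see on the wire. The following is an added example written for this archive page; it is not code from the thread, from Samba or from OpenLDAP. It encodes the rootDSE SearchRequest by hand (empty base DN, scope baseObject, filter (objectClass=*), asking for supportedExtension and namingContexts) with nothing but the Python standard library, then decodes the server's SearchResultEntry and reports whether the Password Modify extended operation OID 1.3.6.1.4.1.4203.1.11.1 (RFC 3062) is listed. The two "server replies" are constructed inside the block rather than captured from a real server, and nothing is sent to a socket; a denied rootDSE simply comes back as a SearchResultDone with no entry, which is the "Expected one rootDSE, got 0" situation from the smbpasswd log.

```python
"""Stdlib-only encoder/decoder for an LDAPv3 rootDSE probe (added example, no network I/O)."""

PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended operation
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"          # RFC 2830 StartTLS, used only as a second sample value


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _octets(s: str, tag: int = 0x04) -> bytes:
    return _tlv(tag, s.encode())


def _int(n: int, tag: int = 0x02) -> bytes:
    if not 0 <= n < 128:          # one-byte integers are all this probe needs
        raise ValueError("integer out of modelled range")
    return _tlv(tag, bytes([n]))


def build_rootdse_request(msg_id: int = 1,
                          attrs=("supportedExtension", "namingContexts")) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the rootDSE (RFC 2251 section 3.4)."""
    search = (
        _octets("")                      # baseObject: the zero-length DN names the rootDSE
        + _int(0, 0x0A)                  # scope: baseObject
        + _int(0, 0x0A)                  # derefAliases: neverDerefAliases
        + _int(0)                        # sizeLimit: none
        + _int(0)                        # timeLimit: none
        + _tlv(0x01, b"\x00")            # typesOnly: FALSE
        + _octets("objectClass", 0x87)   # filter: present [7] "objectClass", i.e. (objectClass=*)
        + _tlv(0x30, b"".join(_octets(a) for a in attrs))
    )
    return _tlv(0x30, _int(msg_id) + _tlv(0x63, search))   # 0x63 = [APPLICATION 3] SearchRequest


def _parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_seq(value: bytes):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _parse_tlv(value, pos)
        yield tag, inner


def rootdse_attributes(response: bytes) -> dict:
    """Attributes from any SearchResultEntry (0x64) in the reply; {} when only a Done (0x65) came back."""
    attrs: dict = {}
    pos = 0
    while pos < len(response):
        _, msg, pos = _parse_tlv(response, pos)
        op_tag, op = list(_parse_seq(msg))[1]          # [0] is the messageID, [1] the protocolOp
        if op_tag != 0x64:
            continue                                   # SearchResultDone, or something else: no entry
        _, partial_attrs = list(_parse_seq(op))[1]     # [0] objectName, [1] PartialAttributeList
        for _, attr in _parse_seq(partial_attrs):
            (_, name), (_, vals) = list(_parse_seq(attr))
            attrs.setdefault(name.decode(), []).extend(v.decode() for _, v in _parse_seq(vals))
    return attrs


def supports_password_modify(response: bytes) -> bool:
    return PASSWORD_MODIFY_OID in rootdse_attributes(response).get("supportedExtension", [])


def build_result_entry(msg_id: int, attrs: dict) -> bytes:
    """Encode a SearchResultEntry for the rootDSE; used here only to construct sample replies."""
    partial = b"".join(
        _tlv(0x30, _octets(name) + _tlv(0x31, b"".join(_octets(v) for v in vals)))
        for name, vals in attrs.items())
    return _tlv(0x30, _int(msg_id) + _tlv(0x64, _octets("") + _tlv(0x30, partial)))


def build_result_done(msg_id: int, result_code: int = 0) -> bytes:
    """Encode a SearchResultDone carrying an LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    return _tlv(0x30, _int(msg_id) + _tlv(0x65, _int(result_code, 0x0A) + _octets("") + _octets("")))


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    readable = build_result_entry(1, {"supportedExtension": [PASSWORD_MODIFY_OID, STARTTLS_OID],
                                      "namingContexts": ["dc=domain,dc=my"]}) + build_result_done(1)
    hidden = build_result_done(1)   # an ACL that does not cover dn.base="" yields no entry at all
    print("request bytes:", build_rootdse_request(1).hex())
    print("rootDSE readable, password modify advertised:", supports_password_modify(readable))
    print("rootDSE hidden by ACL, password modify advertised:", supports_password_modify(hidden))
```

The request is 75 bytes and starts 30 49 02 01 01 63 44: an LDAPMessage of 73 content bytes, message id 1, then a 68-byte SearchRequest whose first element is the empty base DN. Anything that reads the rootDSE on a live server (ldapsearch -x -s base -b "" supportedExtension, for instance) produces the same search; what matters for the thread is that the entry comes back at all, which the ACL decides.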
Re: [Samba] "ldap passwd sync" not working - SOLVED
> Seems to be the case, from very cursory inspection.
>
> Really an issue with the DSA, it should properly report its capabilities.

Yeah! I did it, thanks all who helped.

Searching for "rootDSE" in Internet showed that it is exported by LDAP server as other data (in common words) so access controls are applied to it too. And my hands ( lame ;) ) wrote at the end of slapd.conf:

access dn=".*,dc=domain,dc=my" by * read

But rootDSE, of course, is not a subtree of this! And LDAP, honestly, denied access to it. So the solution was:

access to * by * read

Thanks all again!

Alexander Zubkov
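Alexander's original access line, the access to * fix he settled on, and the dn.base="" rule Guenther suggests in his reply (further up this page) treat three kinds of DN differently, and the difference is the whole security point. The block below is an added example for this archive page, not code from the thread or from OpenLDAP: a deliberately small Python model of how slapd chooses an ACL. The model assumes what the thread's outcome shows: the first access directive whose target matches the entry decides, the first applicable by clause inside it sets the level, and when directives exist but none matches the DN the answer is deny. It treats dn="..." without a style as a regex (the form the thread's pattern is) and matches it unanchored; only *, dn=, dn.base= and dn.subtree= targets and *-or-literal subjects are modelled, and the DNs are constructed for the example.

```python
import re

# Simplified model of slapd ACL evaluation (added example): 'access [to] <what> by <who> <level>'
# with <what> one of *, dn="regex", dn.regex=, dn.base=, dn.subtree=. Everything else is out of scope.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ACCESS_RE = re.compile(
    r'access\s+(?:to\s+)?'
    r'(?P<what>\*|dn(?:\.(?P<style>base|subtree|regex))?="(?P<pattern>[^"]*)")'
    r'(?P<by>(?:\s+by\s+\S+\s+\S+)+)\s*$')
BY_RE = re.compile(r'by\s+(\S+)\s+(\S+)')


def parse_acls(conf: str) -> list:
    """Turn the access lines of a slapd.conf fragment into ordered directive records."""
    acls = []
    for line in conf.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            acls.append({"what": m.group("what"), "style": m.group("style"),
                         "pattern": m.group("pattern"), "by": BY_RE.findall(m.group("by"))})
    return acls


def what_matches(acl: dict, dn: str) -> bool:
    """Does this directive's target cover the entry named by dn? The rootDSE is dn == ''."""
    if acl["what"] == "*":
        return True
    style, pattern = acl["style"], acl["pattern"]
    if style == "base":          # exactly one entry; dn.base="" is precisely the rootDSE
        return dn.lower() == pattern.lower()
    if style == "subtree":       # the base entry and everything beneath it
        return pattern == "" or dn.lower() == pattern.lower() or dn.lower().endswith("," + pattern.lower())
    # dn= without a style is taken as dn.regex= here (assumption; consistent with the thread's
    # pattern) and is searched unanchored, so ".*,dc=domain,dc=my" can never match the empty DN.
    return re.search(pattern, dn) is not None


def effective_level(acls: list, dn: str, who: str = "anonymous") -> str:
    """First directive whose target matches decides; inside it, the first applicable 'by' wins.
    A matching directive with no applicable 'by', or no matching directive at all, means deny."""
    for acl in acls:
        if not what_matches(acl, dn):
            continue
        for by_who, level in acl["by"]:
            if by_who in ("*", who):
                return level
        return "none"
    return "none"


def can_read(acls: list, dn: str, who: str = "anonymous") -> bool:
    return LEVELS.index(effective_level(acls, dn, who)) >= LEVELS.index("read")


# Constructed DNs: the rootDSE, the user from the smbpasswd log, and an entry outside the suffix.
ROOTDSE = ""
USER = "cn=test,ou=People,dc=domain,dc=my"
FOREIGN = "cn=other,dc=elsewhere,dc=org"

ORIGINAL = 'access dn=".*,dc=domain,dc=my" by * read'        # the line from the thread
BROAD_FIX = 'access to * by * read'                           # works, but exposes every entry
NARROW_FIX = ('access to dn.base="" by * read\n'              # Guenther's rule: the rootDSE only...
              'access dn=".*,dc=domain,dc=my" by * read')     # ...followed by the original one


def report(conf: str) -> dict:
    """Anonymous read result for each of the three DNs under the given slapd.conf fragment."""
    acls = parse_acls(conf)
    return {dn: can_read(acls, dn) for dn in (ROOTDSE, USER, FOREIGN)}


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("broad fix", BROAD_FIX), ("narrow fix", NARROW_FIX)):
        print(f"{name:10s}", report(conf))
```

Run as a script it shows the three outcomes side by side: the original rule leaves the rootDSE unreadable (so Samba's rootDSE check finds nothing), access to * makes the rootDSE readable but also every entry outside dc=domain,dc=my, and dn.base="" placed before the original rule opens only the one entry Samba needs while the foreign entry stays denied. Directive order matters in the narrow variant: the model, like slapd, stops at the first target match.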
Re: [Samba] "ldap passwd sync" not working
>> My guess: the behaviour of 3.0.11 is more correct, and something is clearly wrong with your DSA - the client cannot read the rootDSE. Possibly you've got an ACL doing something you don't intend; it doesn't look like a Samba problem. The rootDSE is used to determine features supported by the DSA, including the password-modify extended operation.
>
> You want to say that samba asks LDAP of its possibilities, it returns nothing and samba think that it can not do nothing. Am I right?

Seems to be the case, from very cursory inspection.

Really an issue with the DSA, it should properly report its capabilities.
Re: [Samba] "ldap passwd sync" not working
> My guess: the behaviour of 3.0.11 is more correct, and something is clearly wrong with your DSA - the client cannot read the rootDSE. Possibly you've got an ACL doing something you don't intend; it doesn't look like a Samba problem. The rootDSE is used to determine features supported by the DSA, including the password-modify extended operation.

You want to say that samba asks LDAP of its possibilities, it returns nothing and samba think that it can not do nothing. Am I right?

Alexander Zubkov
Re: [Samba] "ldap passwd sync" not working
> samba 3.0.11
> [EMAIL PROTECTED] samba]# smbpasswd -D 3 test
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
> smbldap_open_connection: connection opened
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> New SMB password:
> Retype new SMB password:
> smbldap_open_connection: connection opened
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> init_sam_from_ldap: Entry found for user: test
> init_ldap_from_sam: Setting entry for user: test
> smbldap_open_connection: connection opened
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does not support paged results
> smbldap_check_root_dse: Expected one rootDSE, got 0
> ldap password change requested, but LDAP server does not support it -- ignoring
> ldapsam_update_sam_account: successfully modified uid = test in the LDAP database
>
> Why samba-3.0.6 can sync password and samba-3.0.11 say that my LDAP server does not support it? Any ideas?

My guess: the behaviour of 3.0.11 is more correct, and something is clearly wrong with your DSA - the client cannot read the rootDSE. Possibly you've got an ACL doing something you don't intend; it doesn't look like a Samba problem. The rootDSE is used to determine features supported by the DSA, including the password-modify extended operation.
Re: [Samba] "ldap passwd sync" not working
In debug mode smbpasswd say this:

samba 3.0.6
# smbpasswd -D 4 test
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: test
ldapsam_update_sam_account: user test to be modified has dn: cn=test, ou=People, dc=domain,dc=my
init_ldap_from_sam: Setting entry for user: test
ldapsam_modify_entry: LDAP Password changed for user test
ldapsam_update_sam_account: successfully modified uid = test in the LDAP database

samba 3.0.11
[EMAIL PROTECTED] samba]# smbpasswd -D 3 test
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
smbldap_check_root_dse: Expected one rootDSE, got 0
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
New SMB password:
Retype new SMB password:
smbldap_open_connection: connection opened
smbldap_check_root_dse: Expected one rootDSE, got 0
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
init_sam_from_ldap: Entry found for user: test
init_ldap_from_sam: Setting entry for user: test
smbldap_open_connection: connection opened
smbldap_check_root_dse: Expected one rootDSE, got 0
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
smbldap_check_root_dse: Expected one rootDSE, got 0
ldap password change requested, but LDAP server does not support it -- ignoring
ldapsam_update_sam_account: successfully modified uid = test in the LDAP database

Why samba-3.0.6 can sync password and samba-3.0.11 say that my LDAP server does not support it? Any ideas?

Alexander Zubkov
Re: [Samba] "ldap passwd sync" not working
>>> I've samba as PDC with LDAP backend some time ago when user changes password in windows or when password changed with smbpasswd - LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.
>>> I've searched this list a while and found only one mail, said that it was broken there when upgrading from 3.0.7 to 3.0.9,
>>
>> We are on SuSe's 3.0.9 and "ldap passwd sync" works. I don't believe it is broken.
>
> I can't understand too, because if it was totally broken many people should note it,

There would be a lot of noise I think.

> but there was only one note I found. :(

Perhaps you have some other issue. Have you tried increasing the log level on your LDAP server, changing your password and seeing if the change request ever hits the server?
Re: [Samba] "ldap passwd sync" not working
>> I've samba as PDC with LDAP backend some time ago when user changes password in windows or when password changed with smbpasswd - LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.
>> I've searched this list a while and found only one mail, said that it was broken there when upgrading from 3.0.7 to 3.0.9,
>
> We are on SuSe's 3.0.9 and "ldap passwd sync" works. I don't believe it is broken.

I can't understand too, because if it was totally broken many people should note it, but there was only one note I found. :(

Zubkov Alexander
Re: [Samba] "ldap passwd sync" not working
I've found only samba 3.0.6 and 3.0.9 - 3.0.11 versions downloaded at my server. When reverting samba to 3.0.6 version sync works ok, but with 3.0.9 it is bad. I'll search through for 3.0.7, 3.0.8 versions on the Internet and will tell more when I've checked them.
Re: [Samba] "ldap passwd sync" not working
> I've samba as PDC with LDAP backend some time ago when user changes password in windows or when password changed with smbpasswd - LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.
> I've searched this list a while and found only one mail, said that it was broken there when upgrading from 3.0.7 to 3.0.9,

We are on SuSe's 3.0.9 and "ldap passwd sync" works. I don't believe it is broken.
Re: [Samba] "ldap passwd sync" not working
>> Hi.
>> I've samba-3.0.11 now, installed from rpm on Redhat 9.0. Problem was with 3.0.10 too. I don't exactly know when it was broken, because I found it a week ago.
>> I've samba as PDC with LDAP backend some time ago when user changes password in windows or when password changed with smbpasswd - LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.
>> Configure files wasn't changed - only adding/removing some shares, testparm shows "ldap passwd sync = yes".
>
> what's your passwd program= (say)

In the case of LDAP password sync you need no passwd program as far as I know. Samba should change it through the LDAP interface and it was doing it till some date... I'll try in the next days to set up older versions of samba and will post the results.

> and are you using the IDEALX to add users and so on...?

No, I'm not using it. I add users to LDAP and then do "smbpasswd -a".

PS. (to Mark Sarria) I've replied to my e-mail because I haven't seen yours on the list. May be because you CC'd it to me and the list ignored it.

Zubkov Alexander
Re: [Samba] "ldap passwd sync" not working
> Hi.
> I've samba-3.0.11 now, installed from rpm on Redhat 9.0. Problem was with 3.0.10 too. I don't exactly know when it was broken, because I found it a week ago.
> I've samba as PDC with LDAP backend some time ago when user changes password in windows or when password changed with smbpasswd - LDAP password of this user was changed too. Now LDAP passwords remain the same as they were.
> Configure files wasn't changed - only adding/removing some shares, testparm shows "ldap passwd sync = yes".

What's your passwd program= (say) and are you using the IDEALX to add users and so on...?

> I've searched this list a while and found only one mail, said that it was broken there when upgrading from 3.0.7 to 3.0.9, but there was no answer: http://lists.samba.org/archive/samba/2005-January/098466.html
> Any ideas what is broken?
>
> Alexander Zubkov