Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-20 Thread jamurph

For anyone who runs into similar problems in the future:

I updated samba3 and samba3-client and it has solved the password lockout
problem.

http://www.nabble.com/CentOS-samba-upgrade-tf3178510.html#a8820049

installed latest versions for centos 4.3 from 
http://ftp.sernet.de/pub/samba/rhel/rhel4-i386/

[EMAIL PROTECTED] ~]# yum list | grep samba
Repository base is listed more than once in the configuration
samba3.i386                  3.0.24-30        installed
samba3-client.i386           3.0.24-30        installed
samba.i386                   3.0.10-1.4E.11   updates-released
samba-client.i386            3.0.10-1.4E.11   updates-released
samba-common.i386            3.0.10-1.4E.11   updates-released
samba-swat.i386              3.0.10-1.4E.11   updates-released
system-config-samba.noarch   1.2.21-1         base

-- 
View this message in context: 
http://www.nabble.com/pdbedit-password-policy---not-updating-ldapsam-tf3239423.html#a9063162
Sent from the Samba - General mailing list archive at Nabble.com.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-20 Thread jamurph

I think the problem is partly related to me having a wrong version of pdbedit.
I need to update samba-client. Now I must see if I can find a source rpm
that I can build and install on CentOS 4.3.

[EMAIL PROTECTED] lib]# pdbedit -V
Version 3.0.10-1.4E.11
[EMAIL PROTECTED] lib]# which pdbedit
/usr/bin/pdbedit
[EMAIL PROTECTED] lib]# yum list | grep samba
Repository base is listed more than once in the configuration
samba.i386                   3.0.24-1         installed
samba-common.i386            3.0.10-1.4E.11   installed
samba.i386                   3.0.10-1.4E.11   updates-released
samba-client.i386            3.0.10-1.4E.11   updates-released
samba-swat.i386              3.0.10-1.4E.11   updates-released
system-config-samba.noarch   1.2.21-1         base



Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-19 Thread jamurph

I removed version 3.0.22 and installed 3.0.24 (I removed samba files from
/etc/samba, /var/lib/samba, /var/cache/samba), but I'm afraid I'm still
experiencing the same problem when I run

 pdbedit -y -i tdbsam -e ldapsam

 Found pdb backend guest
 pdb backend guest has a valid init
 called with username="(null)"
 tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
 Unable to open/create TDB passwd
 Can't sampwent!

I manually updated the password policy settings in
sambaDomain=BLAHDEV,dc=example,dc=org:

 ldapmodify -x -D "..." -W
 dn: sambaDomainName=BLAHDEV,dc=roke,dc=co,dc=uk
 changeType: modify
 sambaMinPwdAge: 0
 sambaMaxPwdAge: 2592000
 sambaPwdHistoryLength: 5
 sambaLockoutThreshold: 3
 sambaMinPwdLength: 8
 sambaLockoutDuration: -1

Samba doesn't appear to recognise these changes. How can I get samba to just
look in the ldapsam and not worry about what's in other backends? Any ideas
on how to diagnose this problem would also be helpful.

 [global]
   workgroup = BLAHDEV
   netbios name = BLAHDEV-PDC
   security = user
   server string = Samba Server
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   # unix password sync = Yes
   passwd program = /usr/sbin/ldap_userPassword_change %u
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   # Crackcheck settings to allow NT style password complexity checks
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1"
   ldap admin dn = cn=Manager,dc=example,dc=org
   ldap suffix = dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   # idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
   idmap backend = ldap:"ldap://ldap-1"
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no

I'm running on centos 4.3. Is there a Linux file or PAM setting or something
that I need to change to make this work?
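
Added example, not part of the original post or of Samba: Python that compares the policy attributes of a sambaDomain entry with a wanted policy and writes an ldapmodify change record in which each changed attribute has its own `replace:` operation, the form a `changetype: modify` record requires. The policy-to-attribute table is the Samba 3.0.x mapping; the function names, sample entry and wanted values are constructed here from the values quoted in this thread.

```python
# Added example (not from the thread): diff a sambaDomain entry against a
# wanted account policy and emit a well-formed ldapmodify change record.

# pdbedit -P policy name -> sambaDomain attribute, as used by Samba 3.0.x
POLICY_ATTR = {
    "min password length": "sambaMinPwdLength",
    "password history": "sambaPwdHistoryLength",
    "minimum password age": "sambaMinPwdAge",
    "maximum password age": "sambaMaxPwdAge",
    "bad lockout attempt": "sambaLockoutThreshold",
    "lockout duration": "sambaLockoutDuration",
}

def parse_entry(ldif):
    """Parse one unwrapped, non-base64 LDIF entry into (dn, {attr: value})."""
    dn, attrs = None, {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            dn = value.strip()
        elif name.strip():
            attrs[name.strip()] = value.strip()
    return dn, attrs

def policy_drift(attrs, wanted):
    """Return {attr: (current, wanted)} for each policy whose value differs."""
    drift = {}
    for policy, value in wanted.items():
        attr = POLICY_ATTR[policy]
        if attrs.get(attr) != str(value):
            drift[attr] = (attrs.get(attr), str(value))
    return drift

def modify_ldif(dn, drift):
    """One 'replace:' block per attribute, blocks separated by a '-' line."""
    blocks = [f"replace: {a}\n{a}: {new}" for a, (_, new) in sorted(drift.items())]
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"

# Constructed sample: policy attributes of the sambaDomain entry posted in this thread.
ENTRY = """\
dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaMinPwdLength: 5
"""
# Wanted values: the ones used in the ldapmodify attempt in the message above.
WANTED = {"minimum password age": 0, "maximum password age": 2592000,
          "password history": 5, "bad lockout attempt": 3,
          "min password length": 8, "lockout duration": -1}

if __name__ == "__main__":
    dn, attrs = parse_entry(ENTRY)
    print(modify_ldif(dn, policy_drift(attrs, WANTED)), end="")
```

Whether smbd then honours the LDAP values depends on the Samba version in use, which is the question the rest of this thread discusses.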



Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-17 Thread Michael Gasch

hi stefan,

> I think replication of password policies to ldap started with Samba
where did you find this information?
couldn't find anything in the release notes...

micha

Stefan Schmitz wrote:

Hi Jamurph,

I think replication of password policies to ldap started with Samba
3.0.23d. Before this version you have to export them from the PDC to the
LDAP-Server by

pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

pdbedit -y -i ldapsam -e tdbsam

Regards Stefan


jamurph wrote:

I have Samba and LDAP up and running, but I'm having problems editing the
password policy using pdbedit. 


(I'm running 3.0.22)

I've had a look at the man page for pdbedit but I don't really fully
understand what it does in relation to passwd backends. Does pdbedit update
just one backend and expect a user to export the updates to other backends? 


I think I've set up ldap as my default backend - but pdbedit doesn't update
it. It looks like it's updating some other backend. I guess my smb.conf
(attached) isn't configured correctly? How do I find out which one it's
updating? I can also see a reference to pdbedit backend guest in the logs,
but I don't understand why pdbedit is looking for this.

I tried the following command: 
 pdbedit -P "min password length" -C 7 -d 10


This is a snippet of the logs:
  The LDAP server is succesfully connected
  pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
  Attempting to find an passdb backend to match guest (guest)
  Found pdb backend guest
  pdb backend guest has a valid init
  account_policy_get: min password length:7
  account policy value for min password length was 7
  account_policy_set: min password length:7
  account policy value for min password length is now 7

I'm guessing it's taking these values from
/var/lib/samba/account_policy.tdb, it's not taking them from ldap - because
it doesn't change sambaMinPwdLength.

I can see a search happening in the ldap logs, but I don't see any updates -
is this expected behaviour?

I believe I need to run the following command to update LDAP?
 pdbedit -y -i tdbsam -e ldapsam -d 10

However, when I do this, I get the following error message (more of log
attached - but this is part I think is failing)

 Attempting to find an passdb backend to match guest (guest)
 Found pdb backend guest
 pdb backend guest has a valid init
 called with username="(null)"
 tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No such file or directory
 Unable to open/create TDB passwd
 Can't sampwent!


When configuring Samba initially, I had some problems, so I followed some
instructions and deleted the following

 rm /etc/samba/*tdb
 rm /var/lib/samba/*tdb
 rm /var/lib/samba/*dat
 rm /var/log/samba/*

as a result passdb.tdb is no longer, and didn't get re-created. Is there any
way I can recreate this file? Is this the cause of my problems?

Any help much appreciated, I've attached more details in case they are
needed


--- LDAP Entry ---

dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaDomainName: BLAHDEV
sambaMinPwdAge: 0
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaPwdHistoryLength: 0
sambaNextGroupRid: 67109863
uidNumber: 1005
sambaLogonToChgPwd: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaForceLogoff: -1
sambaLockoutThreshold: 0
gidNumber: 1000
sambaSID: S-1-5-21-317703500-4181503002-770181164
sambaNextUserRid: 67109862
sambaMinPwdLength: 5
sambaRefuseMachinePwdChange: 0
sambaAlgorithmicRidBase: 1000
sambaLockoutObservationWindow: 30



--- SMB.CONF ---
[global]
   workgroup = BLAHDEV
   netbios name = BLAHDEV-PDC
   security = user
   server string = Samba Server
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 10
   time server = Yes
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   # unix password sync = Yes
   passwd program = /usr/sbin/ldap_userPassword_change %u
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
   # Crackcheck settings to allow NT style password complexity checks
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2"
   ldap admin dn = cn=Manager,dc=example,dc=org
   ldap suffix = dc=dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2"
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sb

Re: [Samba] pdbedit password policy - not updating ldapsam

2007-02-16 Thread Stefan Schmitz

Hi Jamurph,

I think replication of password policies to ldap started with Samba
3.0.23d. Before this version you have to export them from the PDC to the
LDAP-Server by

pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

pdbedit -y -i ldapsam -e tdbsam

Regards Stefan
