Hi there,

I got into some trouble after updating my Samba installation to 3.0.27a. My installation uses Samba-3.0.27a, OpenLDAP-2.2.13 and smbldap-tools-0.9.2 as a PDC for an NT4 domain. Originally I used the installation guide from smbldap-tools and everything worked fine. I also limited the access to LDAP as told in the installation guide, with no problems. After updating to 3.0.27a I realized that when using usrmgr.exe, the password preferences in Policies -> Accounts didn't get saved - only the password-length option got saved. After doing some research, I managed to solve this by adding the following LDAP attributes to the access rules in slapd.conf:

sambaMinPwdLength
sambaPwdHistoryLength
sambaLogonToChgPwd
sambaMaxPwdAge
sambaMinPwdAge
sambaLockoutDuration
sambaLockoutObservationWindow
sambaLockoutThreshold
sambaForceLogoff
sambaRefuseMachinePwdChange

But one problem still exists:

If Windows users change their password via the normal Windows dialog, the password gets changed in LDAP, and the sambaLastChange attribute gets updated too, BUT the sambaPwdCanChange and sambaPwdMustChange attributes don't update, and so all the Maximum Password Age stuff, including reminding users of their password expiration and forcing users to change their password when it expires, doesn't work anymore.

I can't find any other possible access-right problems within LDAP, so why doesn't the sambaPwdMustChange attribute update??

The problem also exists when adding a new user. After the user changes his password at first login, the sambaPwdMustChange attribute doesn't update.


slapd.conf digest
----------------------------------------------------------------------------------
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=nssldap,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self write
        by anonymous auth
        by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * read

access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self write
        by * read

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,
sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,
sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,
sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,
sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,
sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaMinPwdLength,sambaPwdHistoryLength,
sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,
sambaForceLogoff,sambaRefuseMachinePwdChange
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self read
        by * none

access to dn.base="dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Users,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Groups,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to dn="ou=Computers,dc=bel-gmbh,dc=lan"
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
        by * none

access to *
        by self read
        by * read
----------------------------------------------------------------------------------


Thanks in advance for all hints and suggestions.



Bye,

Markus Kahle
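An added example, not part of the original mail: a small Python checker that applies OpenLDAP's first-matching-clause rule to a constructed slapd.conf excerpt modelled on the rules above, so you can see what access "self" (the user changing their own password) and the cn=samba bind DN actually end up with on each attribute. The excerpt and the helper names are constructed for this example; note that the posted config lists sambaPwdMustChange in two clauses, and only the first one slapd reaches counts.

```python
import re
# Constructed excerpt modelled on the posted slapd.conf (not the poster's file).
SLAPD_CONF = """\
access to attrs=userPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self write
        by anonymous auth
        by * none
access to attrs=cn,sambaPwdCanChange,sambaPwdMustChange,sambaMaxPwdAge
        by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
        by self read
        by * none
access to *
        by * read
"""

def logical_lines(text):
    """slapd joins a line that starts with whitespace onto the previous directive."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def parse_acls(text):
    """Return [(attr set, or None for '*', [(who, level), ...])] in file order; dn= targets skipped."""
    acls = []
    for line in logical_lines(text):
        m = re.match(r"access to (attrs=(\S+)|\*)\s+(.*)", line)
        if not m:
            continue  # dn= / filter= targets are out of scope for this checker
        attrs = None if m.group(2) is None else {a.lower() for a in m.group(2).split(",")}
        acls.append((attrs, re.findall(r"\bby\s+(\S+)\s+(\S+)", m.group(3))))
    return acls

def effective_access(acls, attr, subject):
    """First clause covering attr decides; first matching 'by' wins; no match means deny."""
    attr = attr.lower()
    for idx, (attrs, bys) in enumerate(acls):
        if attrs is None or attr in attrs:
            for who, level in bys:
                if who in (subject, "*"):
                    return idx, level
            return idx, "none"  # clause matched but no 'by' applied: implicit 'by * none'
    return None, "none"
```

Running `effective_access(parse_acls(SLAPD_CONF), "sambaPwdCanChange", "self")` returns `(1, "read")`, while the same lookup for sambaPwdMustChange returns `(0, "write")` from the earlier clause.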
