[Samba] ldap passwd sync not working - Samba


Thread: [Samba] ldap passwd sync not working

  1. [Samba] ldap passwd sync not working

    Hi, there!

    When my XP users try to change passwords, they get a message saying that
    password has been changed. That's not true!

    NT and LM passwords are changed but unixPassword isn't.

    Look at these openldap.log lines:

    Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
    Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet

    See?

    My smb.conf has these ldap related options:

    passdb backend = ldapsam:ldap://apolo.domain
    idmap backend = ldapsam:ldap://apolo.domain
    ldap suffix = dc=domain
    ldap admin dn = cn=root,dc=domain
    ldap ssl = start_tls
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ldap passwd sync = yes
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

    --
    Fabiano Caixeta Duarte
    Especialista em Redes de Computadores
    Linux User #195299
    Ribeirão Preto - SP
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
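
Added example (not part of the thread): a Python check that does what the first post does by eye, grouping slapd log lines by conn/op and flagging every MOD that rewrote the Samba hashes with no userPassword write for the same DN nearby. The sample log lines are constructed; the `PASSMOD id="..."` line shape for the Password Modify extended operation and the `OP_WINDOW` heuristic are assumptions, not something the thread shows.

```python
import re
from collections import defaultdict

# Matches the slapd stats lines quoted in the post, e.g.
#   ... slapd[22826]: conn=698021 op=40 MOD attr=sambaNTPassword ...
LINE_RE = re.compile(
    r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<verb>PASSMOD|MOD) (?P<rest>.*)$'
)
DN_RE = re.compile(r'(?:dn|id)="(?P<dn>[^"]*)"')

SAMBA_HASH_ATTRS = {"sambantpassword", "sambalmpassword"}
UNIX_ATTR = "userpassword"
OP_WINDOW = 3  # heuristic: max distance (in op numbers) between the two writes


def find_unsynced_changes(lines, op_window=OP_WINDOW):
    """Return (conn, op, dn) for each MOD that rewrote the Samba hashes
    with no userPassword write for the same DN nearby on that connection."""
    mods = defaultdict(lambda: {"dn": None, "attrs": set()})  # (conn, op) -> MOD
    unix_writes = defaultdict(list)  # (conn, dn) -> op numbers

    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"].strip()
        dn_match = DN_RE.match(rest)
        if m["verb"] == "PASSMOD":
            # Assumption: slapd logs the Password Modify exop as PASSMOD id="<dn>"
            if dn_match:
                unix_writes[(conn, dn_match["dn"].lower())].append(op)
        elif dn_match:
            mods[(conn, op)]["dn"] = dn_match["dn"].lower()
        elif rest.startswith("attr="):
            names = rest[len("attr="):].split()
            mods[(conn, op)]["attrs"].update(n.lower() for n in names)

    # A MOD that lists userPassword itself also counts as a Unix-side write.
    for (conn, op), mod in mods.items():
        if mod["dn"] and UNIX_ATTR in mod["attrs"]:
            unix_writes[(conn, mod["dn"])].append(op)

    findings = []
    for (conn, op), mod in sorted(mods.items()):
        if not mod["dn"] or not (mod["attrs"] & SAMBA_HASH_ATTRS):
            continue
        nearby = unix_writes.get((conn, mod["dn"]), [])
        if not any(abs(op - other) <= op_window for other in nearby):
            findings.append((conn, op, mod["dn"]))
    return findings


# Constructed sample log (not from the thread): alice is never synced, bob is
# synced at op 7/8 but not at op 40 on the same long-lived connection, and
# carol's userPassword is written in the same MOD as her Samba hashes.
SAMPLE_LOG = [
    'Feb 12 08:00:01 ldap1 slapd[1234]: conn=1001 op=5 MOD dn="uid=alice,ou=Users,dc=example"',
    'Feb 12 08:00:01 ldap1 slapd[1234]: conn=1001 op=5 MOD attr=sambaLMPassword sambaNTPassword sambaPwdLastSet',
    'Feb 12 08:05:10 ldap1 slapd[1234]: conn=1002 op=7 PASSMOD id="uid=bob,ou=Users,dc=example" new',
    'Feb 12 08:05:10 ldap1 slapd[1234]: conn=1002 op=8 MOD dn="uid=bob,ou=Users,dc=example"',
    'Feb 12 08:05:10 ldap1 slapd[1234]: conn=1002 op=8 MOD attr=sambaLMPassword sambaNTPassword sambaPwdLastSet',
    'Feb 12 09:40:00 ldap1 slapd[1234]: conn=1002 op=40 MOD dn="uid=bob,ou=Users,dc=example"',
    'Feb 12 09:40:00 ldap1 slapd[1234]: conn=1002 op=40 MOD attr=sambaNTPassword sambaPwdLastSet',
    'Feb 12 09:45:30 ldap1 slapd[1234]: conn=1003 op=2 MOD dn="uid=carol,ou=Users,dc=example"',
    'Feb 12 09:45:30 ldap1 slapd[1234]: conn=1003 op=2 MOD attr=userPassword sambaNTPassword sambaPwdLastSet',
]

if __name__ == "__main__":
    for conn, op, dn in find_unsynced_changes(SAMPLE_LOG):
        print(f"conn={conn} op={op}: Samba hashes changed without userPassword for {dn}")
```

Accounts this flags keep their old Unix password after a Windows-side change, so the old secret still authenticates to services that bind against userPassword.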

  2. Re: [Samba] ldap passwd sync not working

    The question may not be related to LDAP since your domain passwords are
    changed. You should be looking at why the Unix password isn't being
    changed.
    - Are you using LDAP for Unix authentication?
    - Can you change the Unix password using passwd?
    - Is your password chat in smb.conf correct for your system?



  3. Re: [Samba] ldap passwd sync not working

    >
    > The question may not be related to LDAP since your domain passwords are
    > changed. You should be looking at why the Unix password isn't being
    > changed.
    > - Are you using LDAP for Unix authentication?
    > - Can you change the Unix password using passwd?
    > - Is your password chat in smb.conf correct for your system?


    AFAIK when using ldapsam, we must use ldap attributes for storing unix
    information. So passwd won't work.

    If so, we cannot use "passwd chat" "passwd program" "unix password
    sync", etc. Instead, we have to use "ldap passwd sync".

    Am I wrong?

    And yes, I'm also using unix authentication for some services.

    I assume that I missed something on smb.conf because samba doesn't ask
    for modification on unixPassword ldap attribute as shown on openldap.log

    Thanks for your attention.

    --
    Fabiano Caixeta Duarte
    Especialista em Redes de Computadores
    Linux User #195299
    Ribeirão Preto - SP

  4. Re: [Samba] ldap passwd sync not working

    Fabiano Caixeta Duarte wrote:
    >>
    >> The question may not be related to LDAP since your domain passwords are
    >> changed. You should be looking at why the Unix password isn't being
    >> changed.
    >> - Are you using LDAP for Unix authentication?
    >> - Can you change the Unix password using passwd?
    >> - Is your password chat in smb.conf correct for your system?

    >
    > AFAIK when using ldapsam, we must use ldap attributes for storing unix
    > information. So passwd won't work.


    passwd works partially. passwd uses PAM, and PAM can access LDAP but it
    only knows about posix attributes.

    > If so, we cannot use "passwd chat" "passwd program" "unix password
    > sync", etc. Instead, we have to use "ldap passwd sync".


    Well, you can, but yes, ldap passwd sync does the same thing without
    the need to configure anything, so it works, but it just doesn't make
    sense to configure both.


    The IDEALX documentation explains that:

    http://sourceforge.net/docman/displa...roup_id=166108

    6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
    is not called, or i got a error message when changing the password from
    windows
    The directive is called if you also set unix password sync = Yes. Notes:

    * if you use OpenLDAP, none of those two options are needed. You just
    need ldap passwd sync = Yes.
    * the script called here must only update the userPassword attribute.
    This is the reason of the -u option. Samba passwords will be updated by
    samba itself.
    * the passwd chat directive must match what is prompted when using the
    smbldap-passwd command

    So..., just -u to change only userPassword and a working passwd chat

    And in: 8.1.3 The samba configuration file : /etc/samba/smb.conf

    #unix password sync = Yes
    #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    ldap passwd sync = Yes

    One OR another. But both approaches work.

    > Am I wrong?


    Yes.

    > And yes, I'm also using unix authentication for some services.
    >
    > I assume that I missed something on smb.conf because samba doesn't ask
    > for modification on unixPassword ldap attribute as shown on openldap.log


    That's funny, I cannot point to anything missing in your smb.conf; ldap
    passwd sync should work alone. But you can try smbldap-passwd as shown
    in the three lines above. Make sure it works at the command line first.

    > Thanks for your attention.



    Regards.

    Edmundo Valle Neto

  5. Re: [Samba] ldap passwd sync not working


    Sure enough smbldap-passwd works. I have tried this once ldap passwd
    sync was not working. Though, there are two problems: 1) it's too slow
    and 2) it shows a message to the user telling he has no permissions to
    change password. So it's confusing. I don't feel comfortable using such
    a thing.

    Actually, I was hoping for some answer from someone who has ldap passwd
    sync working. Hints on how to debug and so on.

    Thanks again!

    --
    Fabiano Caixeta Duarte
    Especialista em Redes de Computadores
    Linux User #195299
    Ribeirão Preto - SP

  6. Re: [Samba] ldap passwd sync not working

    On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
    > Hi, there!
    > When my XP users try to change passwords, they get a message saying that
    > password has been changed. That's not true!


    I can confirm that the following configuration works for me:

    unix password sync = No
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

    If you have not set the last directive, you should do so: 'smbldap-passwd'
    does not prompt you the same way as 'passwd', for example. You should also be
    careful not to add a space or other character.


    --
    Jerome Tournier
    GPG key ID (pgp.mit.edu): 75FE0A51

  7. Re: [Samba] ldap passwd sync not working

    (...)
    >
    > Sure enough smbldap-passwd works. I have tried this once ldap passwd
    > sync was not working.


    How?

    > Though, there are two problems: 1) it's too slow and 2) it shows a
    > message to the user telling he has no permissions to change password.


    Where? How?

    > So it's confusing. I don't feel comfortable using such a thing.
    >
    > Actually, I was hoping for some answer from someone who has ldap passwd
    > sync working.


    Mine is. It doesn't need anything else.

    > Hints on how to debug and so on.


    One was suggested: try smbldap-passwd -u from the command line and inside
    samba and see if it works. If it works alone, there's a possibility that
    your samba config has a problem; if it doesn't work even outside samba,
    it doesn't have anything to do with samba, as it runs alone. It's a
    simple perl script that binds to ldap directly.

    If you conclude that the problem is with samba you can start to raise
    the log level; if it's not, it's useless and maybe you should look at your
    ldap acls.

    So, it depends. I didn't understand what works and what doesn't and in
    which situation now.

    > Thanks again!


    Edmundo Valle Neto


  8. Re: [Samba] ldap passwd sync not working

    Jerome Tournier wrote:
    > On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
    >> Hi, there!
    >> When my XP users try to change passwords, they get a message saying that
    >> password has been changed. That's not true!

    >
    > I can confirm that the following configuration works for me:
    >
    > unix password sync = No
    > ldap passwd sync = Yes
    > passwd program = /usr/sbin/smbldap-passwd -u %u
    > passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"


    I assume that your ldap sync passwd is enough (like I wanted to) because
    smb.conf tells us that passwd chat is not used if unix password sync is
    set to no.

    passwd chat (G)
    Note that this parameter only is only used if the unix password
    sync parameter is set to yes.

    So, as I told Edmundo in my last post, I tried using

    unix password sync = yes
    passwd program = /usr/local/sbin/smbldap-passwd -u %u
    passwd chat = "Changing UNIX password for %u"*New*password:* %n\n "*Retype new password:*" %n\n

    and it sort of worked. Both samba and unix passwords were changed, but
    users get a message telling they don't have permission to change
    passwords. In addition, it takes too long from when the user tries the
    operation until the system responds.

    Could you post (or send me in PVT) your smb.conf? I think this will help
    a lot. Please also give the version of the OS, samba and openldap.

    I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a
    and openldap 2.3.38. Not using PAM.

    --
    Fabiano Caixeta Duarte
    Especialista em Redes de Computadores
    Linux User #195299
    Ribeirão Preto - SP

  9. Re: [Samba] ldap passwd sync not working

    On Thu, Feb 14, 2008 at 09:33:49AM +0100, Jerome Tournier wrote:
    > On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
    > Have you tried 'access to * by * write' in slapd.conf (don't think it comes
    > from here as passwords are changed, but maybe users don't have write access
    > to attributes such as shadowLastChange)?


    Oops, users don't need to have write access to shadowLastChange is run as root.
    But maybe you can try
    --
    Jérôme

  10. Re: [Samba] ldap passwd sync not working

    On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
    > I assume that your ldap sync passwd is enough (like I wanted to) because
    > smb.conf tells us that passwd chat is not used if unix password sync is set
    > to no.
    >
    > passwd chat (G)
    > Note that this parameter only is only used if the unix password sync
    > parameter is set to yes.


    You must effectively be right. I'll try this evening to be sure.

    > and it sort of worked. Both samba and unix passwords were changed, but
    > users get a message telling they don't have permission to change passwords.
    > In addition, it takes too long from when the user tries the operation until
    > the system responds.


    Isn't it related to the workstation? Have you tried with another?
    Do you have any information in the Samba log?
    Have you tried 'access to * by * write' in slapd.conf (don't think it comes
    from here as passwords are changed, but maybe users don't have write access
    to attributes such as shadowLastChange)?

    > Could you post (or send me in PVT) your smb.conf? I think this will help a
    > lot. Please also give the version of the OS, samba and openldap.


    I tried on CentOS release 4.6 (Final)
    samba-3.0.25b-1.el4_6.4
    openldap-servers-2.2.13-8.el4_6.2
    smbldap-tools-0.9.5-pre4 (but changing password works with the latest
    packages)

    > I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
    > openldap 2.3.38. Not using PAM.


    Don't think PAM matters here.



    My smb.conf:
    # Global parameters
    [global]
    workgroup = DOMSMB
    netbios name = PDC-SRV
    security = user
    enable privileges = yes
    server string = Samba Server %v
    encrypt passwords = Yes
    unix password sync = No
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    #passwd chat debug = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=company,dc=com
    #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
    ldap suffix = dc=company,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    #ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    #ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    # printers configuration
    printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    #force create mode = 0640
    #force directory mode = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no
    template shell = /bin/false
    winbind use default domain = no
    [netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes


    --
    Jerome Tournier
    GPG key ID (pgp.mit.edu): 75FE0A51

  11. Re: [Samba] ldap passwd sync not working

    hi Fabiano,
    hi Edmundo,


    the second problem here ("user has no permission") when using an
    external passwd program sounds familiar to me:

    >
    > Sure enough smbldap-passwd works. I have tried this once ldap passwd
    > sync was not working. Though, there are two problems: 1) it's too slow
    > and 2) it shows a message to the user telling he has no permissions to
    > change password. So it's confusing. I don't feel comfortable using such


    At least on Solaris this "You do not have permissions to change your
    password"-behaviour is a known problem. See Bug-ID 5121 for details and
    a patch for Samba 3.0.28.
    https://bugzilla.samba.org/show_bug.cgi?id=5121

    kind regards,
    Reinhard
    --
    Reinhard Sojka

    Parlamentsdirektion
    A1.5 - EDV / System- & Networkadmin

    A-1017 Wien - Parlament
    Tel. +43 1 40110 2824
    Fax +43 1 40110 2848
    http://www.parlament.gv.at


  12. Re: [Samba] ldap passwd sync not working [solved]

    Jerome Tournier wrote:
    > I tried on CentOS release 4.6 (Final)
    > samba-3.0.25b-1.el4_6.4
    > openldap-servers-2.2.13-8.el4_6.2
    > smbldap-tools-0.9.5-pre4 (but changing password works with the latest
    > packages)
    >
    >> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
    >> openldap 2.3.38. Not using PAM.


    You kind of helped me. Looking at openldap version (2.2) I remembered
    that I had ldap passwd sync working with this version of LDAP. So I
    looked for what has changed between 2.2 and 2.3 versions of Openldap. I
    found password policy, which seems to be mandatory for this whole thing
    to work with earlier versions of Samba.

    So, I (re)compiled openldap-server with ppolicy support and inserted
    these two lines in my slapd.conf:

    include /path/to/schema/ppolicy.schema
    overlay ppolicy

    Thanks to everyone who tried helping.

    --
    Fabiano Caixeta Duarte
    Especialista em Redes de Computadores
    Linux User #195299
    Ribeirão Preto - SP