[Samba] ldap passwd sync not working - Samba
[Samba] ldap passwd sync not working
Hi, there!
When my XP users try to change passwords, they get a message saying that
password has been changed. That's not true!
NT and LM passwords are changed but unixPassword isn't.
Look at this openldap.log lines:
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
sambaPwdLastSet sambaPwdLastSet
See?
My smb.conf have this ldap related options:
passdb backend = ldapsam:ldap://apolo.domain
idmap backend = ldapsam:ldap://apolo.domain
ldap suffix = dc=domain
ldap admin dn = cn=root,dc=domain
ldap ssl = start_tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
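Added example, not part of the original thread: a Python check that automates what the poster does by eye in openldap.log, listing entries whose Samba hashes were modified without a successful userPassword change on the same connection, which leaves the old Unix password valid. The sample lines are constructed on the pattern of the log above; the PASSMOD line format, and the premise that Samba performs the Unix-side change through the LDAP password-modify extended operation, are assumptions that do not come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd lines quoted in the post.
# Assumption: slapd logs the password-modify extended operation as
# 'PASSMOD id="<dn>"'; confirm the exact format in your own log.
SAMPLE_LOG = """\
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 RESULT tag=103 err=0 text=
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 MOD dn="uid=maria,ou=Users,dc=domain"
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 MOD attr=sambaLMPassword sambaNTPassword sambaPwdLastSet
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=12 RESULT tag=103 err=0 text=
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=13 PASSMOD id="uid=maria,ou=Users,dc=domain" new
Feb 12 08:02:11 apolo slapd[22826]: conn=698030 op=13 RESULT oid= err=0 text=
Feb 12 08:10:45 apolo slapd[22826]: conn=698044 op=7 MOD dn="uid=joao,ou=Users,dc=domain"
Feb 12 08:10:45 apolo slapd[22826]: conn=698044 op=7 MOD attr=sambaLMPassword sambaNTPassword sambaPwdLastSet
Feb 12 08:10:45 apolo slapd[22826]: conn=698044 op=7 RESULT tag=103 err=0 text=
Feb 12 08:10:45 apolo slapd[22826]: conn=698044 op=8 PASSMOD id="uid=joao,ou=Users,dc=domain" new
Feb 12 08:10:45 apolo slapd[22826]: conn=698044 op=8 RESULT oid= err=50 text=
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (MOD|PASSMOD|RESULT) (.*)")
DN = re.compile(r'(?:dn|id)="([^"]*)"')
ERR = re.compile(r"\berr=(\d+)")
SAMBA_HASHES = {"sambantpassword", "sambalmpassword"}


def unsynced_entries(log_text):
    """Return DNs whose Samba hashes changed without a userPassword change."""
    # First pass: rebuild each operation from its MOD/PASSMOD/RESULT lines.
    ops = defaultdict(
        lambda: {"dn": None, "attrs": set(), "passmod": False, "err": None}
    )
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        rec = ops[(int(conn), int(op))]
        if kind == "RESULT":
            err = ERR.search(rest)
            rec["err"] = int(err.group(1)) if err else None
        elif rest.startswith("attr="):
            # Attribute names are case-insensitive; duplicates collapse.
            rec["attrs"].update(a.lower() for a in rest[5:].split())
        else:
            dn = DN.search(rest)
            if dn:
                rec["dn"] = dn.group(1)
                rec["passmod"] = kind == "PASSMOD"

    # Second pass: per connection and DN, compare what was actually written.
    # A long-lived smbd connection may also need a time window here.
    status = defaultdict(lambda: {"samba": False, "unix": False})
    for (conn, _op), rec in ops.items():
        if rec["dn"] is None or rec["err"] != 0:
            continue  # incomplete or failed operation: nothing was stored
        s = status[(conn, rec["dn"])]
        if rec["attrs"] & SAMBA_HASHES:
            s["samba"] = True
        if rec["passmod"] or "userpassword" in rec["attrs"]:
            s["unix"] = True
    return sorted(dn for (_c, dn), s in status.items()
                  if s["samba"] and not s["unix"])


if __name__ == "__main__":
    for dn in unsynced_entries(SAMPLE_LOG):
        print("Samba hashes changed, userPassword not:", dn)
```

In the sample, uid=teste reproduces the situation in the post (hash MOD only), and uid=joao shows a password-modify attempt that the server rejected.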
-
Re: [Samba] ldap passwd sync not working
The question may not be related to LDAP since your domain passwords are
changed. You should be looking at why the Unix password isn't being
changed.
- Are you using LDAP for Unix authentication?
- Can you change the Unix password using passwd?
- is your password chat in smb.conf correct for your system?
Fabiano Caixeta Duarte wrote:
> Hi, there!
>
> When my XP users try to change passwords, they get a message saying that
> password has been changed. That's not true!
>
> NT and LM passwords are changed but unixPassword isn't.
>
> Look at this openldap.log lines:
>
> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
> dn="uid=teste,ou=Users,dc=domain"
> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
> sambaPwdLastSet sambaPwdLastSet
>
> See?
>
> My smb.conf have this ldap related options:
>
> passdb backend = ldapsam:ldap://apolo.domain
> idmap backend = ldapsam:ldap://apolo.domain
> ldap suffix = dc=domain
> ldap admin dn = cn=root,dc=domain
> ldap ssl = start_tls
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap passwd sync = yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>
-
Re: [Samba] ldap passwd sync not working
> Fabiano Caixeta Duarte wrote:
>> Hi, there!
>>
>> When my XP users try to change passwords, they get a message saying that
>> password has been changed. That's not true!
>>
>> NT and LM passwords are changed but unixPassword isn't.
>>
>> Look at this openldap.log lines:
>>
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>> dn="uid=teste,ou=Users,dc=domain"
>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
>> sambaPwdLastSet sambaPwdLastSet
>>
>> See?
>>
>> My smb.conf have this ldap related options:
>>
>> passdb backend = ldapsam:ldap://apolo.domain
>> idmap backend = ldapsam:ldap://apolo.domain
>> ldap suffix = dc=domain
>> ldap admin dn = cn=root,dc=domain
>> ldap ssl = start_tls
>> ldap group suffix = ou=Groups
>> ldap user suffix = ou=Users
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Users
>> ldap passwd sync = yes
>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>> ldap delete dn = Yes
>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>
>
> The question may not be related to LDAP since your domain passwords are
> changed. You should be looking at why the Unix password isn't being
> changed.
> - Are you using LDAP for Unix authentication?
> - Can you change the Unix password using passwd?
> - is your password chat in smb.conf correct for your system?
AFAIK when using ldapsam, we must use ldap attributes for storing unix
information. So passwd won't work.
If so, we cannot use "passwd chat" "passwd program" "unix password
sync", etc. Instead, we have to use "ldap passwd sync".
Am I wrong?
And yes, I'm using also unix authentication for some services.
I assume that I missed something on smb.conf because samba doesn't ask
for modification on unixPassword ldap attribute as shown on openldap.log
Thanks for your attention.
--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
-
Re: [Samba] ldap passwd sync not working
Fabiano Caixeta Duarte wrote:
>> Fabiano Caixeta Duarte wrote:
>>> Hi, there!
>>>
>>> When my XP users try to change passwords, they get a message saying
>>> that
>>> password has been changed. That's not true!
>>>
>>> NT and LM passwords are changed but unixPassword isn't.
>>>
>>> Look at this openldap.log lines:
>>>
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>> dn="uid=teste,ou=Users,dc=domain"
>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
>>> sambaPwdLastSet sambaPwdLastSet
>>>
>>> See?
>>>
>>> My smb.conf have this ldap related options:
>>>
>>> passdb backend = ldapsam:ldap://apolo.domain
>>> idmap backend = ldapsam:ldap://apolo.domain
>>> ldap suffix = dc=domain
>>> ldap admin dn = cn=root,dc=domain
>>> ldap ssl = start_tls
>>> ldap group suffix = ou=Groups
>>> ldap user suffix = ou=Users
>>> ldap machine suffix = ou=Computers
>>> ldap idmap suffix = ou=Users
>>> ldap passwd sync = yes
>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> ldap delete dn = Yes
>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
>>> "%g"
>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>
>>
> > The question may not be related to LDAP since your domain passwords are
> > changed. You should be looking at why the Unix password isn't being
> > changed.
> > - Are you using LDAP for Unix authentication?
> > - Can you change the Unix password using passwd?
> > - is your password chat in smb.conf correct for your system?
>
> AFAIK when using ldapsam, we must use ldap attributes for storing unix
> information. So passwd won't work.
passwd works partially. passwd uses PAM, and PAM can access LDAP but it
only knows about posix attributes.
> If so, we cannot use "passwd chat" "passwd program" "unix password
> sync", etc. Instead, we have to use "ldap passwd sync".
Well, you can, but yes, ldap passwd sync does the same thing without
the need to configure anything, so it works, but it just doesn't make
sense to configure both.
The IDEALX documentation explains that:
http://sourceforge.net/docman/displa...roup_id=166108
6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
is not called, or I got an error message when changing the password from
Windows
The directive is called if you also set unix password sync = Yes. Notes:
* if you use OpenLDAP, none of those two options are needed. You just
need ldap passwd sync = Yes.
* the script called here must only update the userPassword attribute.
This is the reason of the -u option. Samba passwords will be updated by
samba itself.
* the passwd chat directive must match what is prompted when using the
smbldap-passwd command
So..., just -u to change only userPassword and a working passwd chat 
And in: 8.1.3 The samba configuration file : /etc/samba/smb.conf
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
One OR another. But both approaches work.
> Am I wrong?
Yes.
> And yes, I'm using also unix authentication for some services.
>
> I assume that I missed something on smb.conf because samba doesn't ask
> for modification on unixPassword ldap attribute as shown on openldap.log
That's funny, I cannot point to anything missing in your smb.conf; ldap
passwd sync should work alone. But you can try smbldap-passwd as shown
in the three lines above. Make sure it works at the command line first.
> Thanks for your attention.
Regards.
Edmundo Valle Neto
-
Re: [Samba] ldap passwd sync not working
Edmundo Valle Neto wrote:
> Fabiano Caixeta Duarte wrote:
>>> Fabiano Caixeta Duarte wrote:
>>>> Hi, there!
>>>>
>>>> When my XP users try to change passwords, they get a message saying
>>>> that
>>>> password has been changed. That's not true!
>>>>
>>>> NT and LM passwords are changed but unixPassword isn't.
>>>>
>>>> Look at this openldap.log lines:
>>>>
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>>> dn="uid=teste,ou=Users,dc=domain"
>>>> Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
>>>> attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
>>>> sambaPwdLastSet sambaPwdLastSet
>>>>
>>>> See?
>>>>
>>>> My smb.conf have this ldap related options:
>>>>
>>>> passdb backend = ldapsam:ldap://apolo.domain
>>>> idmap backend = ldapsam:ldap://apolo.domain
>>>> ldap suffix = dc=domain
>>>> ldap admin dn = cn=root,dc=domain
>>>> ldap ssl = start_tls
>>>> ldap group suffix = ou=Groups
>>>> ldap user suffix = ou=Users
>>>> ldap machine suffix = ou=Computers
>>>> ldap idmap suffix = ou=Users
>>>> ldap passwd sync = yes
>>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>>> ldap delete dn = Yes
>>>> delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
>>>> "%g"
>>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>>
>>>
>> > The question may not be related to LDAP since your domain passwords are
>> > changed. You should be looking at why the Unix password isn't being
>> > changed.
>> > - Are you using LDAP for Unix authentication?
>> > - Can you change the Unix password using passwd?
>> > - is your password chat in smb.conf correct for your system?
>>
>> AFAIK when using ldapsam, we must use ldap attributes for storing unix
>> information. So passwd won't work.
>
> passwd works partially. passwd uses PAM, and PAM can access LDAP but it
> only knows about posix attributes.
>
>> If so, we cannot use "passwd chat" "passwd program" "unix password
>> sync", etc. Instead, we have to use "ldap passwd sync".
>
> Well, you can, but yes, ldap passwd sync does the same thing without
> the need to configure anything, so it works, but it just doesn't make
> sense to configure both.
>
>
> The IDEALX documentation explains that:
>
> http://sourceforge.net/docman/displa...roup_id=166108
>
> 6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
> is not called, or I got an error message when changing the password from
> Windows
> The directive is called if you also set unix password sync = Yes. Notes:
>
> * if you use OpenLDAP, none of those two options are needed. You just
> need ldap passwd sync = Yes.
> * the script called here must only update the userPassword attribute.
> This is the reason of the -u option. Samba passwords will be updated by
> samba itself.
> * the passwd chat directive must match what is prompted when using the
> smbldap-passwd command
>
> So..., just -u to change only userPassword and a working passwd chat 
>
> And in: 8.1.3 The samba configuration file : /etc/samba/smb.conf
>
> #unix password sync = Yes
> #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
> #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
> ldap passwd sync = Yes
>
> One OR another. But both approaches work.
>
>> Am I wrong?
>
> Yes.
>
>> And yes, I'm using also unix authentication for some services.
>>
>> I assume that I missed something on smb.conf because samba doesn't ask
>> for modification on unixPassword ldap attribute as shown on openldap.log
>
> That's funny, I cannot point to anything missing in your smb.conf; ldap
> passwd sync should work alone. But you can try smbldap-passwd as shown
> in the three lines above. Make sure it works at the command line first.
>
>> Thanks for your attention.
>
>
> Regards.
>
> Edmundo Valle Neto
Sure enough smbldap-passwd works. I have tried this once ldap passwd
sync was not working. Though, there are two problems: 1) it's too slow
and 2) it shows a message to the user telling he has no permissions to
change password. So it's confusing. I don't feel comfortable using such
a thing.
Actually, I was hoping for some answer from whom has ldap passwd sync
working. Hints on how to debug and so on.
Thanks again!
--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
-
Re: [Samba] ldap passwd sync not working
On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
> Hi, there!
> When my XP users try to change passwords, they get a message saying that
> password has been changed. That's not true!
I can confirm that the following configuration works for me:
unix password sync = No
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
If you have not set the last directive, you should: 'smbldap-password'
does not prompt you the same way as 'passwd', for example. You should also be
careful not to add a space or other character.
--
Jerome Tournier
GPG key ID (pgp.mit.edu): 75FE0A51
-
Re: [Samba] ldap passwd sync not working
(...)
>
> Sure enough smbldap-passwd works. I have tried this once ldap passwd
> sync was not working.
How?
> Though, there are two problems: 1) it's too slow and 2) it shows a
> message to the user telling he has no permissions to change password.
Where? How?
> So it's confusing. I don't feel comfortable using such a thing.
>
> Actually, I was hoping for some answer from whom has ldap passwd sync
> working.
Mine is. It doesn't need anything else.
> Hints on how to debug and so on.
One was suggested: try smbldap-passwd -u from the command line and inside
samba and see if it works. If it works alone, there's a possibility that
your samba config has a problem; if it doesn't work even outside samba,
it doesn't have anything to do with samba, as it runs alone: it's a
simple perl script that binds to ldap directly.
If you conclude that the problem is with samba you can start to raise
the log level; if it's not, it's useless and maybe you should look at your
ldap acls.
So, it depends. I didn't understand what works and what doesn't, and in
which situation, now.
> Thanks again!
Edmundo Valle Neto
-
Re: [Samba] ldap passwd sync not working
Jerome Tournier wrote:
> On Tue, Feb 12, 2008 at 09:44:01AM -0200, Fabiano Caixeta Duarte wrote:
>> Hi, there!
>> When my XP users try to change passwords, they get a message saying that
>> password has been changed. That's not true!
>
> I can confirm that the following configuration works for me:
>
> unix password sync = No
> ldap passwd sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
I assume that your ldap sync passwd is enough (like I wanted to) because
smb.conf tells us that passwd chat is not used if unix password sync is
set to no.
passwd chat (G)
Note that this parameter only is only used if the unix password
sync parameter is set to yes.
So, as I told Edmundo in my last post, I tried using
unix password sync = yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for %u"*New*password:* %n\n
"*Retype new password:*" %n\n
and it sort of worked. Both samba and unix passwords were changed, but
users get a message telling them they don't have permission to change
passwords. In addition, it takes too long from when the user tries the
operation until the system responds.
Could you post (or send me in PVT) your smb.conf? I think this will help
a lot. Please also tell me the version of your OS, samba and openldap.
I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a
and openldap 2.3.38. Not using PAM.
--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
-
Re: [Samba] ldap passwd sync not working
On Thu, Feb 14, 2008 at 09:33:49AM +0100, Jerome Tournier wrote:
> On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
> Have you tried 'access to * by * write' in slapd.conf (I don't think it comes
> from here as passwords are changed, but maybe users don't have write access
> to attributes such as shadowLastChange)?
Oops, users don't need to have write access to shadowLastChange is run as root.
But maybe you can try
--
Jérôme
-
Re: [Samba] ldap passwd sync not working
On Wed, Feb 13, 2008 at 11:25:41PM -0200, Fabiano Caixeta Duarte wrote:
> I assume that your ldap sync passwd is enough (like I wanted to) because
> smb.conf tells us that passwd chat is not used if unix password sync is set
> to no.
>
> passwd chat (G)
> Note that this parameter only is only used if the unix password sync
> parameter is set to yes.
You must effectively be right. I'll try this evening to be sure.
> and it sort of worked. Both samba and unix passwords were changed, but
> users get a message telling they don't have permission to change passwords.
> In addition, it takes too long since user try the operation until system
> respond.
Isn't it related to the workstation? Have you tried with another?
Do you have any information in the Samba log?
Have you tried 'access to * by * write' in slapd.conf (I don't think it comes
from here as passwords are changed, but maybe users don't have write access
to attributes such as shadowLastChange)?
> Could you post (or send me in PVT) your smb.conf. I think this will help a
> lot. Please inform either the version of OS, samba and openldap.
I tried on CentOS release 4.6 (Final)
samba-3.0.25b-1.el4_6.4
openldap-servers-2.2.13-8.el4_6.2
smbldap-tools-0.9.5-pre4 (but changing password work with latest
packages)
> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
> openldap 2.3.38. Not using PAM.
Don't think PAM matters here.
My smb.conf:
# Global parameters
[global]
workgroup = DOMSMB
netbios name = PDC-SRV
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
unix password sync = No
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
#passwd chat debug = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=company,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
template shell = /bin/false
winbind use default domain = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
--
Jerome Tournier
GPG key ID (pgp.mit.edu): 75FE0A51
-
Re: [Samba] ldap passwd sync not working
hi Fabiano,
hi Edmundo,
the second problem here ("user has no permission") when using an
external passwd program sounds familiar to me:
>
> Sure enough smbldap-passwd works. I have tried this once ldap passwd
> sync was not working. Though, there are two problems: 1) it's too slow
> and 2) it shows a message to the user telling he has no permissions to
> change password. So it's confusing. I don't feel comfortable using such
At least on Solaris this "You do not have permissions to change your
password"-behaviour is a known problem. See Bug-ID 5121 for details and
a patch for Samba 3.0.28.
https://bugzilla.samba.org/show_bug.cgi?id=5121
kind regards,
Reinhard
--
Reinhard Sojka
Parlamentsdirektion
A1.5 - EDV / System- & Networkadmin
A-1017 Wien - Parlament
Tel. +43 1 40110 2824
Fax +43 1 40110 2848
http://www.parlament.gv.at
-
Re: [Samba] ldap passwd sync not working [solved]
Jerome Tournier wrote:
> I tried on CentOS release 4.6 (Final)
> samba-3.0.25b-1.el4_6.4
> openldap-servers-2.2.13-8.el4_6.2
> smbldap-tools-0.9.5-pre4 (but changing password work with latest
> packages)
>
>> I'm using FreeBSD 6.3 in both samba and openldap servers, Samba 3.0.26a and
>> openldap 2.3.38. Not using PAM.
You kind of helped me. Looking at openldap version (2.2) I remembered
that I had ldap passwd sync working with this version of LDAP. So I
looked for what has changed between 2.2 and 2.3 versions of Openldap. I
found password policy, which seems to be mandatory for this whole thing
to work with earlier versions of Samba.
So, I (re)compiled openldap-server with ppolicy support and inserted
these two lines in my slapd.conf:
include /path/to/schema/ppolicy.schema
overlay ppolicy
Thanks to everyone who tried helping.
--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP