[Fedora-directory-users] Samba/Posix password sync problem

Roger Spencer rspencer at auspicecorp.com
Thu May 18 20:12:48 UTC 2006


The only way I could get a password change from Windows to also sync the 
posix password was to add the following to smb.conf:

        unix password sync = Yes
        passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

It can be debugged by adding:

        passwd chat debug = Yes

This only handles the password change coming from Windows.  If someone 
changes their password from a shell prompt using passwd, then only the 
posix password is updated and the samba one is out of sync. 

Plant, Dean wrote:
> Hello list,
>
> I am fairly new to FDS and my head is starting to hurt trying to get
> things working correctly. I am having a problem syncing passwords using
> FDS from Samba to the posix password on Centos 3. When I change the
> password on my XP sp2 test machine I get "The username or old password
> is incorrect. Letters in passwords must be typed using the correct
> case". The password change is successful in samba, as I can logoff and
> the use the new password. The password change does not propagate into
> the Posix account details.
>
> SSL is configured and seems to be working. "ldapsearch -x -ZZ uid=test"
> returns the test user information.
>
> I have used Authconfig to configure LDAP with TLS on the test server to
> test the Posix account details.
>
> I am using the IdealX scripts, the /opt/IDEALX/sbin/smbldap-passwd works
> without TLS but I think I have a problem when enabling TLS within these
> scripts as smbldap-passwd fails to run. Below are my TLS settings from
> the /etc/opt/IDEALX/smbldap-tools/smbldap.conf. Does this look correct?
>
> If anyone can give me a kick in the right direction I would appreciate
> the help.
>
> # Use TLS for LDAP
> # If set to 1, this option will use start_tls for connection
> # (you should also used the port 389)
> # If not defined, parameter is set to "1"
> #ldapTLS="0"
> ldapTLS="1"
>
> # How to verify the server's certificate (none, optional or require)
> # see "man Net::LDAP" in start_tls section for more details
> verify=""
>
> # CA certificate
> # see "man Net::LDAP" in start_tls section for more details
> cafile="/opt/fedora-ds/alias/cacert.asc"
>
> # certificate to use to connect to the ldap server
> # see "man Net::LDAP" in start_tls section for more details
> clientcert="/opt/fedora-ds/alias/slapd-myhost-cert8.db"
>
> # key certificate to use to connect to the ldap server
> # see "man Net::LDAP" in start_tls section for more details
> clientkey="/opt/fedora-ds/alias/slapd-myhost-key3.db"
>
>
> The samba log for the XP connection shows
>
> 2006/05/09 09:53:08, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
>   ldapsam_modify_entry: LDAP Password could not be changed for user
> test: Confidentiality required
>         Operation requires a secure connection.
>
> [2006/05/09 09:53:08, 0]
> passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
>   ldapsam_update_sam_account: failed to modify user with uid = test,
> error: Operation requires a secure connection.
>    (Success)
> [2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
>   decode_pw_buffer: incorrect password length (1600733334).
> [2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
>   decode_pw_buffer: check that 'encrypt passwords = yes'
>
> The directory server logs show
>
> [09/May/2006:09:53:07 +0100] conn=247 fd=67 slot=67 connection from
> 127.0.0.1 to 127.0.0.1
> [09/May/2006:09:53:07 +0100] conn=247 op=0 BIND dn="cn=Directory
> Manager" method=128 version=3
> [09/May/2006:09:53:07 +0100] conn=247 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
> [09/May/2006:09:53:07 +0100] conn=247 op=1 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp"
> [09/May/2006:09:53:07 +0100] conn=247 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=248 fd=71 slot=71 connection from
> 127.0.0.1 to 127.0.0.1
> [09/May/2006:09:53:07 +0100] conn=246 op=4 UNBIND
> [09/May/2006:09:53:07 +0100] conn=246 op=4 fd=68 closed - U1
> [09/May/2006:09:53:07 +0100] conn=248 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/May/2006:09:53:07 +0100] conn=248 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/May/2006:09:53:07 +0100] conn=248 SSL 256-bit AES
> [09/May/2006:09:53:07 +0100] conn=248 op=1 BIND dn="" method=128
> version=3
> [09/May/2006:09:53:07 +0100] conn=248 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [09/May/2006:09:53:07 +0100] conn=248 op=2 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword
> uidNumber gidNumber cn homeDirectory loginShell gecos description
> objectClass"
> [09/May/2006:09:53:07 +0100] conn=248 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=249 fd=68 slot=68 connection from
> 127.0.0.1 to 127.0.0.1
> [09/May/2006:09:53:07 +0100] conn=248 op=3 UNBIND
> [09/May/2006:09:53:07 +0100] conn=248 op=3 fd=71 closed - U1
> [09/May/2006:09:53:07 +0100] conn=249 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/May/2006:09:53:07 +0100] conn=249 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/May/2006:09:53:07 +0100] conn=249 SSL 256-bit AES
> [09/May/2006:09:53:07 +0100] conn=249 op=1 BIND dn="" method=128
> version=3
> [09/May/2006:09:53:07 +0100] conn=249 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [09/May/2006:09:53:07 +0100] conn=249 op=2 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2 filter="(uid=test)" attrs=ALL
> [09/May/2006:09:53:07 +0100] conn=249 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=249 op=3 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=test,ou=People,dc=roke,dc=co,dc=uk)))" attrs="cn userPassword memberUid
> uniqueMember gidNumber"
> [09/May/2006:09:53:07 +0100] conn=249 op=3 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=247 op=2 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp"
> [09/May/2006:09:53:07 +0100] conn=247 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=249 op=4 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword
> uidNumber gidNumber cn homeDirectory loginShell gecos description
> objectClass"
> [09/May/2006:09:53:07 +0100] conn=249 op=4 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/May/2006:09:53:07 +0100] conn=247 op=3 MOD
> dn="uid=test,ou=People,dc=roke,dc=co,dc=uk"
> [09/May/2006:09:53:07 +0100] conn=247 op=3 RESULT err=0 tag=103
> nentries=0 etime=0
> [09/May/2006:09:53:07 +0100] conn=247 op=4 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedExtension"
> [09/May/2006:09:53:08 +0100] conn=247 op=4 RESULT err=0 tag=101
> nentries=1 etime=1
> [09/May/2006:09:53:08 +0100] conn=247 op=5 EXT
> oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
> [09/May/2006:09:53:08 +0100] conn=247 op=5 RESULT err=13 tag=120
> nentries=0 etime=0
> [09/May/2006:09:53:08 +0100] conn=247 op=6 SRCH
> base="dc=roke,dc=co,dc=uk" scope=2
> filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp"
> [09/May/2006:09:53:08 +0100] conn=247 op=6 RESULT err=0 tag=101
> nentries=1 etime=0
>
> My smb.conf
>
> [global]
> workgroup = TEST
> security = user
> passdb backend = ldapsam:ldap://localhost
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=roke,dc=co,dc=uk
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> encrypt passwords = yes
>
> log file = /var/log/samba/%m.log
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> os level = 33
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
>
> wins support = yes
>
> logon home = \\%L\%U\profiles
> logon path = \\%L\profiles\%U
> logon drive = H:
>
> template shell = /bin/false
> winbind use default domain = no
>
> #ldap ssl = yes
> ldap passwd sync = Yes
>
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
> add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
> add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
>
> [netlogon]
> path = /var/lib/samba/netlogon
> read only = yes
> browsable = no
>
> [profiles]
> path = /var/lib/samba/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
>
> [homes]
> browsable = no
> writable = yes
>
> Thanks
>
> Dean Plant
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
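
The directory-server log quoted above contains two kinds of connection: conn=248 and conn=249 issue startTLS (the server then logs "SSL 256-bit AES") before binding anonymously, while conn=247, bound as cn=Directory Manager and never upgraded to TLS, gets err=13 on the passwd_modify_extop. LDAP result 13 is confidentialityRequired, which is the "Operation requires a secure connection" in the Samba log, and the quoted smb.conf has "ldap ssl = yes" commented out, so conn=247 is the connection to check. The Python script below is an added example, not code from either poster or from Samba, Fedora DS or smbldap-tools: it walks access-log lines of the shape shown, tracks each connection's bind identity and TLS state, and reports every MOD and Password-Modify extended operation together with the channel it travelled over, so a password write attempted in the clear stands out when auditing. The sample log is trimmed from the quoted lines, with two constructed lines (a TLS-protected password modify on conn=248) added for contrast; RESULT_NAMES covers only a handful of result codes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Shapes of the 389-DS / Fedora Directory Server access-log lines quoted in the thread.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
OID_RE = re.compile(r'\boid="(?P<oid>[^"]*)"')

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"        # RFC 4511 StartTLS
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
RESULT_NAMES = {0: "success", 13: "confidentialityRequired",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


@dataclass
class Conn:
    conn_id: str
    bind_dn: str = ""   # DN of the last successful bind; "" means anonymous
    tls: bool = False   # set once the server logs an "SSL ..." line for the connection
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # op -> (kind, target)


@dataclass
class Finding:
    conn_id: str
    op: str
    kind: str     # "MOD" or "EXT"
    target: str   # modified DN, or the extended-operation OID
    bind_dn: str
    tls: bool
    err: int

    @property
    def result(self) -> str:
        return RESULT_NAMES.get(self.err, f"err={self.err}")

    def describe(self) -> str:
        channel = "TLS" if self.tls else "CLEARTEXT"
        who = self.bind_dn or "anonymous"
        return f"conn={self.conn_id} op={self.op} {self.kind} {self.target} by {who} over {channel}: {self.result}"


def _group(rx: "re.Pattern[str]", text: str, name: str) -> str:
    m = rx.search(text)
    return m[name] if m else ""


def audit_write_ops(lines: List[str]) -> List[Finding]:
    """One Finding per MOD or Password-Modify extended op, with the channel
    (TLS or cleartext) and bind identity of the connection that issued it."""
    conns: Dict[str, Conn] = {}
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn = conns.setdefault(m["conn"], Conn(m["conn"]))
        rest = m["rest"]
        if rest.startswith("SSL "):          # logged after a successful StartTLS
            conn.tls = True
            continue
        om = OP_RE.match(rest)
        if not om:                           # "connection from", "fd=.. closed", etc.
            continue
        op, kind, args = om["op"], om["kind"], om["args"]
        if kind == "BIND":
            conn.pending[op] = ("BIND", _group(DN_RE, args, "dn"))
        elif kind == "MOD":
            conn.pending[op] = ("MOD", _group(DN_RE, args, "dn"))
        elif kind == "EXT":
            conn.pending[op] = ("EXT", _group(OID_RE, args, "oid"))
        elif kind == "RESULT":
            pend = conn.pending.pop(op, None)
            if pend is None:
                continue
            pkind, target = pend
            err = int(_group(ERR_RE, args, "err") or "-1")
            if pkind == "BIND" and err == 0:
                conn.bind_dn = target        # identity applies to later ops on this conn
            elif pkind == "MOD" or (pkind == "EXT" and target == PASSWD_MODIFY_OID):
                findings.append(Finding(conn.conn_id, op, pkind, target, conn.bind_dn, conn.tls, err))
    return findings


# Trimmed from the access log quoted in the thread; the last two lines are constructed.
SAMPLE_LOG = """
[09/May/2006:09:53:07 +0100] conn=247 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
[09/May/2006:09:53:07 +0100] conn=247 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[09/May/2006:09:53:07 +0100] conn=247 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/May/2006:09:53:07 +0100] conn=248 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1
[09/May/2006:09:53:07 +0100] conn=248 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/May/2006:09:53:07 +0100] conn=248 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/May/2006:09:53:07 +0100] conn=248 SSL 256-bit AES
[09/May/2006:09:53:07 +0100] conn=248 op=1 BIND dn="" method=128 version=3
[09/May/2006:09:53:07 +0100] conn=248 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/May/2006:09:53:07 +0100] conn=247 op=3 MOD dn="uid=test,ou=People,dc=roke,dc=co,dc=uk"
[09/May/2006:09:53:07 +0100] conn=247 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[09/May/2006:09:53:08 +0100] conn=247 op=5 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[09/May/2006:09:53:08 +0100] conn=247 op=5 RESULT err=13 tag=120 nentries=0 etime=0
[09/May/2006:09:53:08 +0100] conn=248 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[09/May/2006:09:53:08 +0100] conn=248 op=2 RESULT err=0 tag=120 nentries=0 etime=0
"""

if __name__ == "__main__":
    for f in audit_write_ops(SAMPLE_LOG.splitlines()):
        flag = "" if f.tls else "   <-- password write attempted without TLS"
        print(f.describe() + flag)
```

Run against a real access log with `audit_write_ops(open(path).read().splitlines())`; the MOD on conn=247 succeeds in the clear (the server enforces confidentiality only on the Password Modify extended op here), which is why the audit reports plain MODs as well as extops rather than relying on the error code alone.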