[Fedora-directory-users] Problems with syncronism between Fedora-DS and Samba

Josh Kelley joshkel at gmail.com
Fri Mar 9 19:09:58 UTC 2007


On 3/9/07, Agnaldo Freitas <agnaldofreitas at hotmail.com> wrote:
> 1 - [root at netuno1 ~]# passwd samuel
>
> Changing password for user samuel.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for samuel
> passwd: all authentication tokens updated successfully.
>
>
> Why this line "Enter login(LDAP) password:", if it is root that is changing
> samuel's password? It does not happen when the user is from /etc/passwd!

I think that it's asking for root's password to bind to the LDAP
directory.  If you set the rootbinddn parameter in /etc/ldap.conf and
create /etc/ldap.secret (mode 600) containing the root DN's password,
then that message should go away.

Note that the passwd command won't update Samba passwords stored in
LDAP.  There has been talk of adding a plugin to FDS to let it
automatically synchronize Samba passwords when it receives a password
change, but I don't think that's been done.

> 2 - Depending on the pam_password parameter (howto: the wiki suggests exop),
> smbpasswd fails:
>
> [root at netuno1 ~]# smbpasswd samuel
> ldapsam_modify_entry: LDAP Password could not be changed for user samuel:
> Confidentiality required
>         Operation requires a secure connection.
>  ldapsam_update_sam_account: failed to modify user with uid = samuel, error:
> Operation requires a secure connection.
>  (Success)
>  Failed to modify entry for user samuel.
>  Failed to modify password entry for user samuel
>
>
> 3 - When a user tries to change his password using CTRL + ALT + DEL from
> Windows, after typing the passwords:
>
> If ldap passwd sync = yes is set in /etc/samba/smb.conf, it returns
> the message: current password or user's name is incorrect; on the other hand,
> if unix password sync = yes (password chat ...) is set, it returns the
> message: you do not have permission to modify the password, and only the
> samba password is changed (in both cases). I need userPassword for single
> sign on because I use other services.
>
> Why does smbldap-passwd always run ok from the prompt and not from the
> password program parameter?!

I haven't used smbldap-passwd, so I can't really help you there.
Using "ldap passwd sync" instead of "unix password sync" should work.

Did you make sure to set your root DN password in Samba by running
"smbpasswd -W"?

We're using a setup very similar to yours (Samba PDC, FDS with simple
bind), and here are the settings that we're using.  In
/etc/samba/smb.conf:

passdb backend = ldapsam:"ldaps://ldapserver.example.com/"
ldap admin dn = "cn=Directory Manager"
ldap suffix = "dc=example,dc=com"
ldap password sync = yes

In /etc/ldap.conf:
pam_password md5

Then run "smbpasswd -W" to let Samba store the admin DN / root DN.

We don't use passwd chat or exop.

Your problems in #2 and #3 sound like more of a Samba issue than an
FDS issue.  I'll be glad to answer any questions I can, but if you
continue to have trouble, you might have better luck on the Samba
mailing list.

Josh Kelley
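As an added example (not part of the thread, and not Samba's or Fedora DS's own tooling), here is a small pre-flight script that checks the settings Josh lists before anyone runs passwd or smbpasswd: /etc/ldap.secret non-empty and mode 600, rootbinddn and pam_password set in /etc/ldap.conf, and passdb backend pointing at an ldaps:// URI with ldap passwd sync enabled in smb.conf. Paths are passed as arguments so it can be run against copies, and the sample files it builds are constructed, with a placeholder instead of a real root DN password. The "Confidentiality required" text in problem #2 is LDAP result code 13 (confidentialityRequired), the server refusing the password modify over a connection it does not consider secure, which is why the ldaps:// check is included.

```shell
#!/bin/sh
# Added example, not from the original thread or from Samba/FDS: a pre-flight
# check for the settings Josh lists. Paths are passed in, so it can be run
# against copies; nothing here talks to the directory.

# check_ldap_secret FILE
# ldap.secret holds the root DN password in cleartext, so it must be
# non-empty and readable by root only (mode 600). Returns 0 when it is.
check_ldap_secret() {
    f="$1"
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
    return 0
}

# check_ldap_conf FILE
# rootbinddn must be set so that root's passwd run binds as the root DN using
# ldap.secret instead of prompting "Enter login(LDAP) password:", and
# pam_password must name a hashing method (Josh's setup uses md5).
check_ldap_conf() {
    grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+[^[:space:]]' "$1" \
        || { echo "$1: rootbinddn not set" >&2; return 1; }
    grep -Eq '^[[:space:]]*pam_password[[:space:]]+[^[:space:]]' "$1" \
        || { echo "$1: pam_password not set" >&2; return 1; }
    return 0
}

# check_smb_conf FILE
# passdb backend must use an ldaps:// URI: a cleartext ldap:// URI against a
# server that requires a secure connection for password modifies is what
# produces the "Confidentiality required" (LDAP result 13) failure.
# "ldap passwd sync" (synonym "ldap password sync") must be yes so that
# userPassword is updated along with the Samba hashes.
check_smb_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:"?ldaps://' "$f" \
        || { echo "$f: passdb backend is not ldapsam over ldaps://" >&2; return 1; }
    grep -Eiq '^[[:space:]]*ldap pass(wd|word) sync[[:space:]]*=[[:space:]]*yes' "$f" \
        || { echo "$f: ldap passwd sync is not yes" >&2; return 1; }
    return 0
}

# run_all SMB_CONF LDAP_CONF LDAP_SECRET
# Runs every check, reports each one, and returns 0 only when all pass.
run_all() {
    rc=0
    check_smb_conf "$1"    && echo "smb.conf: ok"    || rc=1
    check_ldap_conf "$2"   && echo "ldap.conf: ok"   || rc=1
    check_ldap_secret "$3" && echo "ldap.secret: ok" || rc=1
    return $rc
}

# make_sample DIR
# Writes constructed sample files (not real configs) into DIR that mirror the
# settings in Josh's message; the secret is a placeholder, not a password.
make_sample() {
    d="$1"
    cat > "$d/smb.conf" <<'EOF'
[global]
passdb backend = ldapsam:"ldaps://ldapserver.example.com/"
ldap admin dn = "cn=Directory Manager"
ldap suffix = "dc=example,dc=com"
ldap passwd sync = yes
EOF
    cat > "$d/ldap.conf" <<'EOF'
host ldapserver.example.com
base dc=example,dc=com
rootbinddn cn=Directory Manager
pam_password md5
EOF
    printf 'PLACEHOLDER-ROOT-DN-PASSWORD\n' > "$d/ldap.secret"
    chmod 600 "$d/ldap.secret"
}

# Stand-alone run: build the constructed samples in a scratch dir, check them,
# then clean up. Point run_all at /etc/samba/smb.conf, /etc/ldap.conf and
# /etc/ldap.secret to check a real host.
tmp=$(mktemp -d)
make_sample "$tmp"
run_all "$tmp/smb.conf" "$tmp/ldap.conf" "$tmp/ldap.secret"
rm -rf "$tmp"
```

The checks are deliberately only about the static configuration; the last step, "smbpasswd -W" to store the admin DN password in secrets.tdb, leaves no trace in smb.conf and has to be verified by running smbpasswd against the directory.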
