Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value


Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value

by Jörg Spilker

Hello,

I've some problems setting the initial password for Windows and Unix
users with Samba configured to use LDAP as backend.

I've attached the configuration files and the errors.

Creating a new user with net rpc user add "xyz" is working without
problem. Using for example GQ as LDAP browser, I can see the account and
also getent passwd is showing the entry. I've activated ldap passwd
sync = yes, which should update the NT password and the unix password. I've set
the password for the ldap admin dn with smbpasswd -W. However, when
issuing the command smbpasswd "xyz" I get the attached error message.

I'm not sure why, because I have difficulties reading the ldap debug
information. I know that error 50 means insufficient privileges. But
when I remove the passwd sync = yes commandline, smbpasswd updates the
NT password without problems. What is wrong?

Greetings, Joerg


# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:

access to dn.base=""
        by dn="cn=samba,dc=jetsys,dc=de" write
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by dn="cn=samba,dc=jetsys,dc=de" write
        by * read


[global]
        log level = all:10
        workgroup = JETSYS
        security = user
        domain logons = yes
        domain master = yes
       
        wins support = yes

        passdb backend = ldapsam
        ldap admin dn = cn=samba,dc=jetsys,dc=de
        ldap suffix = dc=jetsys,dc=de
        ldap user suffix = ou=users
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap idmap suffix = ou=idmaps
        ldap passwd sync = yes
        ldapsam:trusted = yes
        ldapsam:editposix = yes

        idmap domains = JETSYS
        idmap alloc backend = ldap
        idmap alloc config:ldap_base_dn = ou=idmap,dc=jetsys,dc=de
        idmap alloc config:ldap_user_dn = cn=samba,dc=jetsys,dc=de
        idmap alloc config:ldap_url = ldap://localhost
        idmap alloc config:range = 50000-500000



Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH base="dc=jetsys,dc=de" scope=2 deref=0 filter="(&(uid=js)(objectClass=sambaSamAccount))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
Jul 20 18:35:56 src@xdaolin slapd[3134]: <= bdb_equality_candidates: (uid) not indexed
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SRCH attr=sambaPwdHistoryLength
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH base="sambaDomainName=JETSYS,dc=jetsys,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SRCH attr=sambaMaxPwdAge
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=50000))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH base="ou=users,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SRCH attr=uid sambaSid
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH base="ou=groups,dc=jetsys,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-861600097-4184633116-946623014-513)))"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SRCH attr=cn displayName sambaSid sambaGroupType
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD dn="uid=js,ou=users,dc=jetsys,dc=de"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD attr=sambaPwdLastSet sambaPwdLastSet
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH attr=supportedExtension
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 PASSMOD id="uid=js,ou=users,dc=jetsys,dc=de" new
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 fd=20 closed (connection lost)

xdaolin:~ # smbpasswd js
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user js: Insufficient access
        unknown
Failed to modify entry for user js.
Failed to modify password entry for user js


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
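Jörg's log shows the failure only as a bare err=50 on op=11. Correlating the slapd lines by conn/op number makes it visible which operation failed and against which entry: here it is the PASSMOD (the Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1) that Samba issues for the unix password when ldap passwd sync is on, not the earlier MOD of the Samba attributes, which succeeded with err=0. The script below is an added example, not code from the thread or from Samba; the sample lines are copied from the log posted above and the LDAP_RESULT_CODES table is a small excerpt of the RFC 4511 result codes.

```python
"""Added example (not from the thread): correlate slapd log lines by
conn/op so that a failed operation is reported together with its kind and
target DN instead of a bare 'err=50'."""
import re

# Excerpt of the LDAP result codes (RFC 4511) that show up in password problems.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Operation names slapd prints right after "conn=N op=M".
OP_KINDS = {"BIND", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT",
            "PASSMOD", "UNBIND", "ABANDON"}

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT\b.*?\berr=(?P<err>\d+)")
TARGET_RE = re.compile(r'\b(?:base|dn|id)="(?P<dn>[^"]*)"')

# Lines copied from the log Jörg posted above (ops 9 to 11 of conn=9).
SAMPLE_LOG = """\
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD dn="uid=js,ou=users,dc=jetsys,dc=de"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 MOD attr=sambaPwdLastSet sambaPwdLastSet
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=9 RESULT tag=103 err=0 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SRCH attr=supportedExtension
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 PASSMOD id="uid=js,ou=users,dc=jetsys,dc=de" new
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 op=11 RESULT oid= err=50 text=
Jul 20 18:35:56 src@xdaolin slapd[3134]: conn=9 fd=20 closed (connection lost)
"""


def parse_ops(log_text):
    """Return {(conn, op): record} with the op kind, target DN and result code."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # index hints, connection open/close lines, etc.
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1],
                                   "kind": None, "target": None, "err": None})
        rest = m["rest"]
        r = RESULT_RE.match(rest)
        if r:
            rec["err"] = int(r["err"])
            continue
        kind = rest.split(" ", 1)[0]
        # The first line of an op names it; a PASSMOD line refines the generic EXT line.
        if kind in OP_KINDS and rec["kind"] in (None, "EXT"):
            rec["kind"] = kind
            t = TARGET_RE.search(rest)
            if t:
                rec["target"] = t["dn"]
    return ops


def failed_ops(log_text):
    """Operations whose RESULT line carried a non-zero code, with the code name."""
    out = []
    for rec in parse_ops(log_text).values():
        if rec["err"]:
            out.append(dict(rec, reason=LDAP_RESULT_CODES.get(rec["err"], "unknown")))
    return out


if __name__ == "__main__":
    for rec in failed_ops(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} {rec['kind']} on "
              f"{rec['target']!r}: err={rec['err']} ({rec['reason']})")
```

Run against the posted lines, the only failed operation reported is the PASSMOD on uid=js with insufficientAccessRights, which is the attribute-level ACL problem the replies below address; the MOD of sambaPwdLastSet on the same entry passed, so the bind DN itself is fine.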

Re: Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value

by kissg

Could you please try what happens if you set admin dn in smb.conf to your
LDAP administrator account?

In my opinion, it would be better to use the scripts provided by
smbldap-tools to change unix account information, and let Samba handle
the rest of the attributes. That way, use of the passwd sync setting would
be unnecessary. I'm attaching my config files; try to set up your
configuration according to them. I don't have problems like yours, my DC
works wonderfully with an LDAP backend.

Regards
Gergely Kiss, Hungary


Re: Error setting initial password for a user when using LDAP as backend and trying to set Samba and Unix password to the same value

by Charlie-77

Herr Spilker, you need to change this part

>access to attrs=userPassword,userPKCS12
>       by self write
>       by * auth

to allow your samba daemon to write the unix password, which is stored
in the userPassword attribute.  For example, this should work:

access to attrs=userPassword,userPKCS12
       by self write
       by dn="cn=samba,dc=jetsys,dc=de" write
       by * auth

I personally would not use these permissions (I don't let samba
daemons write passwords to accounts that do not have the
sambaSamAccount objectclass) but many people do.

You have allowed samba to write your root DSE in this stanza:

> access to dn.base=""
>        by dn="cn=samba,dc=jetsys,dc=de" write
>        by * read

I have never heard of anyone doing this before; is there a reason?

--Charlie
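Charlie's diagnosis rests on how slapd evaluates access directives: the first "access to" whose target matches is the only one consulted, and inside it the first "by" whose requester matches fixes the access level, so cn=samba falls through to "by * auth" on userPassword while the catch-all "access to *" gives it write on the Samba attributes. The evaluator below is an added example, not code from the thread or from OpenLDAP; it models only the clause forms used in Jörg's slapd.conf (dn.base, attrs, *, self, dn=, anonymous, users) and the level ordering from slapd.access(5), and it goes one step past Charlie's fix with a HARDENED_ACL stanza for sambaLMPassword/sambaNTPassword that I add here, since under the posted ACL those attributes fall into "access to * by * read".

```python
"""Added example (not from the thread): minimal evaluator for the
slapd.conf 'access to' directives discussed above. Simplified model of
slapd.access(5): clauses are tried in order, the first matching <what>
wins, and within it the first matching <who> decides the level."""
from dataclasses import dataclass

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str    # '*', 'self', 'anonymous', 'users' or 'dn="<exact dn>"'
    level: str  # one of LEVELS


@dataclass
class Access:
    what: str   # '*', 'dn.base="<dn>"' or 'attrs=<a>,<b>,...'
    by: list


def parse_acl(text):
    """Parse 'access to ... / by ...' lines; comments and blank lines are ignored."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            acl.append(Access(line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            acl[-1].by.append(By(who, level.strip()))
        else:
            raise ValueError("unsupported ACL line: " + raw)
    return acl


def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith('dn.base="') and what.endswith('"'):
        return target_dn.lower() == what[9:-1].lower()
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unauthenticated) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):  # plain dn= means dn.exact
        return requester_dn is not None and requester_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(acl, requester_dn, target_dn, attr):
    """Level the requester gets on attribute attr of entry target_dn."""
    for clause in acl:
        if not what_matches(clause.what, target_dn, attr):
            continue
        for by in clause.by:
            if who_matches(by.who, requester_dn, target_dn):
                return by.level
        return "none"  # <what> matched but no <who> did: implicit 'by * none'
    return "none"      # unreachable while a trailing 'access to *' exists


def allowed(acl, requester_dn, target_dn, attr, needed):
    return LEVELS.index(granted_level(acl, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


SAMBA_DN = "cn=samba,dc=jetsys,dc=de"          # ldap admin dn from smb.conf above
USER_DN = "uid=js,ou=users,dc=jetsys,dc=de"    # entry from the slapd log above

# The password stanza as posted by Jörg, followed by his catch-all.
ORIGINAL_ACL = """
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to *
        by dn="cn=samba,dc=jetsys,dc=de" write
        by * read
"""
# Charlie's corrected stanza: the Samba bind DN may now write userPassword.
FIXED_ACL = ORIGINAL_ACL.replace("        by * auth",
                                 '        by dn="cn=samba,dc=jetsys,dc=de" write\n        by * auth')
# Added hardening (my suggestion, not from the thread): keep the NT/LM hashes
# out of the 'by * read' catch-all, which otherwise exposes them to any binder.
HARDENED_ACL = FIXED_ACL.replace("access to *", """access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=samba,dc=jetsys,dc=de" write
        by * none
access to *""")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("hardened", HARDENED_ACL)):
        acl = parse_acl(text)
        print(name, "samba->userPassword:", granted_level(acl, SAMBA_DN, USER_DN, "userPassword"),
              "anonymous->sambaNTPassword:", granted_level(acl, None, USER_DN, "sambaNTPassword"))
```

With the original stanza the bind DN reaches only "auth" on userPassword, which is exactly the err=50 in the log, while the same DN already had "write" on sambaNTPassword through the catch-all, matching Jörg's observation that smbpasswd works once passwd sync is off. The hardened variant is worth checking in the same way: anything a specific stanza does not name inherits "by * read" from the catch-all.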