[Fedora-directory-users] Samba/Posix password sync problem

Plant, Dean dean.plant at roke.co.uk
Tue May 9 13:58:55 UTC 2006


Hello list,

I am fairly new to FDS and my head is starting to hurt trying to get
things working correctly. I am having a problem syncing passwords using
FDS from Samba to the posix password on Centos 3. When I change the
password on my XP sp2 test machine I get "The username or old password
is incorrect. Letters in passwords must be typed using the correct
case". The password change is successful in Samba, as I can log off and
then log on with the new password. The password change does not propagate
into the Posix account details.

SSL is configured and seems to be working. "ldapsearch -x -ZZ uid=test"
returns the test user information.

I have used Authconfig to configure LDAP with TLS on the test server to
test the Posix account details.

I am using the IdealX scripts; /opt/IDEALX/sbin/smbldap-passwd works
without TLS, but I think I have a problem when enabling TLS within these
scripts, as smbldap-passwd fails to run. Below are my TLS settings from
/etc/opt/IDEALX/smbldap-tools/smbldap.conf. Do these look correct?

If anyone can give me a kick in the right direction I would appreciate
the help.

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# If not defined, parameter is set to "1"
# NOTE(review): the directory server log further down shows other clients
# on this host (conn=248, conn=249) completing startTLS with 256-bit AES,
# so TLS on the server side works; the smbldap-passwd failure is most
# likely in the client-side settings below.
#ldapTLS="0"
ldapTLS="1"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
# NOTE(review): an empty string falls back to Net::LDAP's default, which
# is "none" - whatever certificate the server presents is accepted and
# cafile below is never consulted. Once cafile is known to be correct,
# set verify="require" so the script only talks to a directory server
# whose certificate chains to that CA.
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
# NOTE(review): Net::LDAP hands this path to IO::Socket::SSL, which reads
# PEM files; the cacert.asc exported by FDS is normally PEM text, so this
# should be usable - confirm the file starts with
# "-----BEGIN CERTIFICATE-----".
cafile="/opt/fedora-ds/alias/cacert.asc"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
# NOTE(review): cert8.db and key3.db are the slapd instance's own NSS
# databases (its server certificate and private key). IO::Socket::SSL
# cannot read NSS databases - it expects PEM certificate and key files -
# so pointing the client at these is the most likely reason
# smbldap-passwd stops working as soon as ldapTLS is on. For plain
# start_tls with server authentication only, leave clientcert and
# clientkey unset (or commented out) and rely on cafile plus verify.
# Only supply a client certificate if the directory is configured to
# require one, and then use a PEM cert/key issued to the client - a
# client script should never be given the server's private key.
clientcert="/opt/fedora-ds/alias/slapd-myhost-cert8.db"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/opt/fedora-ds/alias/slapd-myhost-key3.db"


The samba log for the XP connection shows

[2006/05/09 09:53:08, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
  ldapsam_modify_entry: LDAP Password could not be changed for user
test: Confidentiality required
        Operation requires a secure connection.

[2006/05/09 09:53:08, 0]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
  ldapsam_update_sam_account: failed to modify user with uid = test,
error: Operation requires a secure connection.
   (Success)
[2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
  decode_pw_buffer: incorrect password length (1600733334).
[2006/05/09 09:53:08, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
  decode_pw_buffer: check that 'encrypt passwords = yes'

The directory server logs show

[09/May/2006:09:53:07 +0100] conn=247 fd=67 slot=67 connection from
127.0.0.1 to 127.0.0.1
[09/May/2006:09:53:07 +0100] conn=247 op=0 BIND dn="cn=Directory
Manager" method=128 version=3
[09/May/2006:09:53:07 +0100] conn=247 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[09/May/2006:09:53:07 +0100] conn=247 op=1 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp"
[09/May/2006:09:53:07 +0100] conn=247 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=248 fd=71 slot=71 connection from
127.0.0.1 to 127.0.0.1
[09/May/2006:09:53:07 +0100] conn=246 op=4 UNBIND
[09/May/2006:09:53:07 +0100] conn=246 op=4 fd=68 closed - U1
[09/May/2006:09:53:07 +0100] conn=248 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/May/2006:09:53:07 +0100] conn=248 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/May/2006:09:53:07 +0100] conn=248 SSL 256-bit AES
[09/May/2006:09:53:07 +0100] conn=248 op=1 BIND dn="" method=128
version=3
[09/May/2006:09:53:07 +0100] conn=248 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[09/May/2006:09:53:07 +0100] conn=248 op=2 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description
objectClass"
[09/May/2006:09:53:07 +0100] conn=248 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=249 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/May/2006:09:53:07 +0100] conn=248 op=3 UNBIND
[09/May/2006:09:53:07 +0100] conn=248 op=3 fd=71 closed - U1
[09/May/2006:09:53:07 +0100] conn=249 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/May/2006:09:53:07 +0100] conn=249 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/May/2006:09:53:07 +0100] conn=249 SSL 256-bit AES
[09/May/2006:09:53:07 +0100] conn=249 op=1 BIND dn="" method=128
version=3
[09/May/2006:09:53:07 +0100] conn=249 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[09/May/2006:09:53:07 +0100] conn=249 op=2 SRCH
base="dc=roke,dc=co,dc=uk" scope=2 filter="(uid=test)" attrs=ALL
[09/May/2006:09:53:07 +0100] conn=249 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=249 op=3 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=te
st,ou=People,dc=roke,dc=co,dc=uk)))" attrs="cn userPassword memberUid
uniqueMember gidNumber"
[09/May/2006:09:53:07 +0100] conn=249 op=3 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=247 op=2 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp"
[09/May/2006:09:53:07 +0100] conn=247 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=249 op=4 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description
objectClass"
[09/May/2006:09:53:07 +0100] conn=249 op=4 RESULT err=0 tag=101
nentries=1 etime=0
[09/May/2006:09:53:07 +0100] conn=247 op=3 MOD
dn="uid=test,ou=People,dc=roke,dc=co,dc=uk"
[09/May/2006:09:53:07 +0100] conn=247 op=3 RESULT err=0 tag=103
nentries=0 etime=0
[09/May/2006:09:53:07 +0100] conn=247 op=4 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedExtension"
[09/May/2006:09:53:08 +0100] conn=247 op=4 RESULT err=0 tag=101
nentries=1 etime=1
[09/May/2006:09:53:08 +0100] conn=247 op=5 EXT
oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[09/May/2006:09:53:08 +0100] conn=247 op=5 RESULT err=13 tag=120
nentries=0 etime=0
[09/May/2006:09:53:08 +0100] conn=247 op=6 SRCH
base="dc=roke,dc=co,dc=uk" scope=2
filter="(&(uid=test)(objectClass=sambaSamAccount))" attrs="uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp"
[09/May/2006:09:53:08 +0100] conn=247 op=6 RESULT err=0 tag=101
nentries=1 etime=0

My smb.conf

[global]
workgroup = TEST
security = user
# Plain ldap:// URL on the default port. The directory server log above
# shows Samba's own connection (conn=247) binding, searching and
# modifying without ever issuing startTLS, i.e. in clear text.
passdb backend = ldapsam:ldap://localhost
# NOTE(review): Samba binds as the directory super-user (the log shows
# BIND dn="cn=Directory Manager"). A dedicated bind DN whose ACIs are
# limited to the Samba/posix attributes under ou=People, ou=Computers and
# ou=Groups would follow least privilege and avoid storing the
# super-user password on the file server.
ldap admin dn = cn=Directory Manager
ldap suffix = dc=roke,dc=co,dc=uk
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
encrypt passwords = yes

# %m = client NetBIOS name, so each client gets its own log file.
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# This host is the PDC and browse master for the TEST workgroup.
os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes

wins support = yes

# Roaming profile location, served by the [profiles] share below.
logon home = \\%L\%U\profiles
logon path = \\%L\profiles\%U
logon drive = H:

template shell = /bin/false
winbind use default domain = no

# NOTE(review): this is where the sync fails. With "ldap ssl" left at its
# default Samba never upgrades conn=247 to TLS, and the directory server
# answers the password-modify extended operation
# (oid 1.3.6.1.4.1.4203.1.11.1) on that connection with err=13,
# "Confidentiality required" - the same text that appears in the Samba
# log. Use `ldap ssl = start tls` together with the ldap:// URL above;
# the commented value "yes" is treated like "on", which selects LDAPS on
# the ldaps port and does not match that URL. If the StartTLS handshake
# then fails, check that the CA which signed the directory server's
# certificate is trusted by the OpenLDAP client library
# (TLS_CACERT in ldap.conf).
#ldap ssl = yes
# Makes Samba push the new password into userPassword through the LDAP
# password-modify extended operation - the op rejected above.
ldap passwd sync = Yes

# Provisioning hooks delegated to smbldap-tools. The %u/%g substitutions
# are double-quoted so each name is passed as a single argument.
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
# NOTE(review): the next two entries look wrapped by the mail client;
# presumably each is a single line in the real smb.conf - confirm.
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

# Logon scripts: read-only for clients and hidden from browse lists.
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
browsable = no

# Roaming profiles (matches "logon path" in [global]). Files and
# directories are created owner-only (0600/0700) so one user's profile
# is not readable by another.
[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700

# Per-user home directories, not listed in browse lists.
[homes]
browsable = no
writable = yes

Thanks

Dean Plant



