
Thread: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

  1. #1
    Join Date
    Mar 2005
    Beans
    45

    Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    I followed this guide to setup Samba + OpenLDAP in Lucid:

    http://tuxnetworks.blogspot.com/2010...cid-short.html

    Everything works fine. Users can login from XP clients, access SMB shares, group mapping, etc. I also setup PAM/NSS integration so the user can login to shell/ssh and they can use passwd to change their UNIX password in the LDAP directory.

    However, users cannot change SMB password from XP clients (it says you do not have permission or something like that) nor use smbldap-password.
    The exact error I get from smbldap-passwd is:

    Code:
    Failed to modify SMB password: Insufficient access at /usr/sbin/smbldap-passwd line 238, <STDIN> line 3.
    I can still change users' SMB passwords with smbldap-passwd as root, so it looks like an ACL permission issue on the sambaNTPassword and sambaLMPassword fields?

    The ACL rules as illustrated in the guide are:

    Code:
    olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
    olcAccess: to attrs=shadowLastChange by self write by * read
    olcAccess: to dn.base="" by * read
    I checked other Samba + OpenLDAP howtos and they all have the same ACL rules. I checked my old slapd.d config backup and it had the same rules too. I tried changing the rules to

    Code:
    olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
    olcAccess: to attrs=shadowLastChange,sambaNTPassword,sambaLMPassword by self write by * read
    olcAccess: to dn.base="" by * read
    And it still didn't work.

    Your help is very much appreciated.

  2. #2
    Join Date
    Mar 2005
    Beans
    45

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Can anyone help?

  3. #3
    Join Date
    Jul 2009
    Beans
    33

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Hi there,

    I have the same problem, so thanks for starting the thread!

    Did you find a solution to this problem? I have the same ACLs as you originally had.

    I am not sure if smbpasswd will achieve the same results, because in smb.conf I have enabled LDAP password syncing.

    Please let me know. Thanks.

  4. #4
    Join Date
    Jun 2010
    Beans
    2
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Hi,

    I have the same problem here.

    smbldap-passwd managed to change the unix password but failed to change the samba one.

    Any ideas??

    --lior

  5. #5
    Join Date
    Oct 2007
    Beans
    89

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Try this:

    Code:
    access to attrs=userPassword,shadowLastChange,sambaPwdMustChange,sambaLMPassword,sambaPwdLastSet,sambaNTPassword
            by dn="cn=admin,dc=xxx,dc=xxx" write
            by anonymous auth
            by self write
            by * none
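The rule in this post changes two things at once, which is easier to see by evaluating the directives than by reading them. With the default-style configuration that upengan78's ldapsearch output later in the thread shows (its base64 `olcAccess` value decodes to the catch-all `{3}to * by dn="cn=admin,dc=pdc" write by * read`), any Samba attribute that no earlier directive names falls through to that catch-all, where `self` only gets `read`; since smbldap-passwd updates the password timestamps as well as the hashes (which is why this rule lists sambaPwdLastSet and sambaPwdMustChange), adding only the hash attributes, as tried in post #1, still ends in `Insufficient access`. The same catch-all also lets every bind, anonymous included, read sambaNTPassword, and the NT hash is password-equivalent for NTLM authentication, so the `by * none` in this rule closes a hash-disclosure hole at the same time. The Python below is an added example, not code from the thread or from OpenLDAP: a toy evaluator of the subset of slapd.access(5) semantics involved (directives tried in order, the first matching `to` wins, the first matching `by` inside it sets the level, implicit `by * none`). The three rule sets are the ones posted in this thread, written with the `dc=pdc` suffix; the catch-all behind post #1's attempt is assumed, and the user DNs are made up.

```python
"""Toy evaluator for OpenLDAP access directives (added example, not from the thread).

Models the slapd.access(5) subset the password ACLs in this thread use:
  * directives are tried in order; the first whose <what> matches the target wins;
  * inside it, the first matching <by> clause sets the access level;
  * no matching <by> clause, or no matching directive, means no access (slapd adds
    an implicit "to * by * none" whenever any directive is present).
"""
import re

# Access levels, least to most privileged (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Attributes a Samba password change rewrites, as listed in the fixed rule.
SMB_PASSWORD_ATTRS = ["sambaNTPassword", "sambaLMPassword",
                      "sambaPwdLastSet", "sambaPwdMustChange"]

def parse_acl(text):
    """'{n}to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    text = re.sub(r"^\{\d+\}", "", text.strip())           # drop the ordering prefix
    m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", text, re.S)
    if not m:
        raise ValueError("not an access directive: %r" % text)
    clauses = [c.split() for c in re.split(r"\s+by\s+", m.group(2))]
    return m.group(1), [(who, level) for who, level in clauses]

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    return False                                            # other selectors not modelled

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].strip('"').lower()
    return False

def granted(acls, bind_dn, target_dn, attr):
    """Access level bind_dn gets on attr of target_dn under the ordered directives."""
    for what, clauses in (parse_acl(a) for a in acls):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level                                # first matching by-clause
        return "none"                                       # implicit "by * none"
    return "none"                                           # implicit "to * by * none"

def allowed(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def blocked_attrs(acls, user_dn):
    """Attributes a user bound as self cannot write, i.e. what makes the change fail."""
    return [a for a in SMB_PASSWORD_ATTRS if not allowed(acls, user_dn, user_dn, a, "write")]

def nt_hash_exposed(acls, user_dn, other_dn=None):
    """True if another bind (None = anonymous) can read the user's NT hash."""
    return allowed(acls, other_dn, user_dn, "sambaNTPassword", "read")

# Rule sets from the thread, all with the dc=pdc suffix. The base64 {3} value from
# upengan78's ldapsearch output is shown decoded.
ORIGINAL = [
    '{0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous auth by self write by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    '{2}to dn.base="" by * read',
    '{3}to * by dn="cn=admin,dc=pdc" write by * read',
]
# Post #1's attempt; keeping the same catch-all behind it is an assumption.
ATTEMPT = [ORIGINAL[0],
           '{1}to attrs=shadowLastChange,sambaNTPassword,sambaLMPassword by self write by * read',
           ORIGINAL[2], ORIGINAL[3]]
# Post #5's rule, replacing {0} and {1}.
FIXED = [
    '{0}to attrs=userPassword,shadowLastChange,sambaPwdMustChange,sambaLMPassword,'
    'sambaPwdLastSet,sambaNTPassword by dn="cn=admin,dc=pdc" write by anonymous auth '
    'by self write by * none',
    ORIGINAL[2], ORIGINAL[3],
]
ALICE = "uid=alice,ou=Users,dc=pdc"   # made-up DNs
BOB = "uid=bob,ou=Users,dc=pdc"

if __name__ == "__main__":
    for name, acls in [("original", ORIGINAL), ("attempt", ATTEMPT), ("fixed", FIXED)]:
        print("%-8s self cannot write %s; NT hash readable by anonymous=%s, by bob=%s" % (
            name, blocked_attrs(acls, ALICE) or "nothing",
            nt_hash_exposed(acls, ALICE), nt_hash_exposed(acls, ALICE, BOB)))
```

Running it prints, per rule set, which of the four attributes a self-bound user cannot write and whether other binds can read the NT hash: the `original` set blocks all four and exposes the hash, the `attempt` set still blocks the two timestamp attributes and still exposes the hash, and the `fixed` set does neither. The evaluator only handles the `<what>` and `<who>` forms that appear in the thread; real slapd also appends the frontend's global directives and supports many more selectors, so treat it as a reading aid, not as a substitute for testing against the server with `ldapwhoami`/`ldapmodify` as the user.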

  6. #6
    Join Date
    Jun 2010
    Beans
    2
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Hi,

    Thanks for your help. It worked and now I can change the password using smbldap-passwd.

    I needed to do the following:

    Create an ldif file

    ----- ldif file start ----
    # continuation lines start with exactly one space; the second space before
    # "write" belongs to the value. "-" separates the delete from the add.
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    -
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaPwdMustChange,sambaLMPassword,
     sambaPwdLastSet,sambaNTPassword by dn="cn=admin,dc=xxx,dc=xxx"
      write by anonymous auth by self write by * none
    -
    -------- ldif file end -----

    Remember to change the dc=xxx,dc=xxx entries inside the file.


    Now you can run:

    ldapmodify -x -D cn=admin,cn=config -W -f file.ldif

    where file.ldif is the file you created before....

    Once this is done you can use smbldap-passwd


    --lior
    ----------------------oo--o(:-o--oo----------------
    Lior Amar, Ph.D.
    Cluster Logic Ltd --> The Art of HPC
    www.clusterlogic.net
    ----------------------------------------------------------

  7. #7
    Join Date
    Jul 2009
    Beans
    33

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Thanks Zeosa! Also thanks to liororama for the .ldif and the command. I know I will also need to run the command to modify the olcAccess. However, the command is not working in my case; can anyone help?

    cat /tmp/modify_new
    Code:
    # continuation lines start with exactly one space; "-" separates the two changes
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    -
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaPwdMustChange,sambaLMPassword,
     sambaPwdLastSet,sambaNTPassword by dn="cn=admin,dc=pdc"
      write by anonymous auth by self write by * none
    -
    ldapmodify -x -D 'cn=admin,cn=config' -W -f /tmp/modify_new
    Code:
    Enter LDAP Password: 
    modifying entry "olcDatabase={1}hdb,cn=config"
    ldap_modify: Insufficient access (50)
    ADDITIONAL INFO:

    ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb

    Code:
    Enter LDAP Password: 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <cn=config> with scope subtree
    # filter: olcDatabase={1}hdb
    # requesting: ALL
    #
    
    # {1}hdb, config
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=pdc
    olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
      auth by self write by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to dn.base="" by * read
    olcAccess:: ezN9dG8gKiBieSBkbj0iY24RtaW4ggggsZGM9cGRjeSAqIHJlYWQg
    olcLastMod: TRUE
    olcRootDN: cn=admin,dc=pdc
    olcRootPW: qqqqqqblah
    olcRootPW: {crypt}64KIVVtLyblah
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: objectClass eq
    olcDbIndex: cn eq
    olcDbIndex: uidNumber eq
    olcDbIndex: gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid eq
    olcDbIndex: memberUid eq
    olcDbIndex: uniqueMember eq
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    What am I doing incorrectly?

    Please help!

    Thanks
    Last edited by upengan78; November 8th, 2010 at 06:52 PM.

  8. #8
    Join Date
    Oct 2007
    Beans
    89

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    I had that problem too; for some reason there was an extra colon in the file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif in the olcRootPW entry.

    Try running slappasswd and pasting its output in there as olcRootPW (back up the original first, as always)
    so it looks similar to this:

    Code:
    .......
    olcRootDN: cn=admin,cn=config
    olcRootPW: {SSHA}xxxxxxxxxxxxxxx
    ........
    Then authenticate with the password you used to generate the hash using slappasswd.

    Originally I had two colons on the olcRootPW line that had my access to cn=config screwed up.

  9. #9
    Join Date
    Jul 2009
    Beans
    33

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Quote Originally Posted by Zeosa View Post
    I had that problem too; for some reason there was an extra colon in the file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif in the olcRootPW entry.

    Try running slappasswd and pasting its output in there as olcRootPW (back up the original first, as always)
    so it looks similar to this:

    Code:
    .......
    olcRootDN: cn=admin,cn=config
    olcRootPW: {SSHA}xxxxxxxxxxxxxxx
    ........
    Then authenticate with the password you used to generate the hash using slappasswd.

    Originally I had two colons on the olcRootPW line that had my access to cn=config screwed up.
    Thanks again.

    Yes, that's true. I also see "::" in front of olcAccess and olcRootPW in the file below:

    cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

    Code:
    dn: olcDatabase={1}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=pdc
    olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
      auth by self write by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to dn.base="" by * read
    olcAccess:: ezN9dG8gKiBieSBkbj0iY249YWRtRjIiB3cml0ZSBieSAqIHJlYWQg
    olcLastMod: TRUE
    olcRootDN: cn=admin,dc=pdc
    olcRootPW:: I2Flcm8kc21pabcd=
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: objectClass eq
    olcDbIndex: cn eq
    olcDbIndex: uidNumber eq
    olcDbIndex: gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid eq
    olcDbIndex: memberUid eq
    olcDbIndex: uniqueMember eq
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
    structuralObjectClass: olcHdbConfig
    entryUUID: b237ed4a-336c-102f-9e25-47eb1d9f6ff4
    creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    createTimestamp: 20100803170251Z
    entryCSN: 20100803170251.989496Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20100803170251Z
    olcRootPW: {crypt}64KIVVtLyabcd
    I will try to do what you have suggested.

  10. #10
    Join Date
    Jul 2009
    Beans
    33

    Re: Users can't change password using smbldap-pwd in Lucid [Samba + OpenLDAP]

    Code:
    ldapmodify -x -D cn=admin,cn=config -W -f /tmp/modify 
    Enter LDAP Password: 
    ldap_bind: Invalid credentials (49)
    
    Same error again.
    I do see, below, that the olcAccess line has "::" in front of it:

    Code:
    olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
      auth by self write by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to dn.base="" by * read
    olcAccess:: ezN9dG8gKiBieSBkbj0iY249YWRtaW4sZGM9cGRjIiB3cml0ZSBieSAqIHJlYWQg
    olcRootPW:: was fixed using slappasswd, thanks.

    Any idea how to fix this? Maybe this is causing the issue.
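The `::` that posts #8 to #10 run into is LDIF syntax, not a damaged file. RFC 2849 writes a value as `attr:: <base64>` when it cannot appear verbatim: it requires that for values starting with a space, `:` or `<` or containing non-ASCII or control bytes, and recommends it for values ending with a space. A line beginning with a single space continues the previous line. The `olcAccess::` value posted above decodes to `{3}to * by dn="cn=admin,dc=pdc" write by * read ` with a trailing space, which is why slapd encoded it, and an `olcRootPW` can be base64-encoded for the same reasons without being wrong. The Python below is an added example, not code from the thread or from OpenLDAP: a minimal LDIF record reader that unfolds continuation lines and decodes base64 values, plus the SAFE-STRING test from RFC 2849, run over a record assembled from the olcDatabase={1}hdb.ldif lines posted in this thread (the redacted olcRootPW lines are left out).

```python
"""Minimal LDIF record reader (added example, not from the thread or from OpenLDAP).

Two rules from RFC 2849 explain what the slapd.d files in this thread look like:
  * a line that begins with one space continues the previous line (folding);
  * "attr:: <base64>" carries a value that cannot be written verbatim.
"attr:< <url>" (value read from a file) is also recognised, for completeness.
"""
import base64

def needs_base64(value):
    """RFC 2849 SAFE-STRING test: True if slapd must (or should) write value as '::'."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":      # unsafe first char, or trailing space
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)

def unfold(text):
    """Join continuation lines and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # the first space is the marker, the rest is value
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_ldif_record(text):
    """Return {attribute: [values...]} for one record, with base64 values decoded."""
    record = {}
    for line in unfold(text):
        if line == "-":                   # change separator in a modify record
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # attr:: base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # attr:< url
            value = rest[1:].strip()
        else:                             # attr: value (one space after the colon)
            value = rest[1:] if rest.startswith(" ") else rest
        record.setdefault(name, []).append(value)
    return record

# Constructed sample: the olcDatabase={1}hdb.ldif lines posted in this thread,
# minus the redacted olcRootPW lines. The olcAccess:: value is verbatim.
SAMPLE = """\
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=pdc
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
  auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess:: ezN9dG8gKiBieSBkbj0iY249YWRtaW4sZGM9cGRjIiB3cml0ZSBieSAqIHJlYWQg
olcRootDN: cn=admin,dc=pdc
"""

def decoded_access_rules(text=SAMPLE):
    """The olcAccess values of the record, unfolded and decoded, in file order."""
    return parse_ldif_record(text)["olcAccess"]

if __name__ == "__main__":
    for rule in decoded_access_rules():
        print("%r  (base64 needed: %s)" % (rule, needs_base64(rule)))
```

The fourth rule comes out as `{3}to * by dn="cn=admin,dc=pdc" write by * read ` and `needs_base64` reports True for it and False for the three cleartext ones, so the file is consistent, and the bind failure in this post has to be looked for in `olcDatabase={0}config`'s olcRootPW rather than here. Two practical notes: an `olcRootPW` is a credential, so the `{SSHA}` hash from slappasswd is the form to store; and if you hand-edit files under slapd.d, do it with slapd stopped, or better, change the value through `ldapmodify -Y EXTERNAL -H ldapi:///` as root, the same SASL/EXTERNAL path the ldapsearch in post #7 already used.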
