LDAP and password expiry

LDAP and password expiry

jake-11
Hello,

We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
Debian. My users are complaining about warnings that their password is about to
expire and that they are told "You do not have permission to change your
password" when they try to change it. sambaAcctFlags includes the X flag which
I thought meant "don't expire passwords." The password changing thing has got
me even more stumped. Can anyone offer any clues?

/etc/pam_ldap.conf:
host localhost
base dc=trec,dc=us
ldap_version 3
rootbinddn cn=admin,dc=trec,dc=us
pam_password exop

/etc/libnss-ldap.conf:
host localhost
base dc=trec,dc=us
ldap_version 3
rootbinddn cn=admin,dc=trec,dc=us
pam_password exop

Example user entry:

dn: uid=sgoodrich,ou=Users,dc=trec,dc=us
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount,inetLocalMailRecipient
cn: Suzanne Goodrich
sn: Goodrich
uid: sgoodrich
uidNumber: 2046
gidNumber: 100
homeDirectory: /home/sgoodrich
loginShell: /bin/false
gecos: Suzanne Goodrich
description: Suzanne Goodrich
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Suzanne Goodrich
sambaSID: S-1-5-21-193596418-479643985-2333711390-5092
sambaPrimaryGroupSID: S-1-5-21-193596418-479643985-2333711390-513
sambaLMPassword: redacted
sambaNTPassword: redacted
sambaPwdLastSet: 1117397780
sambaPwdMustChange: 1125951380
userPassword: {SSHA}redacted
sambaAcctFlags: [NUX]

/etc/samba/smb.conf:
[global]
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
domain logons = yes
domain master = yes
enable privileges = yes
encrypt passwords = true
guest account = nobody
ldap admin dn = cn=admin,dc=trec,dc=us
ldap delete dn = yes
ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap ssl = no # start_tls
ldap suffix = dc=trec,dc=us
ldap user suffix = ou=Users
load printers = no
local master = yes
log file = /var/log/samba/log
log level = 1
logon drive = Z:
logon home = \\%L\%U
logon path = \\%L\%U\Profile
logon script = logon.cmd
map archive = no
map hidden = no
map system = no
max log size = 1000
name resolve order = host
null passwords = yes
obey pam restrictions = yes
os level = 65
pam password change = yes
panic action = /usr/share/samba/panic-action %d
passdb backend = ldapsam:ldap://localhost/
preferred master = yes
preserve case = yes
security = user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
short preserve case = yes
show add printer wizard = no
socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
syslog = 1
syslog only = no
time server = yes
unix password sync = yes
wins support = yes
workgroup = TREC
passwd chat debug = yes

[homes]
comment = %u's private information.
browseable = no
writable = yes
create mask = 0660
directory mask = 0770
inherit permissions = yes
hide files = /Profile/Registry/Outlook.pst/outlook.pst/Maildir/
guest ok = no
admin users = @staff

[profile]
path = %H/Profile
browsable = no
writable = yes
create mask = 0660
directory mask = 0770
# nt acl support = no
admin users = @staff

[netlogon]
comment = Network Logon Service
path = /export/netlogon
guest ok = yes
read only = yes
share modes = no
write list = root,@staff
# nt acl support = no
force group = staff
browseable = no


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
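As an added check (example code, not from the thread or from Samba): a Python script that decodes the password-ageing attributes of the user entry posted above and reports how the account looks on the day of the post. It assumes the posting time given in the date line of Craig White's reply (2005-08-25 14:53 -0400) and the flag letters Samba documents for sambaAcctFlags.

```python
from datetime import datetime, timedelta, timezone
# Constructed from the entry in the original post (password-ageing attributes only).
ENTRY = """\
uid: sgoodrich
sambaPwdCanChange: 0
sambaPwdLastSet: 1117397780
sambaPwdMustChange: 1125951380
sambaAcctFlags: [NUX]
"""
# sambaAcctFlags letters as Samba's ACB_* account-control bits name them.
ACB_FLAGS = {
    "D": "disabled", "H": "home dir required", "I": "interdomain trust",
    "L": "auto-locked", "M": "MNS logon", "N": "no password required",
    "S": "server trust", "T": "temp duplicate", "U": "normal user",
    "W": "workstation trust", "X": "password does not expire",
}
# Time of the original post, taken from the date line in Craig White's reply.
POST_TIME = datetime(2005, 8, 25, 14, 53, tzinfo=timezone(timedelta(hours=-4)))

def parse_entry(text):
    """Parse 'attribute: value' lines into a dict (single-valued attributes)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def acct_flags(value):
    """Expand a bracketed flag string such as '[NUX]' into its letters."""
    return {c for c in value.strip("[] ") if c in ACB_FLAGS}

def expiry_report(attrs, now=POST_TIME):
    """Decode the epoch fields and describe how the account looks at 'now'."""
    flags = acct_flags(attrs.get("sambaAcctFlags", "[]"))
    last_set = int(attrs["sambaPwdLastSet"])
    must_change = int(attrs["sambaPwdMustChange"])
    can_change = int(attrs.get("sambaPwdCanChange", "0"))
    now_epoch = int(now.timestamp())
    days_left = (must_change - now_epoch) / 86400
    return {
        "flags": {c: ACB_FLAGS[c] for c in sorted(flags)},
        "max_age_days": (must_change - last_set) / 86400,
        "days_until_must_change": round(days_left, 1),
        "can_change_now": can_change <= now_epoch,
        "no_expiry_flag": "X" in flags,
        # Windows clients of that era warned 14 days ahead by default; the raw
        # timestamps alone put this entry inside that window, X flag or not.
        "inside_14_day_warning_window": 0 <= days_left <= 14,
        "no_password_required": "N" in flags,
    }

if __name__ == "__main__":
    for key, value in expiry_report(parse_entry(ENTRY)).items():
        print(f"{key}: {value}")
```

The report shows a 99-day window between sambaPwdLastSet and sambaPwdMustChange with about 11 days left on the day of the post, which matches the warnings the users describe; it also surfaces the N flag (no password required) on an ordinary user account, worth reviewing alongside "null passwords = yes".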

RE: LDAP and password expiry

Paul Gienger
> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
> Debian. My users are complaining about warnings that their password is
> about to
> expire and that they are told "You do not have permission to change your
> password" when they try to change it. sambaAcctFlags includes the X flag
> which
> I thought meant "don't expire passwords." The password changing thing has
> got
> me even more stumped. Can anyone offer any clues?

Do you also get the password actually being changed when they get that
error?  I see that and also various other errors, which are false errors
since all passwords ARE in fact changed.


Re: LDAP and password expiry

Craig White-6
In reply to this post by jake-11
On Thu, 2005-08-25 at 14:53 -0400, [hidden email] wrote:
> Hello,
>
> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
> Debian. My users are complaining about warnings that their password is about to
> expire and that they are told "You do not have permission to change your
> password" when they try to change it. sambaAcctFlags includes the X flag which
> I thought meant "don't expire passwords." The password changing thing has got
> me even more stumped. Can anyone offer any clues?
>
----
I believe that you will find the warning about the change password is
generated by local policy on the computers and not demanded by Samba.

I think Paul was hinting at a rather quirky thing in Samba 3 that gets
an error reported to the user when he changes his password that it
didn't work but on properly configured systems, that message seems to
get sent anyway, even when the password change does indeed work.

Craig


RE: LDAP and password expiry

Jacob Elder
In reply to this post by Paul Gienger
No, the passwords never actually get changed.

--
Jacob Elder


Quoting Paul Gienger <[hidden email]>:

>> We are using Samba 3.0.14a-6, slapd 2.2.26-4 and smbldap-tools 0.9.1-2 on
>> Debian. My users are complaining about warnings that their password is
>> about to
>> expire and that they are told "You do not have permission to change your
>> password" when they try to change it. sambaAcctFlags includes the X flag
>> which
>> I thought meant "don't expire passwords." The password changing thing has
>> got
>> me even more stumped. Can anyone offer any clues?
>
> Do you also get the password actually being changed when they get that
> error?  I see that and also various other errors, which are false errors
> since all passwords ARE in fact changed.

Re: LDAP and password expiry

Jacob Elder
In reply to this post by Craig White-6
I should have noted that this started coming up only after we switched
to LDAP.
The local policies on the workstations are mostly unchanged from the old
domain, which did not suffer from this problem. By "mostly," I mean we are now
allowing all authenticated users to change the system time (so logon.cmd can
use NET TIME /SET /Y). This shouldn't have impacted the password expiry...


--
Jacob Elder



Re: LDAP and password expiry

John H Terpstra - Samba Team
On Thursday 25 August 2005 13:44, Jacob Elder wrote:
> I should have noted that this started coming up only after we switched
> to LDAP.
> The local policies on the workstations are mostly unchanged from the old
> domain, which did not suffer from this problem. By "mostly," I mean we are
> now allowing all authenticated users to change the system time (so
> logon.cmd can use NET TIME /SET /Y). This shouldn't have impacted the
> password expiry...

Email your smb.conf to me off-line to <[hidden email]>, I'll try to help.

- John T.


--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.