
Re: smbk5pwd does not properly update sambaNTPassword and sambaLMPassword



On Wednesday, 30 September 2009 17:33:39 Scott Classen wrote:
> Hello
>
> I am running openldap 2.4.18 (BDB 4.8.24). Both of which I compiled
> from source.
> I compiled smbk5pwd with support ONLY for samba. I am using the samba
> that is distributed with CentOS 5.3 (3.0.33)

I use this module in my personal setup, and the last time I changed my 
password I had 2.4.17 installed, and my samba password works (and I am quite 
sure I didn't set it manually).

/me upgrades to 2.4.18 ...

On 2.4.18 (built from the same SRPM as the packages at 
http://staff.telkomsa.net/packages/rhel5/openldap/), it works for me:

[bgmilne@tiger ~]$ passwd
Changing password for user bgmilne.
Changing password for bgmilne.
Enter current password:
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@tiger ~]$ ldapwhoami -x -D uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -W
Enter LDAP Password:
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
[bgmilne@tiger ~]$ smbclient //localhost/bgmilne
Enter bgmilne's password:
Domain=[RANGER] OS=[Unix] Server=[Samba 3.4.1]
smb: \> 

> openldap does not crash or complain when it launches so I assume that:
>
> moduleload      /usr/local/libexec/smbk5pwd.la
>
> is at least loading up the module correctly.
>
> I have a user with the sambaSamAccount objectclass.
>
> I have configured PAM to change the LDAP userPassword when invoked
> from the command line with /usr/bin/passwd

What is pam_password set to in /etc/ldap.conf ?

Have you tried this by changing the password with ldappasswd instead (which we 
know will do an ldap password change exop, which pam_ldap should do only if 
pam_password is set to 'exop')?

> The userPassword hash gets successfully updated and the values of the
> sambaNTPassword and sambaLMPassword hashes are changed, but I am
> unable to authenticate as a samba user against these hashes... and
> they look sorta weird:
>
> 010000000000000090c9c94100000000
>
> when I would expect them to look more "complicated" like:
>
> 552902031BEDE9EFAAD3B435B51404EE
>
> Does this smell of a smbk5pwd bug/problem/misconfiguration or a samba/
> PAM one?

Could be a combination; this is only going to work if pam_password is set to 
exop. If smbk5pwd gets a password hash, it shouldn't be setting any other 
hashes.

Regards,
Buchan