Package: smbldap-tools
Severity: important
Tags: patch

The documentation covering the LDAP password sync integration is incorrect or misleading. Samba does its own internal LDAP password sync, which is governed by the 'ldap passwd sync' flag. Setting this to yes will cause samba to update the password directly. For completeness, the 'ldap passwd sync' flag actually updates the 'userPassword' attribute stored in LDAP when you are using the ldapsam backend. The other samba password hashes - the NT and LM passwords - are always updated, regardless of this setting and regardless of the sam being used.
The 'passwd program' and 'passwd chat' parameters are only called if the 'unix password sync' parameter is set to yes. Setting both 'unix password sync' and 'ldap passwd sync' to yes, and having the example configuration for 'passwd program' and 'passwd chat', will result in a race condition between the two update (internal and external) processes, which inevitably results in the password change failing. Internal ldap sync should be ok, except I have found at least one package which could not use the passwords samba's internal mechanism set.

Correct behaviour is to *either* set:

   unix password sync = no
   ldap passwd sync = yes

and not set 'passwd program' and 'passwd chat' at all. This will result in samba doing all the password synchronization itself. Or set:

   unix password sync = yes
   ldap passwd sync = no
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

This will result in samba updating the NT/LM passwords itself, and calling out to the specified passwd program to update the rest. Passing the -u parameter to smbldap-passwd causes it to only update the userPassword attribute in LDAP, as opposed to trying to update everything, which can potentially cause another race condition.

I have only verified that this is the case on samba 3.0.21c packaged by samba.org. I upgraded to this to see if it was a bug within the Sarge 3.0.14a packages; however, upgrading didn't fix it and I eventually discovered the above. I have yet to try reverting to Sarge packages and testing; however, this is a fundamental misconfiguration of these parameters, and so I cannot foresee any reason for it not applying.

-----------------------------------------------------
--- README.Debian.orig 2006-03-28 07:55:43.000000000 +1200
+++ README.Debian 2006-03-28 07:56:42.000000000 +1200
@@ -74,9 +74,11 @@ 3. More to use the smbldap-tools to change passwords: - ; Do ldap passwd sync - ldap passwd sync = Yes - passwd program = /usr/sbin/smbldap-passwd %u + ; Don't use samba's internal LDAP password sync + ldap passwd sync = No + ; Use an external program to sync the LDAP password + unix password sync = Yes + passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* 4. And if you want to administer user and groups from windows add:
-----------------------------------------------------

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
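Review bot: the added comment "; Don't use samba's internal LDAP password sync" gives the setting but not the reason, and that reason is the whole point of the change: a reader who keeps "ldap passwd sync = Yes" from the old text next to the new "unix password sync = Yes" gets Samba's internal update racing smbldap-passwd, and the password change fails. The hunk should state that the two mechanisms must not both be enabled, and that "-u" limits smbldap-passwd to the userPassword attribute because Samba writes the NT/LM hashes itself. It would also help to document the alternative the report describes as equally valid ("ldap passwd sync = Yes", "unix password sync = No", no "passwd program"/"passwd chat"), so the README does not present the external program as the only option. While the section is touched, the unchanged context line "3. More to use the smbldap-tools to change passwords:" reads as a truncated sentence and could be fixed too.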
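Because the failure mode above is a specific combination of three smb.conf parameters, a checker that flags it is worth having. The following is an added example, not code from this report or from the smbldap-tools or Samba projects: it parses the [global] section of an smb.conf and reports the conflicting combination (both sync flags on with a 'passwd program' set), a 'passwd program' that is never called, and an smbldap-passwd invocation without -u. The three sample configurations are constructed for the example; the parser also accepts Samba's documented synonym 'ldap password sync' and treats the value 'Only' as enabled, and the CONFLICT/WARN/INFO wording is mine.

```python
"""Flag the smb.conf password-sync combination that makes Samba and smbldap-passwd race."""
import re

# Constructed sample: the setup the report says fails (both sync mechanisms on,
# plus an external passwd program that tries to update everything).
SAMPLE_CONFLICT = r"""
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://127.0.0.1/
   ; Do ldap passwd sync
   ldap passwd sync = Yes
   unix password sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

[homes]
   browseable = no
"""

# Constructed sample: Samba does all synchronisation itself.
SAMPLE_INTERNAL = r"""
[global]
   passdb backend = ldapsam:ldap://127.0.0.1/
   unix password sync = no
   ldap passwd sync = yes
"""

# Constructed sample: Samba updates NT/LM, smbldap-passwd -u updates userPassword.
SAMPLE_EXTERNAL = r"""
[global]
   passdb backend = ldapsam:ldap://127.0.0.1/
   unix password sync = yes
   ldap passwd sync = no
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
"""


def parse_global(text):
    """Return the [global] parameters as a dict.

    Samba parameter names are case-insensitive and internal whitespace is not
    significant, so keys are lower-cased and whitespace-collapsed.  Lines
    starting with ';' or '#' are comments.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params


def is_enabled(value):
    """Samba boolean; 'only' is the third value of 'ldap passwd sync' and
    still means Samba writes userPassword itself."""
    return value.strip().lower() in ("yes", "true", "1", "only")


def check_password_sync(text):
    """Return findings as strings prefixed CONFLICT:, WARN: or INFO: (empty list = ok)."""
    params = parse_global(text)
    # 'ldap password sync' is Samba's documented synonym for 'ldap passwd sync'.
    ldap_sync = is_enabled(params.get("ldap passwd sync",
                                      params.get("ldap password sync", "no")))
    unix_sync = is_enabled(params.get("unix password sync", "no"))
    program = params.get("passwd program", "")
    findings = []
    if ldap_sync and unix_sync and program:
        findings.append("CONFLICT: 'ldap passwd sync' and 'unix password sync' are both on "
                        "with 'passwd program' set; Samba and the external program will "
                        "both try to update the password and the change will fail")
    if unix_sync and not program:
        findings.append("INFO: 'unix password sync = yes' without an explicit "
                        "'passwd program'; Samba relies on its default for that parameter")
    if not unix_sync and program:
        findings.append("INFO: 'passwd program' is set but never called because "
                        "'unix password sync' is off")
    if "smbldap-passwd" in program and not re.search(r"(^|\s)-u(\s|$)", program):
        findings.append("WARN: smbldap-passwd is invoked without -u, so it will try to "
                        "update the NT/LM hashes as well as userPassword and can race with Samba")
    return findings


if __name__ == "__main__":
    for name, sample in (("conflict", SAMPLE_CONFLICT), ("internal", SAMPLE_INTERNAL),
                         ("external", SAMPLE_EXTERNAL)):
        print(name, check_password_sync(sample) or ["ok"])
```

To run it against a live system, pass the file contents: check_password_sync(open("/etc/samba/smb.conf").read()). Where the configuration uses include directives or a non-default path, feed it the output of testparm -s instead, so that the checker sees the effective values rather than one fragment.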