Hey Howard, Adam, and List:
I'm not even sure this is the path I ought to be going down. If smbk5pwd has no knowledge of ppolicy, and password changes from Windows clients won't adhere to those restrictions with any combination of configuration options in any currently known universe, perhaps what I really need is an alternate strategy. I'm open to suggestion; my only requirements are that password changes from a Windows workstation be subjected to the ppolicy constraints, and that the LDAP and Samba passwords all be in sync.
However, here are the log entries and relevant slapd configuration options - pasted inline below:
Howard Chu wrote:
> Ryan Steele wrote:
>> I realize that 'only' is what I want and that's what I'm using, however I think smbk5pwd is working. The two snippets below show the differences after a Windows user changes his password (from the ctrl+alt+delete menu):
>
> Don't guess. Turn up the slapd debug level and show what it logs when you perform the actual password change.
Note that although the logs seem to indicate (at least to my untrained eyes) that access to userPassword, sambaLMPassword, and sambaNTPassword is denied, Windows tells me it's been updated, and I can in fact log out and log back in with the new password.
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "userPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr userPassword
Apr 3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (userPassword)
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "userPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute userPassword, value #0 not allowed

Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr sambaLMPassword
Apr 3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (sambaLMPassword)
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "sambaLMPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute sambaLMPassword, value #0 not allowed

Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_get: [1] attr sambaNTPassword
Apr 3 07:27:00 ldapmaster slapd[1012]: access_allowed: no res from state (sambaNTPassword)
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: access to entry "uid=tester,ou=Users,dc=example,dc=com", attr "sambaNTPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: => acl_mask: to value by "", (=0)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: self
Apr 3 07:27:00 ldapmaster slapd[1012]: <= check a_dn_pat: *
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] applying auth(=xd) (stop)
Apr 3 07:27:00 ldapmaster slapd[1012]: <= acl_mask: [2] mask: auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access denied by auth(=xd)
Apr 3 07:27:00 ldapmaster slapd[1012]: send_search_entry: conn 5 access to attribute sambaNTPassword, value #0 not allowed
The only other references I found to these attributes in the logs (which are at loglevel 128) are:
Apr 3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaLMPassword" requested
Apr 3 07:27:00 ldapmaster slapd[1012]: <= root access granted
Apr 3 07:27:00 ldapmaster slapd[1012]: => access_allowed: read access to "uid=tester,ou=Users,dc=example,dc=com" "sambaNTPassword" requested
> Also, don't make us guess - post the relevant portion of your slapd configuration.
include /etc/openldap/schema/ppolicy.schema

# Dynamic modules
moduleload smbk5pwd.la

rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj

# Overlays - ppolicy for enforcing password restrictions and smbk5pwd for syncing LDAP and Samba passwords
overlay smbk5pwd
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

# ACL's
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to *
        by * read
The relevant output from slapcat is below.
sambaPwdCanChange: 1207134133
sambaPwdMustChange: 2147483647
userPassword:: e1NTSEF9UkxaOUdIZnVhNkV2ejBzS0JKNVVWQ2pVOHNnR29Ma1Q=
sambaPwdLastSet: 1207134133
sambaLMPassword: d85774cf671a9947aad3b435b51404ee
sambaNTPassword: baac3929fabc9e6dcd32421ba94a84d4
pwdChangedTime: 20080402110213Z
entryCSN: 20080402110213Z#000001#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080402110213Z

sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1207137250
userPassword:: e1NTSEF9NWMveHkxSkVtZDcvcnZuWFZ4a3dtMVJsUnAzUGdEQW4=
sambaPwdLastSet: 1207137250
sambaLMPassword: 614a6376feed376daad3b435b51404ee
sambaNTPassword: d01b4a346f59e594f299a41a48126188
pwdChangedTime: 20080402115410Z
entryCSN: 20080402115410Z#000001#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080402115410Z
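An added example (editor's code, not part of this thread or of OpenLDAP/Samba) that reads the two slapcat snapshots above, lists which attributes the Windows-initiated change touched, and checks that the ppolicy timestamp (pwdChangedTime) and the Samba timestamp (sambaPwdLastSet) agree, which is the "passwords in sync" property the poster wants. It also flags the stored LM hashes: the second half aad3b435b51404ee is the LM hash of an empty 7-byte block, so it reveals that the password is 7 characters or fewer, exactly the kind of weakness a ppolicy length rule is meant to reject. The 5-second tolerance is an assumption.

```python
import base64
from datetime import datetime, timezone
# Constructed from the two slapcat snapshots in the post (entryCSN, modifiersName
# and modifyTimestamp dropped); "::" in LDIF means the value is base64-encoded.
BEFORE = """sambaPwdCanChange: 1207134133
sambaPwdMustChange: 2147483647
userPassword:: e1NTSEF9UkxaOUdIZnVhNkV2ejBzS0JKNVVWQ2pVOHNnR29Ma1Q=
sambaPwdLastSet: 1207134133
sambaLMPassword: d85774cf671a9947aad3b435b51404ee
sambaNTPassword: baac3929fabc9e6dcd32421ba94a84d4
pwdChangedTime: 20080402110213Z"""
AFTER = """sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1207137250
userPassword:: e1NTSEF9NWMveHkxSkVtZDcvcnZuWFZ4a3dtMVJsUnAzUGdEQW4=
sambaPwdLastSet: 1207137250
sambaLMPassword: 614a6376feed376daad3b435b51404ee
sambaNTPassword: d01b4a346f59e594f299a41a48126188
pwdChangedTime: 20080402115410Z"""
LM_EMPTY_HALF = "aad3b435b51404ee"  # LM hash half of an empty 7-byte block

def parse_ldif_attrs(text):
    """Parse single-valued 'attr: value' / 'attr:: base64' lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":: " in line:
            name, val = line.split(":: ", 1)
            attrs[name] = base64.b64decode(val).decode("ascii")
        elif ": " in line:
            name, val = line.split(": ", 1)
            attrs[name] = val
    return attrs

def generalized_time_to_epoch(gt):
    """LDAP GeneralizedTime (e.g. 20080402110213Z) -> Unix epoch seconds."""
    dt = datetime.strptime(gt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def changed_attrs(before, after):
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def audit_password_attrs(attrs, tolerance=5):
    """Check ppolicy/Samba change times agree and flag LM-hash weaknesses."""
    findings = []
    drift = generalized_time_to_epoch(attrs["pwdChangedTime"]) - int(attrs["sambaPwdLastSet"])
    if abs(drift) > tolerance:  # userPassword and the Samba hashes were not set together
        findings.append("out_of_sync")
    lm = attrs.get("sambaLMPassword", "").lower()
    if lm:  # LM hashes are weak in themselves; the empty second half also reveals length <= 7
        findings.append("lm_hash_stored")
        if lm[16:] == LM_EMPTY_HALF:
            findings.append("password_7_chars_or_fewer")
    return findings
```

On the posted data both snapshots report the timestamps in agreement, so the sync check passes; what it flags is the LM hash weakness, which an enforced pwdMinLength above 7 would have prevented.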