Hi People,
I use the smbk5pwd overlay to sync the Samba password with the
Heimdal Kerberos one.
In Debian Etch using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2
and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems.
But, in Debian Lenny using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1,
and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems.
When I invoke smbpasswd or ldappasswd and try to change
the password, slapd stops responding.
With kpasswd I have no problems: it changes the Samba and Kerberos
passwords correctly, userPassword stays set to {K5KEY}, and
slapd does not stop responding (it works correctly), but I need to change
the password with smbpasswd for the Windows clients.
A more detailed debug follows. Is there something else I can show?
Is this a bug?
slapd.conf configuration:
moduleload smbk5pwd
overlay smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
- OpenLDAP has permission to read/write the file /var/lib/heimdal-kdc/m-key.
- I configured OpenLDAP to run as user root and group root, for testing.
smb.conf password configuration:
ldap passwd sync = Only
unix password sync = no
Look at this example:
1 - LDAP OK:
root# ps aux|grep slapd
root 3841 3.0 0.8 21920 4512 ? Ssl 14:47 0:00
/usr/sbin/slapd -h ldap://10.111.222.100:389/
ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f
/etc/ldap/slapd.conf
root 3844 0.0 0.1 3116 728 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs@LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
2 - Change password with LDAPPASSWD:
root# ldappasswd -x -D
"krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
"uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S
New password:
Re-enter new password:
ldap_result: Can't contact LDAP server (-1)
root# ps aux|grep slapd
root 3832 0.0 0.1 3116 724 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Loglevel 256, trying to change the password with LDAPPASSWD; it stops at PASSMOD:
conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
Debug output of the audit overlay, trying to change the password with LDAPPASSWD:
# modify 1236964911 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==
-
replace: entryCSN
entryCSN: 20090313172151.459306Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrin
 cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313172151Z
-
# end replace 1236964911
3 - Change Password with SMBPASSWD:
LDAP is running correctly.
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs@LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
# smbpasswd sachs
New SMB password:
Retype new SMB password:
failed to bind to server ldaps://debian.local.int.br/ with
dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
Error: Can't contact LDAP server
(unknown)
Connection to LDAP server failed for the 2 try!
Connection to LDAP server failed for the 3 try!
Connection to LDAP server failed for the 4 try!
Connection to LDAP server failed for the 5 try!
Connection to LDAP server failed for the 6 try!
Connection to LDAP server failed for the 7 try!
Loglevel 256, trying to change the password with SMBPASSWD; it stops at PASSMOD:
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList
description displayName cn objectClass
conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=6 SRCH attr=uid sambaSid
conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType
conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
Debug output of the audit overlay, trying to change the password with SMBPASSWD:
# modify 1236968199 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
delete: sambaAcctFlags
sambaAcctFlags: [U]
-
add: sambaAcctFlags
sambaAcctFlags: [U ]
-
replace: entryCSN
entryCSN: 20090313181639.613866Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrin
 cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313181639Z
-
# end replace 1236968199
Thanks!!!
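As an added example, not part of the original post and not OpenLDAP or Samba code: a small Python script that does mechanically what the poster did by eye, scanning slapd loglevel 256 (stats) output for operations that have a start line but never get a RESULT line. In both traces above the last such operation is the PASSMOD (Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1), which is the request slapd was servicing when it stopped responding. The sample log is constructed from the smbpasswd trace quoted above, with the wrapped lines rejoined; the "healthy" variant with a closing RESULT line is also constructed here for contrast.

```python
"""Report slapd stats-log operations that never completed.

With loglevel 256 slapd writes 'conn=N op=M <TYPE> ...' when an operation
starts (often on several lines) and 'conn=N op=M RESULT ...' (or
'SEARCH RESULT ...' for searches) when it completes.  Operations that are
still pending when the log ends are what the server was doing when it
hung or crashed.  Operations on different connections interleave, so the
bookkeeping is per (conn, op) pair.
"""
import re
from collections import OrderedDict

# Prefix carried by every per-operation stats line.
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\S+)")

# Password Modify extended operation (RFC 3062); slapd decodes it as PASSMOD.
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"


def unfinished_ops(log_lines):
    """Return [(conn, op, type, detail), ...] for operations with no RESULT."""
    pending = OrderedDict()
    for line in log_lines:
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / TLS established / closed: not per-op lines
        conn, op, typ = int(m.group(1)), int(m.group(2)), m.group(3)
        key = (conn, op)
        rest = line[m.end():].strip()
        if typ == "RESULT" or (typ == "SEARCH" and rest.startswith("RESULT")):
            pending.pop(key, None)  # operation completed
            continue
        if key not in pending:
            pending[key] = (typ, rest)
        elif pending[key][0] == "EXT" and typ != "EXT":
            # Extended ops are logged twice: 'EXT oid=...' then the decoded
            # name (e.g. PASSMOD id=...); keep the more specific line.
            pending[key] = (typ, rest)
    return [(c, o, t, d) for (c, o), (t, d) in pending.items()]


def describe(entry):
    """Human-readable line for one unfinished operation."""
    conn, op, typ, detail = entry
    note = f" (Password Modify extended op, OID {PASSMOD_OID})" if typ == "PASSMOD" else ""
    return f"conn={conn} op={op} {typ} {detail}{note}"


# Constructed sample: the smbpasswd trace from the post, one log line per
# record (the mailing-list copy wrapped the long lines).
SAMPLE_LOG = """\
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
"""

# Constructed contrast case: the same trace plus the RESULT line a working
# server would log for the extended operation (this line is assumed, not
# from the post).
HEALTHY_LOG = SAMPLE_LOG + "conn=1 op=10 RESULT oid= err=0 text=\n"


if __name__ == "__main__":
    for entry in unfinished_ops(SAMPLE_LOG.splitlines()):
        print(describe(entry))
```

Run it against the real slapd log (`python3 pending_ops.py < /var/log/slapd.log` after swapping the sample for `sys.stdin`); if the only pending operation is the PASSMOD with no RESULT on every crash, that is the line to quote in a bug report together with a backtrace of slapd.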