Hi People,
I use the smbk5pwd overlay to sync the Samba password with the Heimdal Kerberos one.
In Debian Etch, using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2 and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems.
But in Debian Lenny, using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1 and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems.
When I invoke smbpasswd or ldappasswd and try to change the password, slapd stops responding.
With kpasswd I do not have problems: it changes the Samba and Kerberos password correctly, userPassword is set to {K5KEY}, and slapd does not stop responding (it works correctly). But I need to change the password with smbpasswd for Windows clients.
Below follows a more detailed debug. Is there something else I can show? Is this a bug?
slapd.conf configuration:

moduleload smbk5pwd
overlay smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}

- OpenLDAP has permission to read/write the file /var/lib/heimdal-kdc/m-key.
- I configured OpenLDAP to run as user root and group root, for tests.

smb.conf configuration about password:

ldap passwd sync = Only
unix password sync = no
Look at this example:
1 - LDAP OK:
root# ps aux|grep slapd
root      3841  3.0  0.8  21920  4512 ?      Ssl  14:47   0:00 /usr/sbin/slapd -h ldap://10.111.222.100:389/ ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f /etc/ldap/slapd.conf
root      3844  0.0  0.1   3116   728 pts/0  S+   14:47   0:00 grep slapd

root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs@LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
2 - Change password with LDAPPASSWD:
root# ldappasswd -x -D "krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" "uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S
New password:
Re-enter new password:
ldap_result: Can't contact LDAP server (-1)

root# ps aux|grep slapd
root      3832  0.0  0.1   3116   724 pts/0  S+   14:47   0:00 grep slapd

root# ldapwhoami -Y GSSAPI
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Loglevel 256, trying to change the password with LDAPPASSWD; it stops at PASSMOD:

conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new

Debug of the audit overlay, trying to change the password with LDAPPASSWD:

# modify 1236964911 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==
-
replace: entryCSN
entryCSN: 20090313172151.459306Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrin
 cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313172151Z
-
# end replace 1236964911
3 - Change Password with SMBPASSWD:
LDAP running correctly.
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs@LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br

# smbpasswd sachs
New SMB password:
Retype new SMB password:
failed to bind to server ldaps://debian.local.int.br/ with dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" Error: Can't contact LDAP server (unknown)
Connection to LDAP server failed for the 2 try!
Connection to LDAP server failed for the 3 try!
Connection to LDAP server failed for the 4 try!
Connection to LDAP server failed for the 5 try!
Connection to LDAP server failed for the 6 try!
Connection to LDAP server failed for the 7 try!
Loglevel 256, trying to change the password with SMBPASSWD; it stops at PASSMOD:

conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=6 SRCH attr=uid sambaSid
conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType
conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=

Debug of the audit overlay, trying to change the password with SMBPASSWD:

# modify 1236968199 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
delete: sambaAcctFlags
sambaAcctFlags: [U          ]
-
add: sambaAcctFlags
sambaAcctFlags: [U          ]
-
replace: entryCSN
entryCSN: 20090313181639.613866Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrin
 cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313181639Z
-
# end replace 1236968199
Thanks!!!
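The two traces above share one pattern: slapd answers every operation with a RESULT line except the Password Modify extended operation (PASSMOD, OID 1.3.6.1.4.1.4203.1.11.1), after which the process is gone. The script below is an added triage example, not code from the poster or from the OpenLDAP or Samba projects. It parses loglevel 256 output and reports every (conn, op) pair that never received a RESULT, which pins down the in-flight operation when a server dies, and it decodes an auditlog overlay record (including the `::` base64 values and LDIF continuation lines) so that one can confirm what the overlay actually wrote to the entry, for instance that userPassword became the {K5KEY} scheme marker rather than a stored hash. The sample log and audit lines are constructed from the report above; the function names are this example's own.

```python
import base64
import re
from collections import OrderedDict

# Constructed sample: the loglevel 256 lines from the ldappasswd attempt above,
# one log entry per line.
SAMPLE_LOG_LDAPPASSWD = """\
conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
"""

# Constructed sample: trimmed from the smbpasswd attempt above. Note that op=8
# gets its RESULT after op=10 was started, but op=10 never gets one.
SAMPLE_LOG_SMBPASSWD = """\
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
"""

# Constructed sample: the auditlog record from the ldappasswd attempt, with the
# LDIF continuation line (leading space) that the report shows for modifiersName.
SAMPLE_AUDIT = """\
# modify 1236964911 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==
-
replace: entryCSN
entryCSN: 20090313172151.459306Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin@LOCAL.INT.BR,ou=KerberosPrin
 cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
# end replace 1236964911
"""

# conn=N [fd=N] [op=N] KIND rest...  (fd and op are optional: ACCEPT/TLS lines have no op)
LOG_LINE = re.compile(r'^conn=(\d+) (?:fd=\d+ )?(?:op=(\d+) )?(\S+)(.*)$')

OP_START = {'BIND', 'SRCH', 'MOD', 'ADD', 'DEL', 'MODRDN', 'CMP', 'EXT', 'PASSMOD'}
OP_END = {'RESULT', 'SEARCH'}  # "SEARCH RESULT" is what closes a SRCH


def unfinished_ops(log_text):
    """Map (conn, op) -> last description for every operation that never got a RESULT.

    The last description line is kept on purpose: PASSMOD refines the generic EXT
    line that precedes it, and the second BIND line carries the mechanism.
    """
    started = OrderedDict()
    finished = set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(2) is None:
            continue  # ACCEPT, TLS established, closed: not an operation
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4).strip()
        if kind in OP_END:
            finished.add(key)
        elif kind in OP_START:
            started[key] = (kind + ' ' + rest).strip()
    return OrderedDict((k, v) for k, v in started.items() if k not in finished)


LDIF_DIRECTIVES = {'dn', 'changetype', 'add', 'delete', 'replace'}


def unfold_ldif(ldif_text):
    """Join LDIF continuation lines: a line beginning with one space continues the previous one."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(' ') and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def audit_values(ldif_text):
    """Return {attribute: value} written by one auditlog record, decoding '::' (base64) values."""
    values = {}
    for line in unfold_ldif(ldif_text):
        m = re.match(r'^([A-Za-z][\w.;-]*)(::?) ?(.*)$', line)
        if not m or m.group(1) in LDIF_DIRECTIVES:
            continue  # comments, '-' separators and LDIF directives carry no attribute value
        attr, sep, raw = m.groups()
        values[attr] = base64.b64decode(raw).decode('utf-8', 'replace') if sep == '::' else raw
    return values


if __name__ == '__main__':
    for name, log in (('ldappasswd', SAMPLE_LOG_LDAPPASSWD), ('smbpasswd', SAMPLE_LOG_SMBPASSWD)):
        print(name, 'operations without RESULT:', dict(unfinished_ops(log)))
    print('audit record wrote:', audit_values(SAMPLE_AUDIT))
```

Run against a real slapd log, the in-flight set should be empty for a healthy server; a single entry that is always the PASSMOD op, as in both traces here, points at the password-modify path (here, the smbk5pwd overlay's handling of the exop) rather than at the bind, the Samba searches or the sambaAcctFlags modify, all of which completed normally.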