Hi all,
I have a problem with the ppolicy overlay and Samba. My Samba backend is openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the userPassword, all works fine. I read the slapo-ppolicy man page and I know that the only pwdAttribute is userPassword. If I change the userPassword with smbpasswd, the policy also works fine. But if I want to change the password with a Windows client, the problem begins. The sambaNTPassword is set every time to the new password, because the ppolicy overlay checks only the userPassword. So both passwords are different and there is no control over the sambaNTPassword.
Does any solution or workaround exist for this problem?
Any help is appreciated.
Kind regards, Ralf Zimmermann
--
 .''`.  Ralf Zimmermann
: :' :  SIEGNETZ.IT GmbH
`. `'   Schneppenkauten 1a
  `-    57076 Siegen
Tel.: +49 271 68193 13 Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen
Ralf Zimmermann wrote:
> Hi all,
> I have a problem with the ppolicy overlay and Samba. My Samba backend is openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the userPassword, all works fine. I read the slapo-ppolicy man page and I know that the only pwdAttribute is userPassword. If I change the userPassword with smbpasswd, the policy also works fine. But if I want to change the password with a Windows client, the problem begins. The sambaNTPassword is set every time to the new password, because the ppolicy overlay checks only the userPassword. So both passwords are different and there is no control over the sambaNTPassword.
> Does any solution or workaround exist for this problem?
> Any help is appreciated.
> Kind regards, Ralf Zimmermann
Hello Ralf,
You should take a look at the option 'ldap passwd sync' in the smb.conf man page. I would also recommend taking a look at the smbk5pwd overlay if you don't already use it.
Best regards, Christian Manal
Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 15:31]:
> Ralf Zimmermann wrote:
> > Hi all,
> > I have a problem with the ppolicy overlay and Samba. My Samba backend is openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the userPassword, all works fine. I read the slapo-ppolicy man page and I know that the only pwdAttribute is userPassword. If I change the userPassword with smbpasswd, the policy also works fine. But if I want to change the password with a Windows client, the problem begins. The sambaNTPassword is set every time to the new password, because the ppolicy overlay checks only the userPassword. So both passwords are different and there is no control over the sambaNTPassword.
> > Does any solution or workaround exist for this problem?
> > Any help is appreciated.
> > Kind regards, Ralf Zimmermann
> Hello Ralf,
> You should take a look at the option 'ldap passwd sync' in the smb.conf man page. I would also recommend taking a look at the smbk5pwd overlay if you don't already use it.
> Best regards, Christian Manal
The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPoints 3 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPoints]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPoints, value = 3
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting quality to [3 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minUpper 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minUpper]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.

Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = useCracklib, value = 1
...
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPunct, value = 0
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting parameter to [0 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Found lower character - quality raise 1
Feb 16 14:16:32 rudi slapd[7683]: check_password: Reallocating szErrStr from 64 to 174
Feb 16 14:16:32 rudi slapd[7683]: check_password_quality: module error: (check_password.so) Password for dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" does not pass required number of strength checks (1 of 3).[1]
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=
Thanks, Ralf Zimmermann
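The slapd log above shows the two change paths side by side: conn=1008 writes sambaNTPassword with a plain MOD and succeeds (err=0), while conn=1009 goes through the Password Modify extended operation and is rejected by the pwdCheckModule (err=19). As an added example that is not from the thread, the following Python script correlates such stats-log lines by connection and operation, flags successful direct writes to the Samba hash attributes (which slapo-ppolicy never evaluates, since its only pwdAttribute is userPassword) next to rejected PASSMOD operations, and reports DNs where both happened, i.e. where the NT hash and userPassword have diverged. The sample log lines are constructed from the ones quoted in the thread; the attribute set, result-code mapping and function names are this example's own choices.

```python
import re

# OID of the LDAP Password Modify extended operation (RFC 3062). slapd logs it
# as "EXT oid=<OID>" followed by a "PASSMOD id=..." line for the same op.
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"

# Samba hash attributes (this example's own list). A plain MOD of these is not
# evaluated by slapo-ppolicy, which only looks at its pwdAttribute (userPassword).
HASH_ATTRS = {"sambaNTPassword", "sambaLMPassword"}

# LDAP resultCode 19 = constraintViolation, what a pwdCheckModule rejection produces.
CONSTRAINT_VIOLATION = 19

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
ERR_RE = re.compile(r"\berr=(\d+)")


def _quoted(text, key):
    """Return the value of key="..." in a slapd log line (dn= or id=)."""
    return text.split(key + '="', 1)[1].split('"', 1)[0]


def parse_ops(lines):
    """Group slapd stats-log lines by (conn, op): operation kind, target dn, attrs, result."""
    ops = {}
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue  # check_password chatter and other lines without conn/op are ignored
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"kind": None, "dn": None, "attrs": set(), "err": None})
        rest = m["rest"]
        if rest.startswith("MOD dn="):
            rec["kind"] = "MOD"
            rec["dn"] = _quoted(rest, "dn")
        elif rest.startswith("MOD attr="):
            rec["attrs"].update(rest[len("MOD attr="):].split())
        elif rest.startswith("EXT oid=" + PASSMOD_OID):
            rec["kind"] = "PASSMOD"
        elif rest.startswith("PASSMOD id="):
            rec["dn"] = _quoted(rest, "id")
        elif rest.startswith("RESULT"):
            e = ERR_RE.search(rest)
            if e:
                rec["err"] = int(e.group(1))
    return ops


def findings(ops):
    """Return (dn, message) pairs: direct hash writes, policy rejections, and DNs with both."""
    out = []
    bypassed, rejected = set(), set()
    for key in sorted(ops):
        rec = ops[key]
        touched = rec["attrs"] & HASH_ATTRS
        if rec["kind"] == "MOD" and touched and rec["err"] == 0:
            out.append((rec["dn"], "direct write of %s succeeded without a ppolicy check"
                        % ",".join(sorted(touched))))
            bypassed.add(rec["dn"])
        elif rec["kind"] == "PASSMOD" and rec["err"] == CONSTRAINT_VIOLATION:
            out.append((rec["dn"], "password modify extended op rejected by policy (err=19)"))
            rejected.add(rec["dn"])
    for dn in sorted(bypassed & rejected):
        out.append((dn, "Samba hash and userPassword now diverge"))
    return out


# Constructed sample, abbreviated from the slapd log quoted in the thread.
SAMPLE_LOG = """\
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: check_password: Found lower character - quality raise 1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=
"""

if __name__ == "__main__":
    for dn, msg in findings(parse_ops(SAMPLE_LOG.splitlines())):
        print(dn, "-", msg)
```

Run against a real slapd log at loglevel stats, a non-empty "direct write" finding after `ldap passwd sync` has been switched to `only` is the signal that some client or script is still writing Samba hashes around the policy.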
> The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
Best regards, Christian Manal
Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:05]:
> > The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> > We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
> If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
> Best regards, Christian Manal
Thanks, I'll take a look at smbk5pwd. Must I install Heimdal Kerberos? I need it only for Samba, and we have MIT Kerberos installed.
Kind regards, Ralf Zimmermann
Ralf Zimmermann wrote:
> Hi Christian,
> * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:05]:
> > > The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> > > We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
> > If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
> > Best regards, Christian Manal
> Thanks, I'll take a look at smbk5pwd. Must I install Heimdal Kerberos? I need it only for Samba, and we have MIT Kerberos installed.
You can disable Kerberos support in the Makefile.
Best regards, Christian Manal
Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:18]:
> Ralf Zimmermann wrote:
> > Hi Christian,
> > * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:05]:
> > > > The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> > > > We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
> > > If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
> > > Best regards, Christian Manal
> > Thanks, I'll take a look at smbk5pwd. Must I install Heimdal Kerberos? I need it only for Samba, and we have MIT Kerberos installed.
> You can disable Kerberos support in the Makefile.
OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
Thanks, Ralf Zimmermann
Ralf Zimmermann wrote:
> Hi Christian,
> * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:18]:
> > Ralf Zimmermann wrote:
> > > Hi Christian,
> > > * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:05]:
> > > > > The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> > > > > We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
> > > > If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
> > > > Best regards, Christian Manal
> > > Thanks, I'll take a look at smbk5pwd. Must I install Heimdal Kerberos? I need it only for Samba, and we have MIT Kerberos installed.
> > You can disable Kerberos support in the Makefile.
> OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
> I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
The overlay has to be installed on the LDAP master. It wouldn't make sense otherwise, since slaves are usually read-only.
Best regards, Christian Manal
Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:41]:
> Ralf Zimmermann wrote:
> > Hi Christian,
> > * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:18]:
> > > Ralf Zimmermann wrote:
> > > > Hi Christian,
> > > > * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:05]:
> > > > > > The option 'ldap passwd sync' is set to yes. I will look at the smbk5pwd overlay again. But I think it will not resolve the problem, because Samba makes a modify for the Samba attributes.
> > > > > > We have a default ppolicy. But this policy works only with the pwdAttribute userPassword, not with sambaNTPassword. The problem is that a user can change his password with a Windows client. The sambaNTPassword is always set, whatever is configured in the policy.
> > > > > If you set 'ldap passwd sync' to 'only', the Samba server triggers an extended operation for the password change and doesn't touch the Samba attributes. smbk5pwd will take care of the Samba passwords.
> > > > > Best regards, Christian Manal
> > > > Thanks, I'll take a look at smbk5pwd. Must I install Heimdal Kerberos? I need it only for Samba, and we have MIT Kerberos installed.
> > > You can disable Kerberos support in the Makefile.
> > OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
> > I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
> The overlay has to be installed on the LDAP master. It wouldn't make sense otherwise, since slaves are usually read-only.
> Best regards, Christian Manal
Thanks for the advice. It sounds logical.
Thanks, Ralf Zimmermann
Hi Christian,
* Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:41]:
> > OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
> > I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
> The overlay has to be installed on the LDAP master. It wouldn't make sense otherwise, since slaves are usually read-only.
The smbk5pwd overlay does not really work in this scenario. I have compiled Heimdal on SLES11 and compiled smbk5pwd with make and make install.
<snip Makefile>
DEFS=-DDO_SAMBA

HEIMDAL_INC=-I/usr/heimdal/include
#HEIMDAL_INC=
SSL_INC=
LDAP_INC=-I../../../include -I../../../servers/slapd
INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)

HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
#HEIMDAL_LIB=
SSL_LIB=-lcrypto
LDAP_LIB=-lldap_r -llber
LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
</snip>
Then I added 'moduleload smbk5pwd.la' and, in the hdb section, 'overlay smbk5pwd'. After this I created the online configuration with 'slaptest -d1 -f ...'. All looks fine. slapd starts without an error message. I changed the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
With the smbk5pwd overlay, nothing happens when I change a password from a Windows client. Without the overlay I can see the PASSMOD for the user.
Any idea?
Regards, Ralf Zimmermann
On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> Hi Christian,
> * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:41]:
> > > OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
> > > I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
> > The overlay has to be installed on the LDAP master. It wouldn't make sense otherwise, since slaves are usually read-only.
> The smbk5pwd overlay does not really work in this scenario. I have compiled Heimdal
Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did you have a Heimdal installation before)?
What version did you install?
> on SLES11 and compiled smbk5pwd with make and make install.
From the same source used to build slapd on the box the module runs under?
> <snip Makefile>
> DEFS=-DDO_SAMBA
So, you shouldn't need Heimdal at all ...
>
> HEIMDAL_INC=-I/usr/heimdal/include
> #HEIMDAL_INC=
> SSL_INC=
> LDAP_INC=-I../../../include -I../../../servers/slapd
> INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
>
> HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
> #HEIMDAL_LIB=
> SSL_LIB=-lcrypto
> LDAP_LIB=-lldap_r -llber
> LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
> </snip>
> Then I added 'moduleload smbk5pwd.la' and, in the hdb section, 'overlay smbk5pwd'. After this I created the online configuration with 'slaptest -d1 -f ...'. All looks fine. slapd starts without an error message. I changed the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
> With the smbk5pwd overlay, nothing happens when I change a password from a Windows client. Without the overlay I can see the PASSMOD for the user.
Well, without Heimdal it has been working perfectly for me for a long time.
At times (e.g. 1.3.0 without patches), heimdal API changes have broken the Heimdal support in smbk5pwd.
Note that some distributions ship recent OpenLDAP with a working (at least for samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.
Regards, Buchan
Hi
* Buchan Milne bgmilne@staff.telkomsa.net [17.02.2010 15:24]:
> On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> > Hi Christian,
> > * Christian Manal moenoel@informatik.uni-bremen.de [16.02.2010 16:41]:
> > > > OK, I read it ;-) The Samba server runs SLES11 with openldap2-2.4.12 and Samba-3.4.5. The Samba server is not the LDAP master; that is another server with a self-compiled openldap-2.4.20. The Samba server runs the OpenLDAP version shipped with SLES11, where no smbk5pwd overlay exists.
> > > > I think that I must compile and configure the overlay only on the Samba server. Is this correct? Oops, and also on the BDCs?
> > > The overlay has to be installed on the LDAP master. It wouldn't make sense otherwise, since slaves are usually read-only.
> > The smbk5pwd overlay does not really work in this scenario. I have compiled Heimdal
> Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did you have a Heimdal installation before)?
> What version did you install?
I have installed heimdal-1.3.2rc2.
> > on SLES11 and compiled smbk5pwd with make and make install.
> From the same source used to build slapd on the box the module runs under?
Yes, I compiled it under openldap-2.4.20.
> > <snip Makefile>
> > DEFS=-DDO_SAMBA
> So, you shouldn't need Heimdal at all ...
I have now compiled it with: DEFS=-DDO_SAMBA HEIMDAL_INC= HEIMDAL_LIB=
> Well, without Heimdal it has been working perfectly for me for a long time.
My problem was that I had to change a password twice. I searched the whole day. After restarting slapd on the Samba server, all works fine. Now I'm searching for the problem. On the server a backup software is installed that can cause problems.
The problem exists with ldappasswd too. I must change a password twice. After the second change, the master makes a password modify. After restarting slapd on the Samba server, I can change the password from the Samba server without problems.
And on the slaves a ppolicy overlay was configured. I have changed this.
> At times (e.g. 1.3.0 without patches), heimdal API changes have broken the Heimdal support in smbk5pwd.
> Note that some distributions ship recent OpenLDAP with a working (at least for samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.
I took the source from openLDAP.org.
Regards, Ralf Zimmermann
openldap-technical@openldap.org