6:28 a.m.
Hi all,
I have a problem with overlay ppolicy and samba. My samba backend is
openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the
userPassword all works fine. I read the slapo-ppolicy man page and I know that
the only pwdAttribute is userPassword. If I change the userPassword with
smbpasswd the policy works also fine. But if I want to change the Password with
a Windows client the problem begins. The sambaNTPassword is set everytime to
the new Password because the ppolicy overlay checks only the userPassword.
So the both Passwords are different and there is no control for the
sambaNTPassword.
Exists any solution or a workaround for this problem.
Any help is appreciated.
Mit freundlichen Gruessen
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
7:10 a.m.
Ralf Zimmermann schrieb:
Hi all,
I have a problem with overlay ppolicy and samba. My samba backend is
openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the
userPassword all works fine. I read the slapo-ppolicy man page and I know that
the only pwdAttribute is userPassword. If I change the userPassword with
smbpasswd the policy works also fine. But if I want to change the Password with
a Windows client the problem begins. The sambaNTPassword is set everytime to
the new Password because the ppolicy overlay checks only the userPassword.
So the both Passwords are different and there is no control for the
sambaNTPassword.
Exists any solution or a workaround for this problem.
Any help is appreciated.
Mit freundlichen Gruessen
Ralf Zimmermann
Hello Ralf,
you should take a look at the option 'ldap passwd sync' in the smb.conf
manpage. I would also recommend to take a look at the smbk5pwd overlay
if you don't already use that.
Best regards,
Christian Manal
7:36 a.m.
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 15:31]:
Ralf Zimmermann schrieb:
> Hi all,
>
> I have a problem with overlay ppolicy and samba. My samba backend is
> openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the
> userPassword all works fine. I read the slapo-ppolicy man page and I know that
> the only pwdAttribute is userPassword. If I change the userPassword with
> smbpasswd the policy works also fine. But if I want to change the Password with
> a Windows client the problem begins. The sambaNTPassword is set everytime to
> the new Password because the ppolicy overlay checks only the userPassword.
> So the both Passwords are different and there is no control for the
> sambaNTPassword.
>
> Exists any solution or a workaround for this problem.
>
> Any help is appreciated.
>
> Mit freundlichen Gruessen
> Ralf Zimmermann
>
Hello Ralf,
you should take a look at the option 'ldap passwd sync' in the smb.conf
manpage. I would also recommend to take a look at the smbk5pwd overlay
if you don't already use that.
Best regards,
Christian Manal
the option 'ldap passwd sync' is set to yes. I will looking to the overlay
smbk5pwd again. But I think it will not resolve the problem because samba makes
a modify for the samba attributes.
We have a default ppolicy. But this policy works only with pwdAttribute
userPassword not with sambaNTPassword. The problem is, that a User can change
his password with a Windows Client. The sambaNTPassword is always set whatever
in the policy is configured.
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD
dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 MOD attr=sambaNTPassword sambaNTPassword
sambaPwdLastSet sambaPwdLastSet
Feb 16 14:16:32 rudi slapd[7683]: conn=1008 op=6 RESULT tag=103 err=0 text=
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 PASSMOD
id="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de" new
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPoints 3 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPoints]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPoints, value = 3
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting quality to [3 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minUpper 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minUpper]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |useCracklib 1 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [useCracklib]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = useCracklib, value = 1
...
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minLower 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minLower]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minDigit 2 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minDigit]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Got line |minPunct 0 |
Feb 16 14:16:32 rudi slapd[7683]: check_password: Validating parameter [minPunct]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Parameter accepted.
Feb 16 14:16:32 rudi slapd[7683]: check_password: Word = minPunct, value = 0
Feb 16 14:16:32 rudi slapd[7683]: check_password: Setting parameter to [0 ]
Feb 16 14:16:32 rudi slapd[7683]: check_password: Found lower character - quality raise 1
Feb 16 14:16:32 rudi slapd[7683]: check_password: Reallocating szErrStr from 64 to 174
Feb 16 14:16:32 rudi slapd[7683]: check_password_quality: module error:
(check_password.so) Password for dn="uid=rzimmermann,ou=Users,dc=bad-gmbh,dc=de"
do
es not pass required number of strength checks (1 of 3).[1]
Feb 16 14:16:32 rudi slapd[7683]: conn=1009 op=6 RESULT oid= err=19 text=
Thanks
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
7:44 a.m.
the option 'ldap passwd sync' is set to yes. I will
looking to the overlay
smbk5pwd again. But I think it will not resolve the problem because samba makes
a modify for the samba attributes.
We have a default ppolicy. But this policy works only with pwdAttribute
userPassword not with sambaNTPassword. The problem is, that a User can change
his password with a Windows Client. The sambaNTPassword is always set whatever
in the policy is configured.
If you set 'ldap passwd sync' to 'only' the Samba server triggers an
extended operation for password change and doesn't touch the Samba
attributes. smbk5pwd will take care of the Samba passwords.
Best regards,
Christian Manal
7:53 a.m.
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:05]:
> the option 'ldap passwd sync' is set to yes. I will
looking to the overlay
> smbk5pwd again. But I think it will not resolve the problem because samba makes
> a modify for the samba attributes.
>
> We have a default ppolicy. But this policy works only with pwdAttribute
> userPassword not with sambaNTPassword. The problem is, that a User can change
> his password with a Windows Client. The sambaNTPassword is always set whatever
> in the policy is configured.
>
If you set 'ldap passwd sync' to 'only' the Samba server triggers an
extended operation for password change and doesn't touch the Samba
attributes. smbk5pwd will take care of the Samba passwords.
Best regards,
Christian Manal
thanks, I take a look at smbk5pwd. Must I install heimdal kerberos? I need it
only for samba and we have installed mit kerberos.
Mit freundlichen Gruessen
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
7:58 a.m.
Ralf Zimmermann schrieb:
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:05]:
>> the option 'ldap passwd sync' is set to yes. I will looking to the
overlay
>> smbk5pwd again. But I think it will not resolve the problem because samba makes
>> a modify for the samba attributes.
>>
>> We have a default ppolicy. But this policy works only with pwdAttribute
>> userPassword not with sambaNTPassword. The problem is, that a User can change
>> his password with a Windows Client. The sambaNTPassword is always set whatever
>> in the policy is configured.
>>
> If you set 'ldap passwd sync' to 'only' the Samba server triggers an
> extended operation for password change and doesn't touch the Samba
> attributes. smbk5pwd will take care of the Samba passwords.
>
>
> Best regards,
> Christian Manal
thanks, I take a look at smbk5pwd. Must I install heimdal kerberos? I need it
only for samba and we have installed mit kerberos.
You can disable Kerberos support in the Makefile.
Best regards,
Christian Manal
8:11 a.m.
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:18]:
Ralf Zimmermann schrieb:
> Hi Christian,
>
> * Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:05]:
>>> the option 'ldap passwd sync' is set to yes. I will looking to
the overlay
>>> smbk5pwd again. But I think it will not resolve the problem because samba
makes
>>> a modify for the samba attributes.
>>>
>>> We have a default ppolicy. But this policy works only with
pwdAttribute
>>> userPassword not with sambaNTPassword. The problem is, that a User can
change
>>> his password with a Windows Client. The sambaNTPassword is always set
whatever
>>> in the policy is configured.
>>>
>> If you set 'ldap passwd sync' to 'only' the Samba server
triggers an
>> extended operation for password change and doesn't touch the Samba
>> attributes. smbk5pwd will take care of the Samba passwords.
>>
>>
>> Best regards,
>> Christian Manal
>
> thanks, I take a look at smbk5pwd. Must I install heimdal kerberos? I need it
> only for samba and we have installed mit kerberos.
>
>
You can disable Kerberos support in the Makefile.
ok. I read it ;-) The Samba Server is a Sles11 with openldap2-2.4.12 and
Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server
with a self compiled openldap-2.4.20. The Samba Server runs with the Sles11
shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
I think that I must compile and configure the overlay only on the Samba Server.
Is this correct? Ups and also on the BDC's?
Thanks
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
8:20 a.m.
Ralf Zimmermann schrieb:
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:18]:
> Ralf Zimmermann schrieb:
>> Hi Christian,
>>
>> * Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:05]:
>>>> the option 'ldap passwd sync' is set to yes. I will looking
to the overlay
>>>> smbk5pwd again. But I think it will not resolve the problem because samba
makes
>>>> a modify for the samba attributes.
>>>>
>>>> We have a default ppolicy. But this policy works only with
pwdAttribute
>>>> userPassword not with sambaNTPassword. The problem is, that a User can
change
>>>> his password with a Windows Client. The sambaNTPassword is always set
whatever
>>>> in the policy is configured.
>>>>
>>> If you set 'ldap passwd sync' to 'only' the Samba server
triggers an
>>> extended operation for password change and doesn't touch the Samba
>>> attributes. smbk5pwd will take care of the Samba passwords.
>>>
>>>
>>> Best regards,
>>> Christian Manal
>> thanks, I take a look at smbk5pwd. Must I install heimdal kerberos? I need it
>> only for samba and we have installed mit kerberos.
>>
>>
> You can disable Kerberos support in the Makefile.
ok. I read it ;-) The Samba Server is a Sles11 with openldap2-2.4.12 and
Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server
with a self compiled openldap-2.4.20. The Samba Server runs with the Sles11
shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
I think that I must compile and configure the overlay only on the Samba Server.
Is this correct? Ups and also on the BDC's?
The overlay has to be installed on the LDAP master. Wouldn't make sense
otherwise, since slaves are usually read-only.
Best regards,
Christian Manal
8:30 a.m.
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:41]:
Ralf Zimmermann schrieb:
> Hi Christian,
>
> * Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:18]:
>> Ralf Zimmermann schrieb:
>>> Hi Christian,
>>>
>>> * Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010
16:05]:
>>>>> the option 'ldap passwd sync' is set to yes. I will
looking to the overlay
>>>>> smbk5pwd again. But I think it will not resolve the problem because
samba makes
>>>>> a modify for the samba attributes.
>>>>>
>>>>> We have a default ppolicy. But this policy works only with
pwdAttribute
>>>>> userPassword not with sambaNTPassword. The problem is, that a User
can change
>>>>> his password with a Windows Client. The sambaNTPassword is always
set whatever
>>>>> in the policy is configured.
>>>>>
>>>> If you set 'ldap passwd sync' to 'only' the Samba server
triggers an
>>>> extended operation for password change and doesn't touch the Samba
>>>> attributes. smbk5pwd will take care of the Samba passwords.
>>>>
>>>>
>>>> Best regards,
>>>> Christian Manal
>>> thanks, I take a look at smbk5pwd. Must I install heimdal kerberos? I need
it
>>> only for samba and we have installed mit kerberos.
>>>
>>>
>> You can disable Kerberos support in the Makefile.
>
> ok. I read it ;-) The Samba Server is a Sles11 with openldap2-2.4.12 and
> Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server
> with a self compiled openldap-2.4.20. The Samba Server runs with the Sles11
> shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
>
> I think that I must compile and configure the overlay only on the Samba Server.
> Is this correct? Ups and also on the BDC's?
>
The overlay has to be installed on the LDAP master. Wouldn't make sense
otherwise, since slaves are usually read-only.
Best regards,
Christian Manal
thanks for the advise. It sounds logically.
Thanks
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
2:31 a.m.
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:41]:
> ok. I read it ;-) The Samba Server is a Sles11 with
openldap2-2.4.12 and
> Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server
> with a self compiled openldap-2.4.20. The Samba Server runs with the Sles11
> shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
>
> I think that I must compile and configure the overlay only on the Samba Server.
> Is this correct? Ups and also on the BDC's?
>
The overlay has to be installed on the LDAP master. Wouldn't make sense
otherwise, since slaves are usually read-only.
the overlay smbk5pwd does not really work in this szenario. I have compiled
heimdal on Sles11 and compiled the smbk5pwd with make and make install.
<snip Makefile>
DEFS=-DDO_SAMBA
HEIMDAL_INC=-I/usr/heimdal/include
#HEIMDAL_INC=
SSL_INC=
LDAP_INC=-I../../../include -I../../../servers/slapd
INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
#HEIMDAL_LIB=
SSL_LIB=-lcrypto
LDAP_LIB=-lldap_r -llber
LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
</snip>
Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay
smbk5pwd'.
After this I create the online configuration with 'slaptest -d1 -f ...'. All
looks fine. slapd starts without a error message. I change the smb.conf 'ldap
passwd sync = yes' to 'ldap passwd sync = Only'.
With the overlay smbk5pwd nothing happens when I change a password over a
Windows Client. Without the overlay I can see the PASSMOD for the user.
Any idea?
Regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
7:03 a.m.
On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
Hi Christian,
* Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:41]:
> > ok. I read it ;-) The Samba Server is a Sles11 with
> > openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP
> > Master. This is another Server with a self compiled openldap-2.4.20.
> > The Samba Server runs with the Sles11 shipped openLDAP version. There
> > it doesn't exits a smbk5pwd overlay.
> >
> > I think that I must compile and configure the overlay only on the Samba
> > Server. Is this correct? Ups and also on the BDC's?
>
> The overlay has to be installed on the LDAP master. Wouldn't make sense
> otherwise, since slaves are usually read-only.
the overlay smbk5pwd does not really work in this szenario. I have
compiled heimdal
Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did
you have a Heimdal installation before)?
What version did you install?
on Sles11 and compiled the smbk5pwd with make and make
install.
From the same source used to build slapd on the box the module runs under?
<snip Makefile>
DEFS=-DDO_SAMBA
So, you shouldn't need Heimdal at all ...
HEIMDAL_INC=-I/usr/heimdal/include
#HEIMDAL_INC=
SSL_INC=
LDAP_INC=-I../../../include -I../../../servers/slapd
INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
#HEIMDAL_LIB=
SSL_LIB=-lcrypto
LDAP_LIB=-lldap_r -llber
LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
</snip>
Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay
smbk5pwd'. After this I create the online configuration with 'slaptest
-d1 -f ...'. All looks fine. slapd starts without a error message. I
change the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync =
Only'.
With the overlay smbk5pwd nothing happens when I change a password
over a Windows Client. Without the overlay I can see the PASSMOD for the
user.
Well, without Heimdal has been working perfectly for me for a long time.
At times (e.g. 1.3.0 without patches), heimdal API changes have broken the
Heimdal support in smbk5pwd.
Note that some distributions ship recent OpenLDAP with a working (at least for
samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.
Regards,
Buchan
7:51 a.m.
Hi
* Buchan Milne <bgmilne(a)staff.telkomsa.net> [17.02.2010 15:24]:
On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> Hi Christian,
>
> * Christian Manal <moenoel(a)informatik.uni-bremen.de> [16.02.2010 16:41]:
> > > ok. I read it ;-) The Samba Server is a Sles11 with
> > > openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP
> > > Master. This is another Server with a self compiled openldap-2.4.20.
> > > The Samba Server runs with the Sles11 shipped openLDAP version. There
> > > it doesn't exits a smbk5pwd overlay.
> > >
> > > I think that I must compile and configure the overlay only on the Samba
> > > Server. Is this correct? Ups and also on the BDC's?
> >
> > The overlay has to be installed on the LDAP master. Wouldn't make sense
> > otherwise, since slaves are usually read-only.
>
> the overlay smbk5pwd does not really work in this szenario. I have
> compiled heimdal
Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did
you have a Heimdal installation before)?
What version did you install?
i have installed heimdal-1.3.2rc2.
> on Sles11 and compiled the smbk5pwd with make and make
> install.
From the same source used to build slapd on the box the module runs under?
Yes, I have compiled it under openldap-2.4.20.
> <snip Makefile>
> DEFS=-DDO_SAMBA
So, you shouldn't need Heimdal at all ...
I compiled it yet with:
DEFS=-DDO_SAMBA
HEIMDAL_INC=
HEIMDAL_LIB=
Well, without Heimdal has been working perfectly for me for a long
time.
My problem was, that I must do a password change twice. I have searched the
wholy day. After restarting the slapd on the Samba Server all works fine. Now
I'm searching for the problem. On the Server is a backup software installed
that can make problems.
The problem exists with ldappasswd too. I must change a password twice. After
the second change the Master makes a password modify. After restarting the
slapd on the Samba server I can change the password from the Samba server
without problems.
And on the slaves was a ppolicy overlay configured. I have changed this.
At times (e.g. 1.3.0 without patches), heimdal API changes have
broken the
Heimdal support in smbk5pwd.
Note that some distributions ship recent OpenLDAP with a working (at least for
samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.
I take the source from openLDAP.org.
Regards,
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
4848
days inactive
4849
days old
openldap-technical@openldap.org
11 comments
3 participants
participants (3)
-
Buchan Milne -
Christian Manal -
Ralf Zimmermann