We've installed CentOS Directory Server (389 DS) and have Samba using it as a backend. This works great except that when enabling password syncing in the smb.conf it is only synced one way. I could sync the ldap/samba password when using smbpasswd -a but not passwd. To fix this I added a line to my PAM system-auth settings to update the smb password file when changing my password. Again this works, but I'm getting the following error.

    Changing password for user testuser1.
    Enter login(LDAP) password:
    New UNIX password:
    Retype new UNIX password:
    LDAP password information update failed: Invalid credentials

    passwd: Authentication failure

This error isn't correct because both the LDAP and Samba passwords change successfully. Does anyone have a clue why I'm getting the error at all?

The line I added to PAM is in bold:

    password requisite pam_cracklib.so try_first_pass retry=3
    password optional pam_smbpass.so use_authtok use_first_pass
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

My smb.conf file has the following:

    [global]
    workgroup = MyGroup
    security = user
    passdb backend = ldapsam:ldaps://192.168.124.89/
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap passwd sync = yes
    ldap delete dn = no
    wins support = yes

As I stated previously, everything is working as it should. I just don't want users freaking out when they see that nasty error message and I want it to go away.

1 Answer

(yes, 7 years later, and hopefully it was resolved earlier - this is for current and future reference) smbpasswd can handle LDAP passwd syncing, re:

-w / -W switches, from man page on samba.org website:

-w password

This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

-W

NOTE: This option is same as "-w" except that the password should be entered using stdin.

This parameter is only available if Samba has been compiled with LDAP support. The -W switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.