Bug 10900 - Changing LDAP Password from Windows failes if referral is configured
Changing LDAP Password from Windows failes if referral is configured
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
x64 Linux
: P5 normal
: ---
Assigned To: Guenther Deschner
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2014-10-28 07:56 UTC by the2nd
Modified: 2015-02-11 10:47 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description the2nd 2014-10-28 07:56:06 UTC
my problem is related to samba3 with openldap backend. i use syncrepl to replicate our openldap db to the slapd running on the samba server. slapd is configured to set a referrer for write requests via "updateref".
if i use smbpasswd to change the samba/ldap password from the console everything works fine. i can see the referrer offered by the local slapd and also a rebind to change the password on the master ldap server. also ldapmodify shows the correct referrer.
but if i try to change the password from within windows i get the following error message:
[2014/10/18 12:49:34.511026,  0] passdb/pdb_ldap.c:1826(ldapsam_modify_entry)
  ldapsam_modify_entry: LDAP Password could not be changed for user test: Referral
"ldap follow referral = yes" in smb.conf is set. but for some reason samba cannot find the correct referrer.
any help would be appreciated.
Comment 1 Christian Ambach 2014-12-12 11:17:40 UTC
Can you capture log level 10 logs showing the failed password change attempt and attach them here?

See https://www.samba.org/~asn/reporting_samba_bugs.txt for some instructions how to capture logs of smbd.
Comment 2 the2nd 2015-02-11 10:47:40 UTC
sorry for the delay. somehow i missed your reply.

i've captured the desired log but i'm not sure if it's save to paste it public without removing some sensitive information cause this is a live system.

after a quick look it seems like it contains at least the password hashes which is a bad idea to post public i think.

is there any option in samba to prevent sensitive data from beeing logged? or is there any howto what needs to be removed to be on the safe side?