smbpasswd incompatible with NDS / eDirectory 8.7

We use Samba 3 RC1 ( upgraded from Samba 2.2.8a ) on a SuSE 8.2 machine configure'd with

--prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib --sysconfdir=/etc --mandir=/usr/man --infodir=/usr/info --localstatedir=/var/log --with-configdir=/etc/samba --with-privatedir=/etc/samba --with-lockdir=/var/lock/samba --with-swatdir=/usr/lib/samba/swat --with-sambabook=/usr/lib/samba/swat/using_samba --with-codepagedir=/usr/lib/samba/codepages --with-smbwrapper --with-automount --with-smbmount --with-pam --with-pam_smbpass --with-ldap --with-ldapsam --with-syslog --with-profiling-data --with-quotas --with-libsmbclient --with-acl-support --with-sendfile-support --with-winbind --with-ads

Novell eDirectory 8.7 on a remote machine serves as passdb store. I've tried both ldapsam and ldapsam_compat passdb backend. There is no problem adding SambaSamAccount ( or SambaAccount in ldapsam_compat mode ) to a User object with "smbpasswd -a User". However this happens when I try smbpasswd on an existing user:

# smbpasswd User
New SMB password: xxxxx
Retype new SMB password: xxxxx
failed to modify user dn= cn=User,ou=People,ou=department,o=company,c=DE with: Constraint violation
NDS error: cant have multiple values (-612)
failed to modify user with uid = User, error: NDS error: cant have multiple values (-612) (Success)
Failed to modify entry for user User.
Failed to modify password entry for user User

I believe the problem is related to a LDAP modify operation for the single-valued attributes (samba)pwdCanChange, (samba)pwdMustChange and (samba)pwdLastSet. smbpasswd tries to add the new value for each of these attributes before deleting the old value. This might work on some LDAP servers because it all happens in a single modify request, but eDirectory 8.7 complains about it.
I think this might be a problem with eDir: Ok, RFC 2251, line 1815ff:

- modification: A list of modifications to be performed on the entry. The entire list of entry modifications MUST be performed in the order they are listed, as a single atomic operation. While individual modifications may violate the directory schema, the resulting entry after the entire list of modifications is performed MUST conform to the requirements of the directory schema.
Created attachment 110: patch to change the modify behavior to use REPLACE
However, try this patch posted to samba-technical from Erik Tews and see if it solves your problem. It is under consideration for inclusion.
The patch did it. Thanks a lot ! I will still contact Novell about their RFC conformance ...
Wait, for some reason the patch only fixed smbpasswd but not pam_smbpass. The latter one still tries to do the ADD before the DELETE operation. Perhaps I should better open a new bug for pam_smbpass. Please change this one to RESOLVED
*** Bug 387 has been marked as a duplicate of this bug. ***
I don't think we should work around non-RFC behaviour in LDAP servers, at least not without a good config option. We will hit the same thing with atomically incrementing counters (like next rid), and any sequence number we decide to store. It also removes the small amount of 'transaction safety' we have with LDAP - which we are starting to use a little. Marking as 'WONTFIX', unless anybody objects.
Created attachment 164: UNOFFICIAL and almost untested version of the REPLACE patch for Samba RC4

I have modified the "LDAP use REPLACE" patch to work with Samba 3 RC4. Please be aware that it's unofficial and little tested - use it at your own risk !
Patch by Petri Asikainen <paca@sci.fi> applied that should fix this, without the need to use REPLACE
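To make the disagreement in this thread concrete (the reporter's add-before-delete modlist failing with -612 on a server that checks single-valued attributes per step, the REPLACE workaround, the maintainer's point that delete-old/add-new gives compare-and-swap semantics for counters, and a fix that keeps delete+add by ordering delete first), here is a constructed toy model of an LDAP Modify on one entry. It is added example code, not Samba or eDirectory code; the attribute names and error codes other than -612 are assumptions for illustration.

```python
# Toy model of RFC 2251 Modify on a single entry (constructed example).
# strict_per_step=True mimics the eDirectory 8.7 behaviour in the report:
# a single-valued attribute may never hold two values, even transiently
# inside one Modify. False follows RFC 2251 4.6: only the final entry
# must conform to the schema.

SINGLE_VALUED = {"sambaPwdLastSet", "sambaNextRid"}  # assumed schema
NDS_MULTI_VALUE = -612      # code quoted in the bug report
NO_SUCH_ATTRIBUTE = 16      # assumed: value to delete is gone
CONSTRAINT_VIOLATION = 19   # assumed: final entry breaks schema


class ModifyError(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


def apply_modify(entry, modlist, strict_per_step=False):
    """Apply [(op, attr, value), ...] atomically and return the new entry."""
    new = {k: set(v) for k, v in entry.items()}
    for op, attr, value in modlist:
        vals = new.setdefault(attr, set())
        if op == "add":
            vals.add(value)
        elif op == "delete":
            # If the old value was changed concurrently, the delete fails
            # and the whole Modify is rejected: this is the 'transaction
            # safety' the maintainer wants to keep for counters.
            if value not in vals:
                raise ModifyError(NO_SUCH_ATTRIBUTE, f"{attr}={value} absent")
            vals.remove(value)
        elif op == "replace":
            new[attr] = {value}  # unconditional overwrite, no CAS check
        if strict_per_step and attr in SINGLE_VALUED and len(new[attr]) > 1:
            raise ModifyError(NDS_MULTI_VALUE, f"cant have multiple values: {attr}")
    for attr in SINGLE_VALUED:
        if len(new.get(attr, ())) > 1:
            raise ModifyError(CONSTRAINT_VIOLATION, f"{attr} not single-valued")
    return new


def add_then_delete(attr, old, new):   # what the report says smbpasswd sent
    return [("add", attr, new), ("delete", attr, old)]


def delete_then_add(attr, old, new):   # same CAS semantics, per-step safe
    return [("delete", attr, old), ("add", attr, new)]


def replace_only(attr, new):           # what attachment 110 switches to
    return [("replace", attr, new)]
```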
Fixed in current CVS.
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.