smbpasswd incompatible with NDS / eDirectory 8.7
We use Samba 3 RC1 (upgraded from Samba 2.2.8a) on a SuSE 8.2 machine configure'd with:
--prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib --sysconfdir=/etc --mandir=/usr/man --infodir=/usr/info --localstatedir=/var/log --with-configdir=/etc/samba --with-privatedir=/etc/samba --with-lockdir=/var/lock/samba --with-swatdir=/usr/lib/samba/swat --with-sambabook=/usr/lib/samba/swat/using_samba --with-codepagedir=/usr/lib/samba/codepages --with-smbwrapper --with-automount --with-smbmount --with-pam --with-pam_smbpass --with-ldap --with-ldapsam --with-syslog --with-profiling-data --with-quotas --with-libsmbclient --with-acl-support --with-sendfile-support --with-winbind --with-ads
Novell eDirectory 8.7 on a remote machine serves as the passdb store. I've tried
both the ldapsam and ldapsam_compat passdb backends.
There is no problem adding a SambaSamAccount (or SambaAccount in ldapsam_compat
mode) to a User object with "smbpasswd -a User". However, this happens when I
try smbpasswd on an existing user:
# smbpasswd User
New SMB password: xxxxx
Retype new SMB password: xxxxx
failed to modify user dn= cn=User,ou=People,ou=department,o=company,c=DE with:
NDS error: cant have multiple values (-612)
failed to modify user with uid = User, error: NDS error: cant have multiple
values (-612) (Success)
Failed to modify entry for user User.
Failed to modify password entry for user User
I believe the problem is related to an LDAP modify operation for the single-
valued attributes (samba)pwdCanChange, (samba)pwdMustChange and (samba)
pwdLastSet. smbpasswd tries to add the new value for each of these attributes
before deleting the old value. This might work on some LDAP servers because it
all happens in a single modify request, but eDirectory 8.7 complains about it.
I think this might be a problem with eDir:
Ok, RFC 2251, line 1815ff:
- modification: A list of modifications to be performed on the entry.
The entire list of entry modifications MUST be performed
in the order they are listed, as a single atomic operation. While
individual modifications may violate the directory schema, the
resulting entry after the entire list of modifications is performed
MUST conform to the requirements of the directory schema.
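To make the RFC 2251 point concrete, here is an added simulation (not Samba code, not from this bug's attachments) of how a server applies a modify list to a Samba user entry. The entry, the attribute names and the "check after each step" switch are constructed assumptions used to contrast a server that only validates the final entry with one that rejects the intermediate state.

```python
# Constructed example: simulate an LDAP server applying a modify request
# (RFC 2251 section 4.6) to an entry with single-valued attributes.
from copy import deepcopy

# Assumed single-valued attributes from the Samba schema (see the report above).
SINGLE_VALUED = {"sambaPwdLastSet", "sambaPwdCanChange", "sambaPwdMustChange"}

class SchemaViolation(Exception):
    """Raised when an attribute holds more values than the schema allows."""

def check_schema(entry):
    for attr, values in entry.items():
        if attr in SINGLE_VALUED and len(values) > 1:
            raise SchemaViolation(f"{attr}: cant have multiple values")

def apply_modify(entry, modlist, check_after_each=False):
    """Apply (op, attr, values) modifications in order.
    RFC 2251 requires only the final entry to conform to the schema;
    check_after_each=True models a server that validates every step."""
    work = deepcopy(entry)
    for op, attr, values in modlist:
        current = work.setdefault(attr, [])
        if op == "add":
            current.extend(v for v in values if v not in current)
        elif op == "delete":
            work[attr] = [v for v in current if v not in values]
        elif op == "replace":
            work[attr] = list(values)
        else:
            raise ValueError(f"unknown modification type {op!r}")
        if check_after_each:
            check_schema(work)
    check_schema(work)  # atomic: the result is committed only if it conforms
    return work

# Constructed user entry with an existing password timestamp.
user = {"uid": ["User"], "sambaPwdLastSet": ["1000"]}

# What the reported smbpasswd did: add the new value, then delete the old one.
add_then_delete = [("add", "sambaPwdLastSet", ["2000"]),
                   ("delete", "sambaPwdLastSet", ["1000"])]
# What the REPLACE patch does instead.
replace_only = [("replace", "sambaPwdLastSet", ["2000"])]

def try_modify(modlist, strict):
    """Return the resulting value list, or the error text a strict server gives."""
    try:
        return apply_modify(user, modlist, check_after_each=strict)["sambaPwdLastSet"]
    except SchemaViolation as exc:
        return f"error: {exc}"
```

An RFC-conformant server accepts add-then-delete because it checks only the final entry, while the strict server rejects the intermediate two-valued state; REPLACE passes on both.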
Created attachment 110 [details]
patch to change the modify behavior to use REPLACE
However, try this patch posted to samba-technical from
Erik Tews and see if it solves your problem. It is
under consideration for inclusion.
The patch did it. Thanks a lot! I will still contact Novell about their RFC
Wait, for some reason the patch only fixed smbpasswd but not pam_smbpass. The
latter still tries to do the ADD before the DELETE operation. Perhaps I
should open a new bug for pam_smbpass.
Please change this one to RESOLVED
*** Bug 387 has been marked as a duplicate of this bug. ***
I don't think we should work around non-RFC behaviour in LDAP servers, at least
not without a good config option. We will hit the same thing with atomically
incrementing counters (like next rid) and any sequence number we decide to store.
It also removes the small amount of 'transaction safety' we have with LDAP -
which we are starting to use a little.
Marking as 'WONTFIX', unless anybody objects.
Created attachment 164 [details]
UNOFFICIAL and almost untested version of the REPLACE patch for Samba RC4
I have modified the "LDAP use REPLACE" patch to work with Samba 3 RC4. Please
be aware that it's unofficial and little tested - use it at your own risk!
Patch by Petri Asikainen <firstname.lastname@example.org> applied that should fix this, without the
need to use REPLACE
Fixed in current CVS.
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.