Bug 330 - smbpasswd incompatible with NDS / eDirectory 8.7
Summary: smbpasswd incompatible with NDS / eDirectory 8.7
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0preX
Hardware: All Linux
Importance: P3 major
Target Milestone: 3.0.0rc3
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Reported: 2003-08-20 06:17 UTC by Ulf Dettmer
Modified: 2005-08-24 10:19 UTC

patch to change the modify behavior to use REPLACE (1.78 KB, patch)
2003-08-28 09:44 UTC, Gerald (Jerry) Carter (dead mail address)
UNOFFICIAL and almost untested version of the REPLACE patch for Samba RC4 (1.75 KB, patch)
2003-09-22 23:14 UTC, Ulf Dettmer

Description Ulf Dettmer 2003-08-20 06:17:22 UTC
smbpasswd incompatible with NDS / eDirectory 8.7

We use Samba 3 RC1 (upgraded from Samba 2.2.8a) on a SuSE 8.2 machine
configure'd with --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --libdir=/usr/lib --sysconfdir=/etc --mandir=/usr/man
--infodir=/usr/info --localstatedir=/var/log --with-configdir=/etc/samba
--with-privatedir=/etc/samba --with-lockdir=/var/lock/samba
--with-swatdir=/usr/lib/samba/swat --with-sambabook=/usr/lib/samba/swat/using_samba
--with-codepagedir=/usr/lib/samba/codepages --with-smbwrapper --with-automount
--with-smbmount --with-pam --with-pam_smbpass --with-ldap --with-ldapsam
--with-syslog --with-profiling-data --with-quotas --with-libsmbclient
--with-acl-support --with-sendfile-support --with-winbind --with-ads .
Novell eDirectory 8.7 on a remote machine serves as passdb store. I've tried 
both ldapsam and ldapsam_compat passdb backend.
There is no problem adding SambaSamAccount ( or SambaAccount in ldapsam_compat 
mode ) to a User object with "smbpasswd -a User". However this happens when I 
try smbpasswd on an existing user:

# smbpasswd User
New SMB password: xxxxx
Retype new SMB password: xxxxx
failed to modify user dn= cn=User,ou=People,ou=department,o=company,c=DE with: Constraint violation
        NDS error: cant have multiple values (-612)
failed to modify user with uid = User, error: NDS error: cant have multiple values (-612) (Success)
Failed to modify entry for user User.
Failed to modify password entry for user User

I believe the problem is related to an LDAP modify operation for the single 
value attributes (samba)pwdCanChange, (samba)pwdMustChange and 
(samba)pwdLastSet. smbpasswd tries to add the new value for each of these attributes 
before deleting the old value. This might work on some LDAP servers because it 
all happens in a single modify request but eDirectory 8.7 complains about it.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-08-28 09:43:31 UTC
I think this might be a problem with eDir:

Ok, RFC 2251, line 1815ff:

   - modification: A list of modifications to be performed on the entry.
     The entire list of entry modifications MUST be performed
     in the order they are listed, as a single atomic operation.  While
     individual modifications may violate the directory schema, the
     resulting entry after the entire list of modifications is performed
     MUST conform to the requirements of the directory schema.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-08-28 09:44:07 UTC
Created attachment 110 [details]
patch to change the modify behavior to use REPLACE
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-08-28 09:45:27 UTC
However, try this patch posted to samba technical from 
Erik Tews and see if it solves your problem.  It is 
under consideration for inclusion.
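
The disagreement in the comments above, modelled as an added example (not part of the bug report, and not Samba or eDirectory code): a toy ModifyRequest evaluator that checks single-valued attributes either once after the whole list, as the quoted RFC 2251 text requires, or after every modification, which is the behaviour the reporter attributes to eDirectory 8.7. The sample entry, the timestamp values and the `check_each_step` switch are constructed for illustration.

```python
"""Toy model of an LDAP ModifyRequest (added illustration, not Samba code)."""
import copy

# Single-valued attributes named in the report (ldapsam schema spelling).
SINGLE_VALUED = {"sambaPwdLastSet", "sambaPwdCanChange", "sambaPwdMustChange"}

class ConstraintViolation(Exception):
    pass

def check_schema(entry):
    for attr in SINGLE_VALUED:
        if len(entry.get(attr, [])) > 1:
            raise ConstraintViolation(attr + ": can't have multiple values")

def apply_mod(entry, op, attr, values):
    current = entry.get(attr, [])
    if op == "add":
        new = current + [v for v in values if v not in current]
    elif op == "delete":   # an empty value list removes the whole attribute
        new = [v for v in current if values and v not in values]
    elif op == "replace":
        new = list(values)
    else:
        raise ValueError("unknown modification: " + op)
    if new:
        entry[attr] = new
    else:
        entry.pop(attr, None)

def modify(entry, mods, check_each_step):
    work = copy.deepcopy(entry)      # atomic: stored entry is untouched on failure
    for op, attr, values in mods:    # applied strictly in the order listed
        apply_mod(work, op, attr, values)
        if check_each_step:          # assumed eDirectory 8.7 behaviour, per the report
            check_schema(work)
    check_schema(work)               # RFC 2251: only the resulting entry must conform
    return work

# Constructed sample entry and timestamps.
ENTRY = {"sambaPwdLastSet": ["1061360242"]}
OLD, NEW = ["1061360242"], ["1062000000"]
ADD_THEN_DELETE = [("add", "sambaPwdLastSet", NEW), ("delete", "sambaPwdLastSet", OLD)]
DELETE_THEN_ADD = [("delete", "sambaPwdLastSet", OLD), ("add", "sambaPwdLastSet", NEW)]
REPLACE = [("replace", "sambaPwdLastSet", NEW)]

def outcome(mods, check_each_step):
    try:
        return modify(ENTRY, mods, check_each_step)["sambaPwdLastSet"]
    except ConstraintViolation:
        return "Constraint violation"
```

In this model only the ADD-then-DELETE ordering separates the two checking strategies; DELETE-then-ADD and REPLACE are accepted under both.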
Comment 4 Ulf Dettmer 2003-09-01 00:10:04 UTC
The patch did it. Thanks a lot ! I will still contact Novell about their RFC 
conformance ...
Comment 5 Ulf Dettmer 2003-09-02 03:03:06 UTC
Wait, for some reason the patch only fixed smbpasswd but not pam_smbpass. The 
latter one still tries to do the ADD before the DELETE operation. Perhaps I 
should better open a new bug for pam_smbpass.
Please change this one to RESOLVED
Comment 6 Andrew Bartlett 2003-09-06 22:37:30 UTC
*** Bug 387 has been marked as a duplicate of this bug. ***
Comment 7 Andrew Bartlett 2003-09-06 22:39:52 UTC
I don't think we should work around non-RFC behaviour in LDAP servers, at least
not without a good config option.  We will hit the same thing with atomically
incrementing counters, (like next rid), and any sequence number we decide to store.

It also removes the small amount of 'transaction safety' we have with LDAP -
which we are starting to use a little.

Marking as 'WONTFIX', unless anybody objects.
Comment 8 Ulf Dettmer 2003-09-22 23:14:10 UTC
Created attachment 164 [details]
UNOFFICIAL and almost untested version of the REPLACE patch for Samba RC4

I have modified the "LDAP use REPLACE" patch to work with Samba 3 RC4. Please
be aware that it's unofficial and little tested - use it at your own risk !
Comment 9 Andrew Bartlett 2003-12-25 16:39:08 UTC
Patch by Petri Asikainen <paca@sci.fi> applied that should fix this, without the
need to use REPLACE
Comment 10 Andrew Bartlett 2003-12-25 16:40:03 UTC
Fixed in current CVS.
Comment 11 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:43 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 12 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:19:20 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.