Bug 4901 - "ldap passwd sync = only" broken
"ldap passwd sync = only" broken
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.25a
Other FreeBSD
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-20 06:49 UTC by Thierry Lacoste
Modified: 2008-03-14 12:05 UTC (History)
1 user (show)

See Also:


Attachments
trigger an ldap password change (414 bytes, patch)
2007-08-20 06:57 UTC, Thierry Lacoste
no flags Details
Don't skip password change when other attributes are not modified (614 bytes, patch)
2007-12-27 11:44 UTC, Laurent Pinchart
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Lacoste 2007-08-20 06:49:10 UTC
Overview Description:
ldap passwd sync = only was broken somewhere between 3.0.22 and 3.0.25a.

Steps to Reproduce:
Install samba-3.0.25a+OpenLDAP and set ldap passwd sync = only
Change a user's password from a joined XP client.

Actual Results:
XP reports success but no change appears in the LDAP db.

Expected Results:
The LDAP userPassword should have been changed.

Additional Information:

log level 10

[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295
  , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste

log level 10 on 3.0.22

[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database

Thierry.
Comment 1 Thierry Lacoste 2007-08-20 06:57:03 UTC
Created attachment 2874 [details]
trigger an ldap password change
Comment 2 Thierry Lacoste 2007-08-20 06:59:41 UTC
FWIW here's my analysis of the problem.

In passdb/pdb_ldap.c/ldapsam_modify_entry I read:

if (!mods) {
	DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
	/* may be password change below however */

ldapsam_modify_entry is called from ldapsam_update_sam_account and
ldapsam_add_sam_account but never with a NULL mods.

Therefore if mods is NULL in ldapsam_update_sam_account (which happens with
ldap passwd sync = only when a windows user changes his password) the LDAP
password is not changed.

This does not happen with 3.0.22 because pdb_set_pass_changed_now in
passdb/pdb_get_set.c changes PDB_MUSTCHANGETIME and PDB_CANCHANGETIME
in the SAM_ACCOUNT.
This entails that mod is not NULL in ldapsam_update_sam_account but this
is not true in 3.0.25a because pdb_set_pass_changed_now was removed.

The attached patch provides a crude workaround.
Comment 3 Laurent Pinchart 2007-12-27 11:44:15 UTC
Created attachment 3076 [details]
Don't skip password change when other attributes are not modified
Comment 4 Laurent Pinchart 2007-12-27 11:45:59 UTC
Confirmed with Samba 3.0.26a (Ubuntu Gutsy package) on Linux. The proposed patch make samba not skip the ldapsam_modify_entry call when mods is NULL, as mods is checked for NULL in ldapsam_modify_entry.
Comment 5 Volker Lendecke 2008-03-14 12:05:49 UTC
Fixes upstream with a slight modification

Thanks -- Volker