4901 – "ldap passwd sync = only" broken

Bug 4901 - "ldap passwd sync = only" broken

Summary: "ldap passwd sync = only" broken

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	User/Group Accounts (show other bugs)
Version:	3.0.25a
Hardware:	Other FreeBSD

Importance:	P3 normal
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-08-20 06:49 UTC by Thierry Lacoste
Modified:	2008-03-14 12:05 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
trigger an ldap password change (414 bytes, patch) 2007-08-20 06:57 UTC, Thierry Lacoste	no flags	Details
Don't skip password change when other attributes are not modified (614 bytes, patch) 2007-12-27 11:44 UTC, Laurent Pinchart	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Lacoste 2007-08-20 06:49:10 UTC

Overview Description:
ldap passwd sync = only was broken somewhere between 3.0.22 and 3.0.25a.

Steps to Reproduce:
Install samba-3.0.25a+OpenLDAP and set ldap passwd sync = only
Change a user's password from a joined XP client.

Actual Results:
XP reports success but no change appears in the LDAP db.

Expected Results:
The LDAP userPassword should have been changed.

Additional Information:

log level 10

[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295
  , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste

log level 10 on 3.0.22

[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database

Thierry.

Comment 1 Thierry Lacoste 2007-08-20 06:57:03 UTC

Created attachment 2874 [details]
trigger an ldap password change

Comment 2 Thierry Lacoste 2007-08-20 06:59:41 UTC

FWIW here's my analysis of the problem.

In passdb/pdb_ldap.c/ldapsam_modify_entry I read:

if (!mods) {
	DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
	/* may be password change below however */

ldapsam_modify_entry is called from ldapsam_update_sam_account and
ldapsam_add_sam_account but never with a NULL mods.

Therefore if mods is NULL in ldapsam_update_sam_account (which happens with
ldap passwd sync = only when a windows user changes his password) the LDAP
password is not changed.

This does not happen with 3.0.22 because pdb_set_pass_changed_now in
passdb/pdb_get_set.c changes PDB_MUSTCHANGETIME and PDB_CANCHANGETIME
in the SAM_ACCOUNT.
This entails that mod is not NULL in ldapsam_update_sam_account but this
is not true in 3.0.25a because pdb_set_pass_changed_now was removed.

The attached patch provides a crude workaround.

Comment 3 Laurent Pinchart 2007-12-27 11:44:15 UTC

Created attachment 3076 [details]
Don't skip password change when other attributes are not modified

Comment 4 Laurent Pinchart 2007-12-27 11:45:59 UTC

Confirmed with Samba 3.0.26a (Ubuntu Gutsy package) on Linux. The proposed patch make samba not skip the ldapsam_modify_entry call when mods is NULL, as mods is checked for NULL in ldapsam_modify_entry.

Comment 5 Volker Lendecke 2008-03-14 12:05:49 UTC

Fixes upstream with a slight modification

Thanks -- Volker