Overview Description:
ldap passwd sync = only was broken somewhere between 3.0.22 and 3.0.25a.

Steps to Reproduce:
Install samba-3.0.25a+OpenLDAP and set ldap passwd sync = only. Change a user's password from a joined XP client.

Actual Results:
XP reports success but no change appears in the LDAP db.

Expected Results:
The LDAP userPassword should have been changed.

Additional Information:

log level 10

[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 4294967295 , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste

log level 10 on 3.0.22

[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database

Thierry.
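The two log excerpts above are the only visible evidence of whether the LDAP password was actually written: the client sees success either way. The following script is an added example (not part of the bug report or of Samba) that parses smbd log-level-10 output in the two-line "[timestamp, level] file:function(line)" plus indented-message format shown in the report, and flags each ldapsam_update_sam_account attempt as "ldap_password_changed" (the "LDAP Password changed for user" message was logged) or "skipped_empty_mods" (the update ended on "mods is empty: nothing to update"). The sample log text is constructed from the excerpts above; the message patterns it matches are the ones quoted in this report and nothing else.

```python
import re
from dataclasses import dataclass

# Header line of an smbd log record, e.g.
# [2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<where>[\w./]+:\w+\(\d+\))$"
)

# Messages quoted in the bug report that bracket one password-sync attempt.
START_RE = re.compile(r"ldapsam_update_sam_account: user (\S+) to be modified has dn: (.+)$")
CHANGED_RE = re.compile(r"ldapsam_modify_entry: LDAP Password changed for user (\S+)$")
SKIPPED_RE = re.compile(r"ldapsam_update_sam_account: mods is empty: nothing to update for user: (\S+)$")


@dataclass
class Record:
    ts: str
    level: int
    where: str   # source file:function(line)
    msg: str     # indented message line(s) that follow the header


def parse_smbd_log(text):
    """Group header lines with their indented message lines into Records."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            records.append(Record(m["ts"], int(m["level"]), m["where"], ""))
        elif records and raw.strip():
            # Continuation line: belongs to the most recent header.
            records[-1].msg = (records[-1].msg + " " + raw.strip()).strip()
    return records


@dataclass
class SyncAttempt:
    user: str
    dn: str
    ts: str
    outcome: str = "unknown"  # "ldap_password_changed" | "skipped_empty_mods" | "unknown"


def audit_password_sync(text):
    """Return one SyncAttempt per ldapsam_update_sam_account call seen in the log."""
    attempts = []
    open_attempts = {}  # user -> attempt still waiting for its outcome
    for rec in parse_smbd_log(text):
        m = START_RE.search(rec.msg)
        if m:
            attempt = SyncAttempt(user=m[1], dn=m[2], ts=rec.ts)
            attempts.append(attempt)
            open_attempts[m[1]] = attempt
            continue
        m = CHANGED_RE.search(rec.msg)
        if m and m[1] in open_attempts:
            open_attempts.pop(m[1]).outcome = "ldap_password_changed"
            continue
        m = SKIPPED_RE.search(rec.msg)
        if m and m[1] in open_attempts:
            # With "ldap passwd sync = only" this means userPassword was never touched.
            open_attempts.pop(m[1]).outcome = "skipped_empty_mods"
    return attempts


# Constructed sample input, reproducing the shape of the report's 3.0.25a excerpt.
SAMPLE_3_0_25A = """\
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: lacoste
"""

# Constructed sample input, reproducing the shape of the report's 3.0.22 excerpt.
SAMPLE_3_0_22 = """\
[2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP database
"""

if __name__ == "__main__":
    for label, sample in (("3.0.25a", SAMPLE_3_0_25A), ("3.0.22", SAMPLE_3_0_22)):
        for a in audit_password_sync(sample):
            print(f"{label}: {a.ts} user={a.user} outcome={a.outcome}")
```

Run against a real log at "log level = 10", any attempt that ends as "skipped_empty_mods" on a host configured with "ldap passwd sync = only" is a password change the user believes succeeded but that never reached userPassword; an attempt left "unknown" means the log was truncated or the message text differs from the strings quoted here.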
Created attachment 2874: trigger an ldap password change
FWIW here's my analysis of the problem. In passdb/pdb_ldap.c/ldapsam_modify_entry I read:

    if (!mods) {
        DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
        /* may be password change below however */

ldapsam_modify_entry is called from ldapsam_update_sam_account and ldapsam_add_sam_account but never with a NULL mods. Therefore if mods is NULL in ldapsam_update_sam_account (which happens with ldap passwd sync = only when a windows user changes his password) the LDAP password is not changed.

This does not happen with 3.0.22 because pdb_set_pass_changed_now in passdb/pdb_get_set.c changes PDB_MUSTCHANGETIME and PDB_CANCHANGETIME in the SAM_ACCOUNT. This entails that mods is not NULL in ldapsam_update_sam_account, but this is not true in 3.0.25a because pdb_set_pass_changed_now was removed.

The attached patch provides a crude workaround.
Created attachment 3076: Don't skip password change when other attributes are not modified
Confirmed with Samba 3.0.26a (Ubuntu Gutsy package) on Linux. The proposed patch makes samba not skip the ldapsam_modify_entry call when mods is NULL, as mods is checked for NULL in ldapsam_modify_entry.
Fixes upstream with a slight modification. Thanks -- Volker