# Samba+LDAP password change - smbldap-passwd vs. smbpasswd

## qubix

Hi!

I've got a PDC samba installation with OpenLDAP and smbldap-tools.

I also use the LDAP to authorize users in SSH, Apache and PostgreSQL through PAM.

I've noticed that when users change their passwords using ctrl-alt-del in Windows or using smbpasswd, the LDAP attributes:

```
sambaPwdMustChange
shadowLastChange
shadowMax
```

are not modified in the OpenLDAP database. They are however modified if I change the password using smbldap-passwd.

The problem pops up when a user's password gets old: PAM starts complaining about that, and a simple ctrl-alt-del password change does not solve it.

I could write a script that would update those parameters for all users in my LDAP once a day, since Samba monitors when a user needs to change the password by the sambaPwd* parameters, but that is such a nasty solution.

How can I make those 3 parameters above get changed by Samba by itself? I have tried to google it, with no results.

----------

## neonknight

You will need to put the following line in your /etc/samba/smb.conf to make Samba use smbldap-passwd for all password change requests:

```
passwd program = /usr/sbin/smbldap-passwd '%u'
```

----------

## qubix

Hi!

Thanks for answering.

I guess that this will start working only after I use:

```
unix password sync = yes
```

Apart from the passwd program, will samba also change my ldap passwords by itself? I have ldap password sync = yes in my config.

What LDAP ACLs do I need for this to work?

My current smb.conf:

```
[global]
 netbios name = togusa
 workgroup = aaaaaaa
 server string = Serwer domeny
 hosts allow = 192.168.0.0/24 127.0.0.0/8
 security = user
 encrypt passwords = yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 local master = yes
 os level = 65
 domain master = yes
 preferred master = yes
 null passwords = no
 hide unreadable = yes
 hide dot files = yes
 domain logons = yes
 logon path = \\%L\profiles\%U
 logon drive = H:
 logon home = \\%L\%U
 wins support = yes
 name resolve order = wins lmhosts host bcast
 dns proxy = no
 time server = yes
 log file = /var/log/samba/log.%m
 max log size = 50
 add user script = /usr/sbin/smbldap-useradd -m "%u"
 add machine script = /usr/sbin/smbldap-useradd -w "%u"
 add group script = /usr/sbin/smbldap-groupadd -p "%g"
 add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
 delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
 set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
 # these two have just been added
 unix password sync = yes
 passwd program = /usr/sbin/smbldap-passwd -u "%u"
 passdb backend = ldapsam:ldap://127.0.0.1/
 ldap delete dn = Yes
 ldap ssl = no
 ldap passwd sync = yes
 ldap suffix = dc=aaaaaa,dc=pl
 ldap admin dn = cn=Manager,dc=aaaaaa,dc=pl
 ldap group suffix = ou=Groups
 ldap user suffix = ou=Users
 ldap machine suffix = ou=Computers
 ldap idmap suffix = ou=Idmap
```

My current "ACLs" in slapd.conf:

```
access to *
        by * read
        by anonymous auth
```
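The ACL above grants `by * read` on every attribute, so the sambaNTPassword, sambaLMPassword and userPassword values are readable by any bind, anonymous included (the later `by anonymous auth` line is never reached). A tighter slapd.conf ACL for this setup, added here as an example rather than taken from the thread, keeps the hash attributes unreadable while still letting Samba and smbldap-passwd rewrite them. It assumes smbldap-tools bind as the same cn=Manager DN that smb.conf gives as ldap admin dn; adjust the DN if smbldap_bind.conf uses a different one.

```conf
# Example slapd.conf ACL (added; not from the original post).
# Assumption: Samba (ldap admin dn) and smbldap-tools (smbldap_bind.conf)
# both bind as cn=Manager,dc=aaaaaa,dc=pl.
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# one whose target matches, then at the first matching "by" clause, so
# the password clause must come before the catch-all.

# Password hashes: the admin DN and the user himself may write them,
# anyone may use them to bind (auth), nobody else may read them.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=Manager,dc=aaaaaa,dc=pl" write
        by self write
        by anonymous auth
        by * none

# Everything else (including sambaPwdMustChange, shadowLastChange and
# shadowMax) stays readable, as in the original ACL, so PAM/NSS can
# still evaluate password aging; only the admin DN may modify it, which
# is what smbldap-passwd and the smbldap-useradd/groupmod scripts need.
access to *
        by dn.exact="cn=Manager,dc=aaaaaa,dc=pl" write
        by * read
```

After changing the ACL, an `ldapsearch` as an anonymous or ordinary user bind should no longer return the three hash attributes, while `smbldap-passwd` run as root should still update sambaPwdMustChange, shadowLastChange and shadowMax.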

----------

## qubix

Hi!

If I add 

```
 unix password sync = yes
 passwd program = /usr/sbin/smbldap-passwd -u "%u"
```

when a user uses ctrl-alt-del to change his password, a message pops up about a wrong new password, saying that the password has not yet been changed. Actually the password is changed to the new value, but error messages about a wrong new password are still shown.

Any suggestions?

----------

## neonknight

You definitely should not specify the parameter -u! This only changes the Unix password but not the Samba password, see "smbldap-passwd --help". smbldap-tools directly accesses your LDAP server to change values such as passwords.

Maybe you will also need to replace %u by %U - there's a difference in the username Samba uses if you change from lowercase to uppercase letters. It is well described in the Samba manuals, although I don't really understand the difference anymore after using it in a few installations. My best practice is to test which one will work in the current setup.

----------

## qubix

Hi! Thanks for the interest!

I've tested that with %u, %U. In my opinion %u is the proper way - it works for other scripts.

Since I'm a bit fed up with the problem, I've decided to do a stupid (?) LDIF modification that changes shadowMax on all accounts to 10000 days (that's over 27 years). Other Samba parameters keep track of users changing their passwords by themselves anyway. Wonder who will die first... the shadow passwords, me or the Gentoo on this PC.

----------

