  #1 (permalink)  
Old 07-09-2008, 06:40 AM
Starter Member
 
Posts: 2
[SOLVED] Samba password sync

Hi All,

I've got an issue with samba_ldap password synchronization against the Zimbra LDAP; I wonder if anyone out there can shed some light on it.

I'm running Zimbra 5 network edition (trial version) on RH4 x86_64, with Posix & Samba extensions. I also installed and configured nss_ldap and pam_ldap. I can "su - user" where user is defined in Zimbra ldap, so everything is working so far. Also "getent passwd" is consistent with the contents of the Zimbra LDAP.

Then, on the same host I've configured samba 3.0.25b to authenticate against Zimbra. And here's what I found:

1) If I change the user's password using the administration console AND the "Password does not expire" in the Samba Account tab is checked, then I can mount the samba share on a client machine by providing the user account and user's password.

2) If I change the user's password using the administration console BUT the "Password does not expire" in the Samba Account tab is NOT checked, then the mount fails with error NT_STATUS_PASSWORD_MUST_CHANGE (I can see it in the samba logs).

3) If the user logs in via the web interface and changes the password (Preferences tab), then the user's password gets changed but the samba password doesn't, so the mount fails with error NT_STATUS_WRONG_PASSWORD.


So, it looks like when the user changes his password through the web interface, the Samba password goes out of sync. Only the Zimbra Admin Console updates both the user password and the samba password, but this is unacceptable.
Any hint?

Thanks in advance.
LP
  #2 (permalink)  
Old 07-09-2008, 11:11 AM
Starter Member
 
Posts: 2
SOLVED - Look for zimbraSambaPassword extension

Sorry to bug you all, the solution is already on the Zimbra website.
Look for zimbraSambaPassword extension.

Get or contribute Zimlets, UI themes, and languages in the Zimbra Gallery - zimbraSambaPassword Extension

Regs
LP
  #3 (permalink)  
Old 07-10-2008, 03:57 AM
New Member
 
Posts: 4

Thanks, this is what I was looking for just today :-)
  #4 (permalink)  
Old 02-24-2009, 03:08 AM
Special Member
 
Posts: 167

Using zimbraSambaPassword by A. Messina you get password sync, but with samba 3.0.28b (actual CentOS 5.2, at the time I am writing) there is still this issue:

Quote:
[10:19:30 root@zimbra ~ ]# smbclient -U maumar //zimbra.dominio.it/maumar
Password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

I solved it, as you wrote, by checking

Quote:
the "Password does not expire" in the Samba Account tab is checked

Googling, I find that it is related to:

Quote:
sambaPwdLastSet
FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

Maybe by changing the password last change, the issue gets fixed.

Quote:
pdbedit -v -u maumar |grep Password
Password last set: 0
Password can change: 0
Password must change: 0

Hopefully Antonio could help to understand what the problem is.

Last edited by maumar : 02-24-2009 at 03:12 AM.
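
Editorial example (added here; not code from any poster or from the zimbraSambaPassword extension): a diagnostic that parses an LDIF export and lists accounts whose sambaPwdLastSet is missing or 0 and whose sambaAcctFlags lack the X flag (Samba's "password does not expire" account flag). It assumes, as the observations in this thread suggest, that this combination is what produces NT_STATUS_PASSWORD_MUST_CHANGE; the LDIF sample is constructed and the function names are hypothetical.

```python
# Constructed sample shaped like `ldapsearch -LLL` output (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
sambaAcctFlags: [UX         ]
sambaPwdLastSet: 0

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1235462880

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
sambaAcctFlags: [U          ]
"""


def parse_ldif(text):
    """Return one {attribute: value} dict per entry (single-valued, unfolded LDIF)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        entries.append({k.lower(): v.strip() for k, v in pairs})
    return entries


def must_change_candidates(text):
    """Return uids with no usable sambaPwdLastSet and no X (no-expiry) flag."""
    flagged = []
    for e in parse_ldif(text):
        if "sambaacctflags" not in e:
            continue  # entry has no Samba attributes, nothing to check
        last_set = e.get("sambapwdlastset", "0")  # assumption: missing counts as 0
        never_set = not last_set.isdigit() or int(last_set) == 0
        no_expiry = "X" in e["sambaacctflags"]
        if never_set and not no_expiry:
            flagged.append(e.get("uid", e.get("dn")))
    return flagged


if __name__ == "__main__":
    print(must_change_candidates(SAMPLE_LDIF))
```

Run against a real export, the list shows which accounts a password-sync hook has left without a last-set timestamp, which is worth checking before turning off "Password does not expire" to enforce a change policy.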
  #5 (permalink)  
Old 05-31-2009, 03:29 AM
Active Member
 
Posts: 31

Hello everyone,

Has anyone managed to sort out the issue with "session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE"?

After playing around with the zimbra.samba.SambaPassword extension, I've managed to get the syncing to work when the user changes the password. However, this does not make any change to the PASSWORD_MUST_CHANGE error the user gets when trying to mount the network share. Even when I change the password from a web UI, I still get this error. The only way to deal with it is to manually change the password using the smbpasswd command, which is not an option for most users as I do not want them to have ssh access to the server.

The option of Password does not expire is not really a solution for me as I would like to implement a password change policy.

Does anyone have any idea on how this can be solved?

Thanks

Andrei