  #1 (permalink)  
Old 10-25-2009, 10:24 PM
Loyal Member
 
Posts: 83
Default [SOLVED] Changing the Admin password after samba zimlet is deployed

Hey all, I get this error when attempting to change the password for the admin account:
Code:
Message: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed] Error code: service.INVALID_REQUEST Method: SetPasswordRequest Details:soap:Sender
It's similar to this thread but this one went unanswered for 2 years. I'm hoping that someone has stumbled on to the fix by now.

I have a few zimlets installed as you might already know:
zimbra_posixaccount.zip
zimbra_samba.zip
zimbraSambaPassword.zip

The steps:
1) Log into the Admin UI: https://host.domain.com:7071/zimbraAdmin/
2) Click Accounts
3) Right-click admin > change password
4) Enter password twice > click OK: ERROR
Here's what mailbox.log says about it:
Code:
# tail -f /opt/zimbra/log/mailbox.log
2009-10-25 23:10:25,050 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountRequest
2009-10-25 23:10:25,068 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetMailboxRequest
2009-10-25 23:10:25,097 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountMembershipRequest
2009-10-25 23:10:25,179 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountInfoRequest
2009-10-25 23:10:25,315 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - SetPasswordRequest
2009-10-25 23:10:25,475 WARN  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] misc - checkValue: no attribute info for: sambaNTPassword
2009-10-25 23:10:25,475 WARN  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] misc - checkValue: no attribute info for: sambaLMPassword
2009-10-25 23:10:25,577 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]
ExceptionId:btpool0-2:1256530225576:13a653926a956e19
Code:service.INVALID_REQUEST
        at com.zimbra.common.service.ServiceException.INVALID_REQUEST(ServiceException.java:260)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:306)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:272)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:253)
        at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1661)
        at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3334)
        at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3184)
        at com.zimbra.cs.service.admin.SetPassword.handle(SetPassword.java:65)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:430)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:286)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:160)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:275)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1102)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:130)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:350)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.Server.handle(Server.java:313)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:489)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:834)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:364)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]; remaining name 'uid=admin,ou=people,dc=ptest,dc=us'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3048)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2963)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2769)
        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1451)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
        at com.zimbra.cs.account.ldap.ZimbraLdapContext.modifyAttributes(ZimbraLdapContext.java:554)
        at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:416)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:294)
        ... 36 more
OR
Log into admin's webmail > go to preferences > Change Password > click OK: Error: An invalid request was made.
Code:
# tail -f /opt/zimbra/log/mailbox.log
2009-10-25 23:07:52,365 INFO  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] soap - ChangePasswordRequest
2009-10-25 23:07:52,473 WARN  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] misc - checkValue: no attribute info for: sambaNTPassword
2009-10-25 23:07:52,473 WARN  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] misc - checkValue: no attribute info for: sambaLMPassword
2009-10-25 23:07:52,523 INFO  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]
ExceptionId:btpool0-0:1256530072521:13a653926a956e19
Code:service.INVALID_REQUEST
        at com.zimbra.common.service.ServiceException.INVALID_REQUEST(ServiceException.java:260)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:306)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:272)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:253)
        at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1661)
        at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3334)
        at com.zimbra.cs.account.ldap.LdapProvisioning.changePassword(LdapProvisioning.java:3109)
        at com.zimbra.cs.service.account.ChangePassword.handle(ChangePassword.java:63)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:430)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:286)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:160)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:275)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1102)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:146)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:350)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
        at org.mortbay.jetty.Server.handle(Server.java:313)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:489)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:834)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:364)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]; remaining name 'uid=admin,ou=people,dc=ptest,dc=us'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3048)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2963)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2769)
        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1451)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
        at com.zimbra.cs.account.ldap.ZimbraLdapContext.modifyAttributes(ZimbraLdapContext.java:554)
        at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:416)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:294)
        ... 36 more
I see that there's a problem with the sambaNTPassword zimlet loaded on the system. As you may have guessed, I haven't mastered LDAP yet, so please be gentle. Here's the question:

How do I exempt the admin account from the constraints of intended samba users so that I may change the admin password periodically?

Thanks in advance,
todd_dsm

Don't forget to Vote for this bug:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

Last edited by todd_dsm; 10-08-2010 at 10:21 AM..
  #2 (permalink)  
Old 10-25-2009, 11:16 PM
Moderator
 
Posts: 1,147
Default

As far as I know there is no "in between" way of doing this... you either have all your accounts with the Samba/POSIX attributes, or none.

My guess is that the admin account (and possibly all accounts created before you performed the samba extensions install) doesn't have the samba object class installed. So when the LDAP extensions defined in the samba admin extension try to set the Samba attributes they fail as they are not allowed on that account.

If my guess is correct the output of the following command will be missing either one or both of the samba / posix objectClasses:
Code:
zimbra@email:~$ zmprov ga admin@domain.com | grep objectClass
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
objectClass: posixAccount
objectClass: sambaSamAccount
To add the correct objectClasses to existing accounts you need to run the commands found at the end of the linked section here: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki

Hmmm... there might be a way to actually do this without adding those attributes if you are set against it. You could try disabling the admin extensions and changing the password, but be warned that all accounts with those objectClass extensions will probably not show up, or other crazy behavior...
  #3 (permalink)  
Old 10-27-2009, 12:40 PM
Loyal Member
 
Posts: 83
Default It works!

ArcaneMagus: thanks for hitting this one. This is the output of my admin account:
Code:
$ zmprov ga admin@domain.com | grep objectClass
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
===

I'm no big fan of skittish behavior so, per your advice, I ran these commands:
Code:
zmprov ma admin@domain.com +objectClass posixAccount uidNumber 1000 gidNumber 1001 homeDirectory /bin/false loginShell /sbin/nologin

zmprov ma admin@domain.com +objectClass sambaSamAccount sambaDomainName OFFICE sambaSID S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz sambaAcctFlags [UX]
Re-running the getAccount now displays all object classes:
Code:
$ zmprov ga admin@domain.com | grep objectClass
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
objectClass: posixAccount
objectClass: sambaSamAccount
...and now there is peace in the valley, once again...

Thanks in advance,
todd_dsm

Last edited by todd_dsm; 10-08-2010 at 10:22 AM..
  #4 (permalink)  
Old 06-30-2010, 09:29 AM
Starter Member
 
Posts: 1
Thumbs up Thanks

I just wanted to thank you both, because we hit exactly the same problem as todd_dsm (without knowing the exact cause) and it is now working like a charm after applying ArcaneMagus' fix.

Being somewhat unfamiliar with Linux, it took me a little while to figure out what my uidNumber and gidNumber should be. For anyone with the same hurdle: the gidNumber (or group id) can be copied from an existing user (for example using the web UI for Zimbra admin) and for the uidNumber (or user id) I looked at the uid of existing users and took the next one available. I also took the samba information (domain and SID) from the web admin UI.
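
The check and the uidNumber choice discussed in this thread, as an added shell example that is not part of any post: `missing_classes` reports which of the two objectClasses an account lacks, and `next_uid` picks a uidNumber as highest existing value plus one, which is one reading of "the next one available". The function names, `REQUIRED_CLASSES`, the floor of 1000 and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Input samples below are constructed.
REQUIRED_CLASSES="posixAccount sambaSamAccount"

# Read `zmprov ga <account>` output on stdin; print the required
# objectClasses that are absent, space separated (empty line = none missing).
missing_classes() {
    awk -v required="$REQUIRED_CLASSES" '
        $1 == "objectClass:" { have[$2] = 1 }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) {
                    out = (out == "" ? req[i] : out " " req[i])
                }
            print out
        }'
}

# Read existing uidNumber values (one per line) on stdin; print highest + 1,
# never below the floor given as $1 (default 1000, an assumption).
next_uid() {
    awk -v floor="${1:-1000}" '
        /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { print (max + 1 > floor ? max + 1 : floor) }'
}

# Constructed sample: account created before the Samba extension was installed.
sample_before() {
    cat <<'EOF'
mail: admin@domain.com
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
EOF
}

# Constructed sample: the same account after both objectClasses were added.
sample_after() {
    sample_before
    printf 'objectClass: posixAccount\nobjectClass: sambaSamAccount\n'
}

echo "before: missing [$(sample_before | missing_classes)]"
echo "after:  missing [$(sample_after | missing_classes)]"
echo "next uidNumber: $(printf '1000\n1001\n1003\n' | next_uid)"
```

On a live server the same filter can be fed directly, for example `zmprov ga admin@domain.com | missing_classes`, before attempting a password change.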