Thread: [SOLVED] Changing the Admin password after samba zimlet is deployed

  1. #1
    todd_dsm

    Hey all, I get this error when attempting to change the password for the admin account:
    Code:
    Message: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed] Error code: service.INVALID_REQUEST Method: SetPasswordRequest Details:soap:Sender
    It's similar to this thread but this one went unanswered for 2 years. I'm hoping that someone has stumbled on to the fix by now.

    I have a few zimlets installed as you might already know:
    zimbra_posixaccount.zip
    zimbra_samba.zip
    zimbraSambaPassword.zip

    The steps:
    1) Log into the Admin UI: https://host.domain.com:7071/zimbraAdmin/
    2) Click Accounts
    3) Right-click admin > change password
    4) Enter password twice > click OK: ERROR
    Here's what mailbox.log says about it:
    Code:
    # tail -f /opt/zimbra/log/mailbox.log
    2009-10-25 23:10:25,050 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountRequest
    2009-10-25 23:10:25,068 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetMailboxRequest
    2009-10-25 23:10:25,097 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountMembershipRequest
    2009-10-25 23:10:25,179 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetAccountInfoRequest
    2009-10-25 23:10:25,315 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] soap - SetPasswordRequest
    2009-10-25 23:10:25,475 WARN  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] misc - checkValue: no attribute info for: sambaNTPassword
    2009-10-25 23:10:25,475 WARN  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] misc - checkValue: no attribute info for: sambaLMPassword
    2009-10-25 23:10:25,577 INFO  [btpool0-2] [name=admin@domain.com;mid=1;ip=10.0.0.101;ua=ZimbraWebClient - FF3.0 (Win);] SoapEngine - handler exception
    com.zimbra.common.service.ServiceException: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]
    ExceptionId:btpool0-2:1256530225576:13a653926a956e19
    Code:service.INVALID_REQUEST
            at com.zimbra.common.service.ServiceException.INVALID_REQUEST(ServiceException.java:260)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:306)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:272)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:253)
            at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1661)
            at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3334)
            at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3184)
            at com.zimbra.cs.service.admin.SetPassword.handle(SetPassword.java:65)
            at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:430)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:286)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:160)
            at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:275)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1102)
            at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
            at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:130)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
            at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
            at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
            at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
            at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
            at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
            at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
            at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:350)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.Server.handle(Server.java:313)
            at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:489)
            at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:834)
            at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
            at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
            at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:364)
            at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
            at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]; remaining name 'uid=admin,ou=people,dc=ptest,dc=us'
            at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3048)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2963)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2769)
            at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1451)
            at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
            at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
            at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
            at com.zimbra.cs.account.ldap.ZimbraLdapContext.modifyAttributes(ZimbraLdapContext.java:554)
            at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:416)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:294)
            ... 36 more
    OR
    Log into admin's webmail > go to preferences > Change Password > click OK: Error: An invalid request was made.
    Code:
    # tail -f /opt/zimbra/log/mailbox.log
    2009-10-25 23:07:52,365 INFO  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] soap - ChangePasswordRequest
    2009-10-25 23:07:52,473 WARN  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] misc - checkValue: no attribute info for: sambaNTPassword
    2009-10-25 23:07:52,473 WARN  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] misc - checkValue: no attribute info for: sambaLMPassword
    2009-10-25 23:07:52,523 INFO  [btpool0-0] [ip=127.0.0.1;ua=zclient/5.0.19_GA_3083.RHEL5_64;] SoapEngine - handler exception
    com.zimbra.common.service.ServiceException: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]
    ExceptionId:btpool0-0:1256530072521:13a653926a956e19
    Code:service.INVALID_REQUEST
            at com.zimbra.common.service.ServiceException.INVALID_REQUEST(ServiceException.java:260)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:306)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:272)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:253)
            at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1661)
            at com.zimbra.cs.account.ldap.LdapProvisioning.setPassword(LdapProvisioning.java:3334)
            at com.zimbra.cs.account.ldap.LdapProvisioning.changePassword(LdapProvisioning.java:3109)
            at com.zimbra.cs.service.account.ChangePassword.handle(ChangePassword.java:63)
            at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:430)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:286)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:160)
            at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:275)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1102)
            at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
            at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:146)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
            at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:361)
            at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
            at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
            at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
            at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
            at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
            at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:350)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.Server.handle(Server.java:313)
            at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:489)
            at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:834)
            at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
            at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
            at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:364)
            at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
            at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]; remaining name 'uid=admin,ou=people,dc=ptest,dc=us'
            at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3048)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2963)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2769)
            at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1451)
            at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
            at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
            at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
            at com.zimbra.cs.account.ldap.ZimbraLdapContext.modifyAttributes(ZimbraLdapContext.java:554)
            at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:416)
            at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:294)
            ... 36 more
    I see that there's a problem with the sambaNTPassword zimlet loaded on the system. As you may have guessed, I haven't mastered ldap yet, so please be gentle. Here's the question:

    How do I exempt the admin account from the constraints of intended samba users so that I may change the admin password periodically?

    Thanks in advance,
    todd_dsm


  2. #2
    ArcaneMagus

    As far as I know there is no "in between" way of doing this... you either have all your accounts with the Samba/POSIX attributes, or none.

    My guess is that the admin account (and possibly all accounts created before you performed the samba extensions install) doesn't have the samba object class installed. So when the LDAP extensions defined in the samba admin extension try to set the Samba attributes they fail as they are not allowed on that account.

    If my guess is correct the output of the following command will be missing either one or both of the samba / posix objectClasses:
    Code:
    zimbra@email:~$ zmprov ga admin@domain.com | grep objectClass
    objectClass: organizationalPerson
    objectClass: zimbraAccount
    objectClass: amavisAccount
    objectClass: posixAccount
    objectClass: sambaSamAccount
    To add the correct objectClasses to existing accounts you need to run the commands found at the end of the linked section here: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki

    Hmmm... there might be a way to actually do this without adding those attributes if you are set against it. You could try disabling the admin extensions and changing the password, but be warned that all accounts with those objectClass extensions will probably not show up, or other crazy behavior...

  3. #3
    todd_dsm

    It works!

    ArcaneMagus: thanks for hitting this one. This is the output of my admin account:
    Code:
    $ zmprov ga admin@domain.com | grep objectClass
    objectClass: organizationalPerson
    objectClass: zimbraAccount
    objectClass: amavisAccount
    ===

    I'm no big fan of skittish behavior so, per your advice, I ran these commands:
    Code:
    zmprov ma admin@domain.com +objectClass posixAccount uidNumber 1000 gidNumber 1001 homeDirectory /bin/false loginShell /sbin/nologin
    
    zmprov ma admin@domain.com +objectClass sambaSamAccount sambaDomainName OFFICE sambaSID S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz sambaAcctFlags '[UX]'
    Re-running the getAccount now displays all object classes:
    Code:
    $ zmprov ga admin@domain.com | grep objectClass
    objectClass: organizationalPerson
    objectClass: zimbraAccount
    objectClass: amavisAccount
    objectClass: posixAccount
    objectClass: sambaSamAccount
    ...and now there is peace in the valley, once again...

    Thanks in advance,
    todd_dsm


  4. #4
    am_cornelis

    Thanks

    I just wanted to thank you both, because we hit exactly the same problem as todd_dsm (without knowing the exact cause) and it is now working like a charm after applying ArcaneMagus' fix.

    Being somewhat unfamiliar with linux, it took me a little while to figure out what my uidNumber and gidNumber should be. For anyone with the same hurdle: the gidNumber (or group id) can be copied from an existing user (for example using the web UI for zimbra admin) and for the uidNumber (or user id) I looked at the uid of existing users and took the next one available. I also took the samba information (domain and SID) from the web admin UI.
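
The check behind the fix in this thread, as an added example (not part of any post above and not Zimbra's own tooling): one function reports which of the required objectClasses are missing from `zmprov ga` output, the other lists the entries that hit LDAP error code 65 in mailbox.log. The function and variable names are assumptions, and the sample data is constructed from the output quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: triage for the LDAP "error code 65" failure in this thread.
# Function and variable names here are hypothetical, not Zimbra tooling.

# objectClasses the thread says an account needs before the Samba
# password attributes (sambaNTPassword / sambaLMPassword) can be written.
REQUIRED_CLASSES="posixAccount sambaSamAccount"

# stdin: output of `zmprov ga <account>`.
# stdout: each required objectClass that is absent, one per line.
# Returns 1 if anything is missing, 0 otherwise.
missing_object_classes() {
    local present cls rc=0
    present=$(awk -F': ' '$1 == "objectClass" { print $2 }')
    for cls in $REQUIRED_CLASSES; do
        if ! printf '%s\n' "$present" | grep -qxF "$cls"; then
            printf '%s\n' "$cls"
            rc=1
        fi
    done
    return "$rc"
}

# stdin: mailbox.log.
# stdout: "entry DN<TAB>rejected attribute" for each SchemaViolationException
# with LDAP result code 65, de-duplicated, so affected accounts can be listed.
schema_violations() {
    awk -F"'" '/SchemaViolationException: \[LDAP: error code 65 / {
        print $4 "\t" $2
    }' | sort -u
}

# Constructed samples, copied from the output quoted in the thread.
SAMPLE_GA='objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount'
SAMPLE_LOG="Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'sambaNTPassword' not allowed]; remaining name 'uid=admin,ou=people,dc=ptest,dc=us'"

printf '%s\n' "$SAMPLE_GA" | missing_object_classes \
    || echo "^ add these objectClasses before changing the password"
printf '%s\n' "$SAMPLE_LOG" | schema_violations
```

On a live server, pipe `zmprov ga admin@domain.com` and `/opt/zimbra/log/mailbox.log` into the two functions in place of the samples.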
