I have followed "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0" (Zimbra :: Wiki) somewhat (some changes needed because Samba in my case is running under OpenSolaris, so LDAP client configuration is handled differently from the way it's handled under Linux) and have the following situation:
From the Zimbra Admin interface (off port 7071), if an admin changes a user's password, it correctly applies to both ZWC and Samba logins.
When a user is logged into ZWC and changes their password, it only changes for ZWC but not for Samba. I'm not sure where to look for debugging information on this. Since the admin interface works correctly to change the Windows password, I'd really like the ZWC to work correctly as well.
When a user initiates a password change from a Windows workstation attached to the Samba PDC, it correctly changes the Samba/Windows password, but fails to change the LDAP password and gives a misleading error to the user, making them think the password change failed when it didn't. Capturing the LDAP traffic between the Samba server and the Zimbra LDAP server and looking at it with Wireshark, when Samba (bound as 'uid=zmposixroot,cn=appaccts,cn=zimbra') attempts to do the passwdModifyOID against the correct userIdentity (in this case, uid=test_ts,ou=people,dc=ledgertranscript,dc=com), it gets back the LDAP error 'insufficientAccessRights'.
Does anyone know which step in the wiki entry for integrating Samba and ZCS6 is supposed to grant zmposixroot the right to change an LDAP user's password?