[Bug 885758] Re: 'ldap passwd sync = yes' and ldap password not updated
Debra Virden
teddydlv at yahoo.com
Sun Mar 3 22:49:35 UTC 2013
** Description changed:
- After upgrading a server (with ubuntu server) to lucid from previous LTS (hardy?), users start complain that, after changing passwords, windows works but other services (imap, ssh, ...) not.
- After some hours of test, i've discovered that simply the NT/LM password got updated, the 'POSIX' ldap one not.
+ After upgrading a server (with ubuntu server) to lucid from previous LTS (hardy?), users start complaining that, after changing passwords, windows works but other services (imap, ssh, ...) don't.
+ After some hours of testing, I've discovered that simply the NT/LM password got updated, the 'POSIX' ldap one did not.
Running 'smbpasswd -D 5 gaio' lead to:
- smbldap_check_root_dse: Expected one rootDSE, got 0
+ smbldap_check_root_dse: Expected one rootDSE, got 0
some other googling take me to the needs to add another ACL, so i've added:
- access to attrs=namingcontexts
- by * read
+ access to attrs=namingcontexts
+ by * read
and now works.
Some notes:
- 1) i don't know if this is the correct/best ACL to add, and if this is a bug 'per se' or a side effects of the upgrade: i've no other lucid system to test with...
- 2) this is probably a 'openldap upgrade bug'
- 3) this is mainly a samba bug, i think: if i set 'ldap passwd sync = yes' and ldap password fail, i this it is better to reject the entire password changing operation, not to have ''half-changed'' password.
+ 1) I don't know if this is the correct/best ACL to add, and if this is a bug 'per se' or a side effects of the upgrade: I have no other lucid system to test with...
+ 2) This is probably a 'openldap upgrade bug'.
+ 3) This is mainly a samba bug, I think: if I set 'ldap passwd sync = yes' and ldap password fails. If it is better to reject the entire password changing operation, to not have a ''half-changed'' password.
- I've marked also the ''security bug'' check because i think that this is
- a security issue: sysadmin could set a dumb password for a first logon,
+ I've marked also the ''security bug'' check because I think that this is
+ a security issue: sysadmin could set a dumb password for a first login,
then users change immediately but the dumb password remains for all non-
windows services.
thanks.
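Review bot: the reworded note 3) no longer carries the reporter's point. The removed line reads "i this it is better to reject the entire password changing operation, not to have ''half-changed'' password" (evidently "I think"), but the added line ends the sentence at "fails." and opens a new one with "If it is better to reject ...", which leaves a conditional with no conclusion. Suggest "... and ldap password fails, I think it is better to reject the entire password changing operation, so as not to have a ''half-changed'' password." The other added lines differ from the removed ones only in spelling, capitalisation and grammar.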
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/885758
Title:
'ldap passwd sync = yes' and ldap password not updated
Status in “samba” package in Ubuntu:
New
Bug description:
After upgrading a server (with Ubuntu Server) to lucid from the previous LTS (hardy?), users started complaining that, after changing passwords, Windows works but other services (imap, ssh, ...) don't.
After some hours of testing, I've discovered that simply the NT/LM password got updated, the 'POSIX' LDAP one did not.
Running 'smbpasswd -D 5 gaio' led to:
    smbldap_check_root_dse: Expected one rootDSE, got 0
Some more googling led me to the need to add another ACL, so I've added:
    access to attrs=namingcontexts
        by * read
and now it works.
Some notes:
1) I don't know if this is the correct/best ACL to add, and if this is a bug 'per se' or a side effect of the upgrade: I have no other lucid system to test with...
2) This is probably an 'openldap upgrade bug'.
3) This is mainly a samba bug, I think: if I set 'ldap passwd sync = yes' and ldap password fails, I think it is better to reject the entire password changing operation, to not have a ''half-changed'' password.
I've also marked the ''security bug'' check because I think that this
is a security issue: a sysadmin could set a dumb password for a first
login, then users change it immediately but the dumb password remains for
all non-windows services.
thanks.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/885758/+subscriptions
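A way to audit a directory for the ''half-changed'' state this report describes, as an added example that is not part of the bug report or of Samba: it compares each account's sambaPwdLastSet with pwdChangedTime and lists accounts whose LDAP password lags the Samba hash. It assumes slapd's ppolicy overlay is enabled so that pwdChangedTime is recorded; the function names and the LDIF sample are constructed for illustration.

```python
# Added example (not from the bug report or from Samba). Assumption: slapd's
# ppolicy overlay is enabled, so pwdChangedTime tracks userPassword changes.
from datetime import datetime, timezone

# Constructed sample LDIF: alice is in sync, bob and carol are not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sambaPwdLastSet: 1362350000
pwdChangedTime: 20130303223322Z

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sambaPwdLastSet: 1362350000
pwdChangedTime: 20121101080000Z

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
sambaPwdLastSet: 1362350000
"""

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, no folding or base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry[attr.lower()] = value.strip()
        entries.append(entry)
    return entries

def half_changed(entries, tolerance=300):
    """Return (uid, reason) where the LDAP password lags the Samba hash."""
    findings = []
    for e in entries:
        if "sambapwdlastset" not in e:
            continue  # not a Samba account
        samba_ts = int(e["sambapwdlastset"])  # seconds since the epoch
        raw = e.get("pwdchangedtime")         # GeneralizedTime, UTC
        if raw is None:
            findings.append((e["uid"], "no LDAP password change recorded"))
            continue
        changed = datetime.strptime(raw[:14], "%Y%m%d%H%M%S")
        lag = samba_ts - int(changed.replace(tzinfo=timezone.utc).timestamp())
        if lag > tolerance:
            findings.append((e["uid"], f"LDAP password is {lag}s behind"))
    return findings
```

Feed it the output of an LDAP export that includes the operational attribute pwdChangedTime; an empty result means every Samba account's LDAP password is at least as recent as its NT hash, within the tolerance.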