[Bug 885758] Re: 'ldap passwd sync = yes' and ldap password not updated

Debra Virden teddydlv at yahoo.com
Sun Mar 3 22:49:35 UTC 2013


** Description changed:

- After upgrading a server (with ubuntu server) to lucid from previous LTS (hardy?), users start complain that, after changing passwords, windows works but other services (imap, ssh, ...) not.
- After some hours of test, i've discovered that simply the NT/LM password got updated, the 'POSIX' ldap one not.
+ After upgrading a server (with ubuntu server) to lucid from previous LTS (hardy?), users start complaining that, after changing passwords, windows works but other services (imap, ssh, ...) don't.
+ After some hours of testing, I've discovered that simply the NT/LM password got updated, the 'POSIX' ldap one did not.
  Running 'smbpasswd -D 5 gaio' lead to:
-  smbldap_check_root_dse: Expected one rootDSE, got 0
+  smbldap_check_root_dse: Expected one rootDSE, got 0
  some other googling take me to the needs to add another ACL, so i've added:
-  access to attrs=namingcontexts
-    by * read
+  access to attrs=namingcontexts
+    by * read
  and now works.
  
  Some notes:
- 1) i don't know if this is the correct/best ACL to add, and if this is a bug 'per se' or a side effects of the upgrade: i've no other lucid system to test with...
- 2) this is probably a 'openldap upgrade bug'
- 3) this is mainly a samba bug, i think: if i set 'ldap passwd sync = yes' and ldap password fail, i this it is better to reject the entire password changing operation, not to have ''half-changed'' password.
+ 1) I don't know if this is the correct/best ACL to add, and if this is a bug 'per se' or a side effects of the upgrade: I have no other lucid system to test with...
+ 2) This is probably a 'openldap upgrade bug'.
+ 3) This is mainly a samba bug, I think: if I set 'ldap passwd sync = yes' and ldap password fails. If it is better to reject the entire password changing operation, to not have a ''half-changed'' password.
  
- I've marked also the ''security bug'' check because i think that this is
- a security issue: sysadmin could set a dumb password for a first logon,
+ I've marked also the ''security bug'' check because I think that this is
+ a security issue: sysadmin could set a dumb password for a first login,
  then users change immediately but the dumb password remains for all non-
  windows services.
  
  thanks.
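
Review bot: In note 3 the reworded line changes the meaning of the report: "and ldap password fails. If it is better to reject the entire password changing operation, ..." splits the sentence and turns the reporter's recommendation into a dangling conditional. The removed line said that when 'ldap passwd sync = yes' is set and the LDAP password update fails, the reporter thinks the whole password change should be rejected. Suggest keeping it as one sentence, for example "if I set 'ldap passwd sync = yes' and the ldap password update fails, I think it is better to reject the entire password changing operation, so as not to have a ''half-changed'' password." The smbldap_check_root_dse and ACL line pairs differ only in whitespace and need no further attention.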

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/885758
