Bug 430105 - smbldap-passwd fails on samba-only user
smbldap-passwd fails on samba-only user
Product: Fedora
Classification: Fedora
Component: smbldap-tools (Show other bugs)
All Linux
low Severity high
: ---
: ---
Assigned To: Paul Howarth
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-01-24 10:28 EST by John Holmstadt
Modified: 2008-07-30 18:26 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.9.5-2.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-30 18:26:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for smbldap-passwd on smbldap-tools-0.9.4-1.fc8 (450 bytes, patch)
2008-05-21 12:28 EDT, John Holmstadt
no flags Details | Diff

  None (edit)
Description John Holmstadt 2008-01-24 10:28:44 EST
Upon upgrading from smbldap-tools-0.9.2-3.fc5 to smbldap-tools-0.9.4-1.fc8, I
noticed I could no longer change user passwords. smbldap-passwd would fail with
this error:

[root@myserver ~]# smbldap-passwd jdoe
Changing UNIX and samba passwords for jdoe
New password:
Retype new password:
Use of uninitialized value in string at /usr/sbin/smbldap-passwd line 277,
<STDIN> line 2.
Failed to modify UNIX password: shadowMax: value #0 invalid per syntax at
/usr/sbin/smbldap-passwd line 285, <STDIN> line 2.
[root@myserver ~]#

The problem seems to stem from 2 things:
1) I have no defaultMaxPasswordAge set in smbldap.conf. However, this has never
been a problem in the past, and isn't stated as being a required setting. If
possible, I'd like to keep maximum password ages diabled.
2) smbldap-passwd is trying to change attributes to the users account which
don't exist. If I'm reading the code correctly, it's attempting to set 3
attributes which don't apply to the samba schema: userPassword,
shadowLastChange, and shadowMax. They only apply to the nis schema, which we do
not use.

I apologize if I'm misconfiguring something, however as I stated, this worked
fine in 0.9.2.
Comment 1 John Holmstadt 2008-01-24 13:57:25 EST
Correction: userPassword is in the samba schema, however shadowLastChange and
shadowMax are not.

Additionally, here is the LDIF export of the applicable jdoe user account that
was created using: smbldap-useradd -a -m -c "John Doe" -P jdoe

dn: uid=jdoe,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: jdoe
sn: jdoe
givenName: jdoe
uid: jdoe
uidNumber: 8199
gidNumber: 513
homeDirectory: /var/resource/users/jdoe
loginShell: /bin/bash
gecos: John Doe
userPassword: {crypt}x
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: jdoe
sambaSID: S-1-5-21-2828578859-3132521847-1089271054-17398
sambaPrimaryGroupSID: S-1-5-21-2828578859-3132521847-1089271054-513
sambaLogonScript: jdoe.bat
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaPwdMustChange: 1516489003
sambaLMPassword: (crypt)
sambaNTPassword: (crypt)
sambaPwdLastSet: 1201187794
Comment 2 John Holmstadt 2008-05-21 12:28:40 EDT
Created attachment 306274 [details]
Patch for smbldap-passwd on smbldap-tools-0.9.4-1.fc8

Ok. Seems as though the problem revolves around smbldap-passwd trying to set
shadowMax when no defaultMaxPasswordAge has been set in smbldap.conf. I have
attached a simple patch which seems to resolve the issue without any
Comment 3 Paul Howarth 2008-05-22 07:11:49 EDT
Quick query here: if you're not using the nis schema, how are you getting an
"objectClass: shadowAccount" in Comment #1?

Comment 4 John Holmstadt 2008-05-22 09:20:25 EDT
(In reply to comment #3)
> Quick query here: if you're not using the nis schema, how are you getting an
> "objectClass: shadowAccount" in Comment #1?

Sorry. That was incorrect. Somehow I missed the nis.schema include line in my
slapd.conf, which obviously has shadowMax. So my bug subject is inaccurate,
however the problem is still relevant. The new description should probably be
"smbldap-passwd tries to set shadowMax even though defaultMaxPasswordAge is not

Does my patch make sense?
Comment 5 Paul Howarth 2008-05-23 11:55:58 EDT
An almost identical patch has already been applied upstream in version 0.9.5.

See: https://gna.org/bugs/?10230

I've put together some packages for various Fedora releases at:

The packages there are basically the same as the one I've just built for
Rawhide. If they seem OK, I'll push them as updates for F8 and F-9.
Comment 6 Fedora Update System 2008-07-08 07:20:14 EDT
smbldap-tools-0.9.5-2.fc8 has been submitted as an update for Fedora 8
Comment 7 Fedora Update System 2008-07-08 22:47:54 EDT
smbldap-tools-0.9.5-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update smbldap-tools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6199
Comment 8 Paul Howarth 2008-07-30 18:26:54 EDT
This update is now in the main Fedora 8 updates repository.

Note You need to log in before you can comment on or make changes to this bug.