Support for Windows/Samba clients in Lenny
This mail is about current status of Windows client support in our
Some weeks ago Ronny Aasen reported that his Windows clients started to
complain that the user accounts are expired at login and users are
unable to change passwords, after upgrading to Lenny.
As I do not have a current Windows VM on my notebook I was not yet able to
verify this myself. But it did not take long until we found that the
Samba people had updated the schema description between the Samba
versions in Etch and Lenny. A fast check with a plain Debian Samba-LDAP
setup of mine, where Samba added the attributes to the accounts itself,
showed that several new attributes were added to the LDAP tree (see
As the Windows clients in my setup do not complain, we updated the
schema file in debian-edu-config to the same version (which is the one
in the samba-doc package). We also modified the slapd config to allow
Samba to access the added attributes.
The (hopefully) last step now is to update old LDAP trees and to create
new accounts with the new attributes. For the first part I hacked a
little Perl script that goes through the tree and adds the new
attributes with the (default) values listed on
http://wiki.debian.org/DebianEdu/Status/Lenny/SambaLDAP. This script is
still in development but already does the right thing. Before going and
polishing the script I would like to know if the modifications done by the
script are sufficient to make Windows stop complaining.
For the brave already running Lenny and suffering from this problem the
following steps may fix the problems (please report your results in
- Update (if not yet up to date) debian-edu-config to the version in
- Download the hacked script from http://www.ping.de/~dh/update-ldap
- Make a backup (better safe than sorry) with:
    slapcat > meingutesbackup
and keep the "meingutesbackup" file safe and secure as it contains
(hashed) user passwords.
- Run update-ldap. It will ask for the password of the rootdn which
normally is the root password chosen during install.
The update-ldap script should print some (ok many) lines about updated
After the script is done users should be able to log in to Windows
boxes without complaints by Windows.
For the second part (the one about new user accounts) we would have to
modify LWAT to create the new attributes. I would like some feedback
about the updated user accounts first, before having a deeper look at
LWAT and sending a patch upstream.
Hope someone is brave enough to test (remember to backup: then it is
only half as scary), ...
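
An added example, not part of the original mail and not the update-ldap script: a check over slapcat output (taken before or after the update) that lists sambaSamAccount entries still lacking required attributes. The names in REQUIRED and the sample LDIF are constructed placeholders; the real attribute list is the one on the wiki page referenced above.

```python
# Assumption: placeholder attribute names; replace with the list from the
# wiki page referenced in the mail.
REQUIRED = ("sambaPwdLastSet", "sambaAcctFlags")

# Constructed sample in slapcat (LDIF) format; bob's dn is folded on purpose.
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [U]
sambaPwdLastSet: 1230000000

dn: uid=bob,ou=People,
 dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [U]

dn: cn=teachers,ou=Group,dc=example,dc=org
objectClass: posixGroup
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) for each LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))

def missing_attributes(text, required=REQUIRED):
    """Return {dn: [missing attrs]} for sambaSamAccount entries only."""
    report = {}
    for dn, entry in parse_ldif(text):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        missing = [a for a in required if a.lower() not in entry]
        if "sambasamaccount" in classes and missing:
            report[dn] = missing
    return report

if __name__ == "__main__":
    for dn, attrs in missing_attributes(SAMPLE).items():
        print(dn, "is missing", ", ".join(attrs))
```

Run it against the backup file by passing its contents to missing_attributes(); the script only reads the dump and never prints password hashes.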