
changing passwords on an ldap client machine with passwd?



I have set up a Debian sarge ldap+samba server and for the most part it is 
working well.  All the Windows clients work fine (so far); the problem only 
arises when users logged into Linux machines try to change their password.

All users can login to the client with username/passwords stored on the ldap 
master.  When logged into the master and changing passwords with passwd,  it 
works fine.

When I try (as root) to change the password for  any user accounts that are in 
the ldap db from a client,  I keep getting 

passwd: Authentication service cannot retrieve authentication info.

I'm thinking it's a pam issue but I'm not too sure.  I have installed the 
libnss and pam_ldap libraries,  and thought I configured pam correctly (ldap 
users can login).

Here is my libnss-ldap.conf, which is symlinked to pam_ldap.conf as well 
(domain/ip info x'd out), and also some log snippets from when it works and when it 
doesn't.

Thanks
Ryan


######################### /etc/libnss-ldap.conf ########################

base ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://ldap.xxx.xx.xx.xx/
ldap_version 3

binddn cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx
bindpw ldap

rootbinddn cn=root,dc=xxx,dc=xx,dc=xx,dc=xx

nss_base_passwd ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx
nss_base_group  ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
nss_base_shadow ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx

TLS_CACERT /etc/ldap/certs/cacert.pem
ssl start_tls
#ssl no
#######################################################################

scope sub
pam_password md5
pam_filter objectclass=posixAccount
# search all entries where the object class equals posixAccount
pam_login_attribute uid
# the username is stored in the attribute uid

Here is an example of changing the password locally on the master

ldap:/var/log# id ryan.braun
uid=1009(ryan.braun) gid=513(Domain Users) groups=513(Domain Users)
ldap:/var/log# su ryan.braun
I have no name!@ldap:/var/log$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for ryan.braun
passwd: password updated successfully

slapd.log

Jul 26 18:14:16 ldap slapd[3856]: conn=38 fd=21 ACCEPT from IP=192.xx.xxx.xx:33360 (IP=0.0.0.0:389)
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 RESULT tag=97 err=0 text=
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND anonymous mech=implicit ssf=0
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 RESULT tag=97 err=0 text=
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND anonymous mech=implicit ssf=0
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 RESULT tag=97 err=0 text=
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD attr=userPassword
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 RESULT tag=103 err=0 text=
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 MOD dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 MOD attr=shadowLastChange
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 RESULT tag=103 err=0 text=
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=7 UNBIND
Jul 26 18:14:22 ldap slapd[3859]: conn=38 fd=21 closed
Jul 26 18:14:22 ldap slapd[3856]: conn=37 fd=20 closed
Jul 26 18:14:31 ldap slapd[3858]: conn=36 op=3 UNBIND
Jul 26 18:14:31 ldap slapd[3858]: conn=36 fd=18 closed
Jul 26 18:14:31 ldap slapd[3856]: conn=35 fd=13 closed


And when it fails:

ldapclient:~# passwd ryan.braun
passwd: Authentication service cannot retrieve authentication info.

and slapd.log

Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 ACCEPT from IP=192.xx.xxx.xx:34213 (IP=0.0.0.0:389)
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 RESULT tag=97 err=0 text=
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 closed
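The two slapd excerpts in the post differ in a way that is easy to miss when reading them by hand: in the working run (conn=38) pam_ldap binds as the rootbinddn cn=root, then as the user's own DN, and then issues MOD operations on userPassword and shadowLastChange; in the failing run (conn=33) the only bind is the libnss-ldap binddn cn=nss, the three searches carry the attribute lists of the NSS passwd and shadow maps, and no MOD ever arrives. Both runs also show mech=SIMPLE ssf=0 on every bind, meaning no TLS security layer was in place when those simple binds (and the bind passwords in them) crossed the wire, even though the posted config has `ssl start_tls`. The script below is an added example, not part of Ryan's post or of the pam_ldap/libnss-ldap packages: it parses the post's own log lines (re-joined onto single lines and abridged to the BIND/SRCH/MOD entries) and summarises, per connection, who bound, whether userPassword was modified, and which simple binds happened without TLS. The regexes assume the OpenLDAP stats log format shown in the post, and `user_bound` assumes user DNs start with `uid=`; both are assumptions for this example.

```python
import re
from collections import defaultdict

# Sample input: slapd log lines copied from the post above, with the
# line-wrapped entries re-joined and abridged to BIND/SRCH/MOD lines.
# The xx'd-out DNs are kept exactly as posted.
WORKING_RUN = """\
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND anonymous mech=implicit ssf=0
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD attr=userPassword
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 MOD attr=shadowLastChange
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=7 UNBIND
"""

FAILING_RUN = """\
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 closed
"""

# Assumed OpenLDAP "stats" log layout: "conn=N [fd=N] [op=N] <operation ...>".
LINE_RE = re.compile(r"conn=(?P<conn>\d+)(?: fd=\d+)?(?: op=(?P<op>\d+))? (?P<rest>.*)$")
# Only the second BIND line of an op carries mech= and ssf=; the "anonymous
# mech=implicit" line that precedes a rebind has no dn= and is ignored.
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
SRCH_RE = re.compile(r'SRCH .*filter="(?P<filter>[^"]*)"')
MOD_RE = re.compile(r"MOD attr=(?P<attr>\w+)")


def summarize(log_text):
    """Group log lines by connection and record binds, search filters and MODs."""
    conns = defaultdict(lambda: {"binds": [], "searches": [], "mods": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns[int(m.group("conn"))]
        rest = m.group("rest")
        b = BIND_RE.search(rest)
        if b:
            conn["binds"].append((b.group("dn"), b.group("mech"), int(b.group("ssf"))))
            continue
        s = SRCH_RE.search(rest)
        if s:
            conn["searches"].append(s.group("filter"))
            continue
        d = MOD_RE.search(rest)
        if d:
            conn["mods"].append(d.group("attr"))
    return dict(conns)


def classify(summary, user_rdn_attr="uid"):
    """Per connection: who bound, whether userPassword changed, and which
    simple binds ran with ssf=0 (no TLS layer, so the password went in clear)."""
    report = {}
    for conn, info in summary.items():
        dns = [dn for dn, _, _ in info["binds"]]
        report[conn] = {
            "bound_as": dns,
            "user_bound": any(dn.startswith(user_rdn_attr + "=") for dn in dns),
            "password_modified": "userPassword" in info["mods"],
            "searches": len(info["searches"]),
            "simple_bind_without_tls": [dn for dn, mech, ssf in info["binds"]
                                        if mech == "SIMPLE" and ssf == 0],
        }
    return report


def explain(entry):
    """One-line verdict for a connection's report entry."""
    who = ", ".join(entry["bound_as"]) or "nobody"
    if entry["password_modified"]:
        return "userPassword modified; binds on this connection: " + who
    return ("no userPassword MOD; only %s bound and %d lookup search(es) ran"
            % (who, entry["searches"]))


if __name__ == "__main__":
    for label, text in (("working", WORKING_RUN), ("failing", FAILING_RUN)):
        for conn, entry in classify(summarize(text)).items():
            print("%s conn=%d: %s" % (label, conn, explain(entry)))
            if entry["simple_bind_without_tls"]:
                print("  simple binds with ssf=0:", entry["simple_bind_without_tls"])
```

Run against the post's two excerpts this prints that conn=38 bound as cn=root, then uid=ryan.braun, then cn=root again before modifying userPassword, while conn=33 bound only as cn=nss and ran three lookup searches; it also lists every bind as having ssf=0.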



