
Ticket #3314 (closed defect: fixed)

Opened 20 months ago

Last modified 16 months ago

Can't change expired password through usercorner

Reported by: peter.smallegange@…
Owned by: jamor@…
Milestone: 2.0.X
Component: usercorner
Severity: normal
Keywords:
Cc:

Description

I've enabled password expiry and my users have to change their password every 90 days. The users who log on through Windows clients can change their passwords without a problem.

However there are also a few users that use Linux and Mac clients and they can't connect to the samba shares any more due to their expired password. When they change their password in the "User corner" the samba log still says that the password is expired. Even when I as administrator change the password for the user in the Zentyal control panel it won't work and keeps saying that the password is expired.

Is this a bug?

With pdbedit -a -u username I as root can change the password but my users can't.

Attachments

ebox.log.tar.gz (7.5 KB) - added by peter.smallegange@… 19 months ago.
/var/log/ebox/ebox.log

ebox.log (2.7 KB) - added by peter.smallegange@… 19 months ago.
/var/log/ebox-usercorner/ebox.log

SambaLdapUser.pm (32.3 KB) - added by jamor@… 16 months ago.
version for 2.0 series

Change History

comment:1 Changed 19 months ago by cperez@…

  • Status changed from new to assigned

Hi Peter,

Can you attach log files for zentyal itself and usercorner?

/var/log/zentyal/zentyal.log
/var/log/zentyal-usercorner/zentyal.log

Thank you for your report

Changed 19 months ago by peter.smallegange@…

/var/log/ebox/ebox.log

Changed 19 months ago by peter.smallegange@…

/var/log/ebox-usercorner/ebox.log

comment:2 Changed 19 months ago by peter.smallegange@…

Hello cperez,

Thank you for your reply, I've attached the two files but I doubt if there will be any useful info in the /var/log/ebox/ebox.log file.

In the /var/log/ebox-usercorner/ebox.log I see these messages:

ERROR> Ldap.pm:1141 EBox::Ldap::safeBind - Couldn't bind to LDAP server, result code: 49
WARN> Auth.pm:198 EBox::UserCorner::Auth::authen_cred - Failed login from:
WARN> Auth.pm:198 EBox::UserCorner::Auth::authen_cred - Failed login from:

In the samba log file of the user that can't change his password I see of course these lines:

sam_account_ok: Account for user 'USER' password expired! user-pc: sam_account_ok: Password expired at 'Wed, 21 Sep 2011 15:50:21 CEST' (1316613021) unix time

Looks to me that the usercorner can't communicate properly with LDAP.

comment:3 Changed 17 months ago by jacalvo@…

  • Status changed from assigned to accepted
  • Milestone changed from 2.0.X to 3.0

comment:4 Changed 16 months ago by cperez@…

  • Owner changed from cperez@… to jamor@…

comment:5 follow-up: ↓ 6 Changed 16 months ago by jamor@…

  • Status changed from accepted to closed
  • Resolution set to fixed

Hello,

this is fixed in [6ba225276c8975]

However, hotfixing your production server is a bit tricky; you could follow these instructions:

1) Download the new SambaLdapUser.pm file from http://git.zentyal.org/zentyal.git/blob/6ba225276c89755a0c14d6c9b12b40a01a3a4349:/main/samba/src/EBox/SambaLdapUser.pm

2) Use it to replace /usr/share/perl5/EBox/SambaLdapUser.pm

3) You must execute the following session in the zentyal-shell to set the correct LDAP acls:

root@z22:/var/log# /usr/share/zentyal/shell 
zentyal> instance samba
$samba
zentyal> $samba->performLDAPActions()

(Ctrl-d exits the shell)

4) Execute the following two commands to get rid of cache code:

 sudo /etc/init.d/zentyal apache restart
 sudo /etc/init.d/zentyal usercorner restart

Regards,

Javier

comment:6 in reply to: ↑ 5 Changed 16 months ago by peter.smallegange@…

  • Status changed from closed to reopened
  • Resolution fixed deleted
  • Severity changed from major to normal

Javier,

Thank you for your reply.

But I can't find where I can access the zentyal shell, there is no /usr/share/zentyal directory on my server. I'm still running version 2.1 of zentyal.

comment:7 follow-up: ↓ 8 Changed 16 months ago by jamor@…

  • Status changed from reopened to closed
  • Resolution set to fixed
  • Milestone changed from 3.0 to 2.0.X

Sorry, the fix was done for 2.2, the milestone was not set correctly in the ticket.

However, I think it will also work in 2.1. Instead of using the zentyal/shell you should grant yourself a root shell (execute 'sudo -s' for that) and execute the following command:

perl -MEBox -MEBox::Global -e'EBox::init(); my $samba = EBox::Global->modInstance('samba'); $samba->performLDAPActions(); 1'

Regards,

Javier

comment:8 in reply to: ↑ 7 Changed 16 months ago by peter.smallegange@…

Javier,

Thank you for your answer.

I've tried the command you suggested but I get the following error:

Can't load LDIF file: /usr/share/zentyal-samba/samba.ldifroot

There's no samba.ldifroot file present on my system:

ls -al /usr/share/zentyal-samba/samba.ldifroot
ls: cannot access /usr/share/zentyal-samba/samba.ldifroot: No such file or directory

Regards,

Peter

Changed 16 months ago by jamor@…

version for 2.0 series

comment:9 follow-up: ↓ 10 Changed 16 months ago by jamor@…

Hello Peter,

I have attached to the ticket another version which I think will work in your case. Replace /usr/share/perl5/EBox/SambaLdapUser.pm with it and try again.

comment:10 in reply to: ↑ 9 Changed 16 months ago by peter.smallegange@…

  • Status changed from closed to reopened
  • Resolution fixed deleted

Javier,

Thanks again.

I've tried the new file you've attached but when executing the perl command I get the following error:

root@zentyal:/tmp# perl -MEBox -MEBox::Global -e'EBox::init(); my $samba = EBox::Global->modInstance('samba'); $samba->performLDAPActions(); 1'
Error loading class: EBox::Samba error: Unrecognized character \xE2 in column 18 at /usr/share/perl5/EBox/SambaLdapUser.pm line 11, <DATA> line 466.
Compilation failed in require at /usr/share/perl5/EBox/Samba.pm line 28, <DATA> line 466.
BEGIN failed--compilation aborted at /usr/share/perl5/EBox/Samba.pm line 28, <DATA> line 466.
Compilation failed in require at (eval 66) line 2, <DATA> line 466.
BEGIN failed--compilation aborted at (eval 66) line 2, <DATA> line 466.

I'm very sorry........

comment:11 Changed 16 months ago by jamor@…

Hello,

this message says that the contents of the file SambaLdap.pm are corrupt. I have downloaded it and it passes correctly through the perl compiler, so try to download it again.

If you continue having trouble you can revert to your old version and copy the methods 'acls' and '_modifyUser' from the newer version. The fix is localized in these two methods.

comment:12 Changed 16 months ago by peter.smallegange@…

Javier,

I've seen that the file was corrupted, this happened during the download of the file with wget. I pasted the code in the file now and still get an error, a different one but still an error:

root@zentyal:/tmp# perl -MEBox -MEBox::Global -e'EBox::init(); my $samba = EBox::Global->modInstance('samba'); $samba->performLDAPActions(); 1'
Error loading class: EBox::Samba error: Bad name after samba' at /usr/share/perl5/EBox/SambaLdapUser.pm line 354, <DATA> line 466.
Compilation failed in require at /usr/share/perl5/EBox/Samba.pm line 28, <DATA> line 466.
BEGIN failed--compilation aborted at /usr/share/perl5/EBox/Samba.pm line 28, <DATA> line 466.
Compilation failed in require at (eval 66) line 2, <DATA> line 466.
BEGIN failed--compilation aborted at (eval 66) line 2, <DATA> line 466

comment:13 Changed 16 months ago by jamor@…

Hello,

this is a syntax error from when you pasted the code.

To check the syntax you could use 'perl -c', so in this case it would be 'perl -c /usr/share/perl5/EBox/SambaLdapUser.pm'

Or maybe it would be easier to download the file again, its md5sum is:

f7a90389708d5f4ba591c30b47b3d50d /tmp/SambaLdapUser.pm
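
Added example, not part of the ticket or of Zentyal's code: the checks from comments 11 to 13 (md5sum comparison, then `perl -c`) applied before the downloaded file replaces the installed module, with a rollback if it does not compile. The function names, return codes and the HTML-page check are assumptions of this sketch; the md5sum catches a corrupted download, not deliberate tampering.

```shell
#!/bin/sh
# Added example: vet a downloaded SambaLdapUser.pm before installing it.
# Function names and return codes are hypothetical, chosen for this sketch.

# check_hotfix FILE EXPECTED_MD5
#   0 = checksum matches, 1 = missing or empty file,
#   2 = HTML page saved instead of Perl source, 3 = checksum mismatch
check_hotfix() {
    file=$1
    expected=$2
    [ -s "$file" ] || return 1
    # Assumption: a web page saved in place of the raw file is one way a
    # wget download of a repository "blob" URL can go wrong.
    if head -n 5 "$file" | grep -qiE '<!DOCTYPE|<html'; then
        return 2
    fi
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || return 3
    return 0
}

# install_hotfix SRC DEST EXPECTED_MD5
#   Verifies SRC, keeps the current DEST as DEST.orig, copies SRC over it,
#   then runs 'perl -c' on the installed file and restores DEST.orig if
#   the new file does not compile (4 = copy failed, 5 = rolled back).
install_hotfix() {
    src=$1
    dest=$2
    expected=$3
    check_hotfix "$src" "$expected" || return $?
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.orig" || return 4
    fi
    cp "$src" "$dest" || return 4
    if ! perl -c "$dest" >/dev/null 2>&1; then
        if [ -f "$dest.orig" ]; then
            cp -p "$dest.orig" "$dest"
        fi
        return 5
    fi
    return 0
}

# Usage on the server (as root), with the md5sum quoted in the ticket:
#   install_hotfix /tmp/SambaLdapUser.pm \
#       /usr/share/perl5/EBox/SambaLdapUser.pm f7a90389708d5f4ba591c30b47b3d50d
```
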

comment:14 Changed 16 months ago by peter.smallegange@…

  • Status changed from reopened to closed
  • Resolution set to fixed

Javier,

Thank you very much.

I feel such a noob, I constantly downloaded the file the wrong way. The md5sum is right now.

so:

$ sudo -s
# cp SambaLdapUser.pm /usr/share/perl5/EBox/SambaLdapUser.pm 
# perl -MEBox -MEBox::Global -e'EBox::init(); my $samba = EBox::Global->modInstance('samba'); $samba->performLDAPActions(); 1'

Now it works, I only have to test if a user can change his expired password through the usercorner.

Best regards,

Peter

comment:15 Changed 16 months ago by peter.smallegange@…

Javier,

Just to let you know. I've tested it and the problem is solved now.

Regards,

Peter

comment:16 Changed 16 months ago by jamor@…

I am glad that is all solved now.

Regards,

Javier

comment:17 Changed 16 months ago by scott.f@…

Peter,

Are you using LDAP master/slave for authentication? For master, are you using Zentyal or Win AD?

Thanks, Scott

comment:18 Changed 16 months ago by peter.smallegange@…

Scott,

I'm using Zentyal as a master LDAP server. It's currently the only Zentyal server in our network.

Regards,

Peter

comment:19 Changed 16 months ago by scott.f@…

Ok. I am having the same issue but we have a master Zentyal LDAP and slave LDAP's at each of 30 sites. Thanks for the quick reply though!

Scott
