[Samba3 + OpenLDAP2] Can't change password

  • 118 views since 30-01-2008

  • Tomaat
  • Registered: November 2001
  • Last online: 19-02 14:23
I'm (still) working on a Samba 3 server combined with an OpenLDAP server for storing users and the like.

I've now got to the point where I can put users into the LDAP DB, but that isn't entirely working yet.
code:
spinb03-vpc3:/etc/ldap# smbpasswd -a pieter
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user pieter: Internal (implementation specific) error
        entry modify failed
ldapsam_update_sam_account: failed to modify user with uid = pieter, error: entry modify failed (Success)
Failed to modify entry for user pieter.
Failed to modify password entry for user pieter

The user does then appear in the users OU, and has a value in the password fields.

syslog reports the following
code:
Jun 13 17:10:04 spinb03-vpc3 slapd[1957]: conn=0 op=2 SRCH base="dc=bakmeel" scope=2 filter="(&(uid=pieter)(objectClass=sambaSamAccount))" 
Jun 13 17:10:04 spinb03-vpc3 slapd[1957]: conn=0 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime 
Jun 13 17:10:04 spinb03-vpc3 slapd[1957]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 MOD dn="uid=pieter,ou=users,dc=bakmeel" 
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet 
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 RESULT tag=103 err=0 text= 
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 RESULT tag=103 err=0 text= 
Jun 13 17:10:05 spinb03-vpc3 slapd[1957]: Entry (uid=pieter,ou=users,dc=bakmeel), attribute 'userPassword' not allowed 
Jun 13 17:10:05 spinb03-vpc3 slapd[1957]: entry failed schema check: attribute 'userPassword' not allowed 
Jun 13 17:10:05 spinb03-vpc3 slapd[1954]: conn=0 fd=13 closed

From this I conclude that the newly created user has no rights to change their own password. But that's odd, because in slapd.conf I have
code:
access  to *                                                                    
        by *            write
set, which means everyone is allowed to do anything (or am I seeing that wrong :?)

smb.conf
code:
--snip--
    idmap uid = 15000-20000                                                     
    idmap gid = 15000-20000                                                     
                                                                                
    passdb backend = ldapsam:ldap://192.168.0.143                               
    ldap admin dn = "cn=admin,dc=bakmeel"                                       
    ldap suffix = dc=bakmeel                                                    
    ldap user suffix = ou=users                                                 
    ldap group suffix = ou=groups                                               
    ldap machine suffix = ou=computers                                          
    ldap idmap suffix = ou=users                                                
    ldap passwd sync = yes
--snap--
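The slapd output in the post above ends with "entry failed schema check: attribute 'userPassword' not allowed". That message comes from the schema check, not from the ACLs: userPassword is defined in core.schema, but an entry may only carry it if one of its objectClass values lists it (person, inetOrgPerson, posixAccount and simpleSecurityObject do; sambaSamAccount and account do not), and it is the `ldap passwd sync = yes` setting that makes Samba write userPassword in addition to the sambaLMPassword/sambaNTPassword hashes. The script below is an added example, not code from the thread or from Samba/OpenLDAP: it groups slapd `loglevel 256` lines by conn/op, reports operations that failed or tripped the schema check, and then checks whether the entry's objectClass set permits the rejected attribute. The log sample is constructed from the excerpt above, and the objectClass table is a hand-written subset of the schemas included in the slapd.conf, not read from a server.

```python
"""Triage helper for slapd 'stats' (loglevel 256) output and a schema-check
failure. Added example; the objectClass table is a hand-written subset of
core/cosine/nis/samba .schema covering the userPassword attribute only."""
import re

# Constructed sample, modelled on the syslog excerpt in the first post.
SAMPLE_LOG = """\
Jun 13 17:10:04 spinb03-vpc3 slapd[1957]: conn=0 op=2 SRCH base="dc=bakmeel" scope=2 filter="(&(uid=pieter)(objectClass=sambaSamAccount))"
Jun 13 17:10:04 spinb03-vpc3 slapd[1957]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 MOD dn="uid=pieter,ou=users,dc=bakmeel"
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 MOD attr=sambaPwdCanChange sambaLMPassword sambaNTPassword sambaPwdLastSet
Jun 13 17:10:04 spinb03-vpc3 slapd[1956]: conn=0 op=3 RESULT tag=103 err=0 text=
Jun 13 17:10:05 spinb03-vpc3 slapd[1957]: Entry (uid=pieter,ou=users,dc=bakmeel), attribute 'userPassword' not allowed
Jun 13 17:10:05 spinb03-vpc3 slapd[1957]: entry failed schema check: attribute 'userPassword' not allowed
Jun 13 17:10:05 spinb03-vpc3 slapd[1954]: conn=0 fd=13 closed
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(.*)")
ERR_RE = re.compile(r"err=(\d+)")
SCHEMA_RE = re.compile(r"Entry \((.+?)\), attribute '(\w+)' not allowed")


def parse_slapd_log(text):
    """Return (ops, schema_failures).

    ops: {(conn, op): {"type": str, "dn": str|None, "err": int|None}}
    schema_failures: [(entry_dn, attribute)] for schema-check rejections.
    """
    ops, schema_failures = {}, []
    for line in text.splitlines():
        m = SCHEMA_RE.search(line)
        if m:
            schema_failures.append((m.group(1), m.group(2)))
            continue
        m = OP_RE.search(line)
        if not m:
            continue  # connection-level lines such as 'fd=13 closed'
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        rec = ops.setdefault(key, {"type": None, "dn": None, "err": None})
        if kind in ("BIND", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "EXT"):
            rec["type"] = rec["type"] or kind
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn:
                rec["dn"] = dn.group(1)
        elif kind in ("RESULT", "SEARCH"):  # 'SEARCH RESULT ...' and 'RESULT ...'
            e = ERR_RE.search(rest)
            if e:
                rec["err"] = int(e.group(1))
    return ops, schema_failures


# Object classes whose MUST/MAY lists include userPassword (hand-written
# subset of the schemas included in the slapd.conf; inheritance flattened).
USERPASSWORD_CLASSES = {
    "person", "organizationalperson", "inetorgperson",  # core / inetorgperson
    "posixaccount",                                     # nis.schema
    "simplesecurityobject",                             # core.schema
}


def userpassword_allowed(object_classes):
    """True if at least one objectClass on the entry permits userPassword."""
    return any(oc.lower() in USERPASSWORD_CLASSES for oc in object_classes)


def triage(log_text, entry_object_classes):
    """Findings for the log plus the objectClass values of the failing entry."""
    ops, failures = parse_slapd_log(log_text)
    findings = []
    for (conn, op), rec in sorted(ops.items()):
        if rec["err"] not in (0, None):
            findings.append(f"conn={conn} op={op} {rec['type']} failed with err={rec['err']}")
    for dn, attr in failures:
        findings.append(f"schema check rejected '{attr}' on {dn}")
        if attr.lower() == "userpassword" and not userpassword_allowed(entry_object_classes):
            findings.append("none of the entry's objectClass values ("
                            + ", ".join(entry_object_classes) + ") permit userPassword")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ["top", "account", "sambaSamAccount"]):
        print(f)
```

The objectClass list passed to `triage` is whatever `ldapsearch -b "uid=pieter,ou=users,dc=bakmeel" objectClass` returns for the entry; the modify of the samba hashes (op=3) succeeds with err=0, and only the later userPassword write is rejected, which is exactly the pattern the helper flags.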

  • Bas!
  • Registered: April 2000
  • Last online: 30-11-2025
Is userPassword actually in your schema?
Do you also state that the account has to use the posixAccount schema, and do you actually load that in slapd?
Maybe consult a samba-ldap howto. There are a great many of them.

  • _JGC_
  • Registered: July 2000
  • Last online: 23:58
Hmm, I read LDAP, I read Samba, and then you go and use smbpasswd? :P

http://samba.idealx.org <-- download the smbldap-tools, do a bit of configuration, and then you can simply create both unix and samba users in your LDAP tree with those tools.

  • Deleted

_JGC_ wrote on 14 June 2004 @ 08:35:
Hmm, I read LDAP, I read Samba, and then you go and use smbpasswd? :P
And I read samba3, so there's nothing wrong with that. :)
http://samba.idealx.org <-- download the smbldap-tools, do a bit of configuration, and then you can simply create both unix and samba users in your LDAP tree with those tools.
Definitely recommended, yes, but that isn't really going to solve the problem ;)

Given the error message, I think there's a good chance the LDAP ACLs are in the wrong order.

  • Tomaat
  • Registered: November 2001
  • Last online: 19-02 14:23
Yes, I had heard of those Idealx scripts, and my next plan was to install them, but that's of little use as long as I can't even change user passwords 'by hand'.

It does seem to me (yes.. wrong word..) that the userPassword attribute is in the schema, since this schema (samba.schema) came with samba..

slapd.conf
code:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=bakmeel"

# The root DN
rootdn          "cn=admin,dc=bakmeel"

# The root password
rootpw          {SSHA}S5GwIpgIDnyGUDM5sLwLJax/nyytj8d4

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index cn,sn,uid,displayName     pres,sub,eq
index uidNumber,gidNumber       eq
index sambaSID                  eq
index sambaPrimaryGroupSID      eq
index sambaDomainName           eq
index objectClass               pres,eq
#index rid,primaryGroupID       eq
index default                   sub

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

#!!!!!!!!! CHANGE THIS !!!!!!!!!!
#access to dn=".*dc=bakmeel"
#       by self                 write
#       by *                    read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below

#!!!!!!!!!!!!
# These access lines apply to database #1 only
#access to attribute=userPassword
#        by dn="cn=admin,dc=bakmeel" write
#        by anonymous auth
#        by self write
#        by * none
#!!!!!!!!!!!

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.

#!!!!!!!!!!
#access to dn.base="" by * read
#!!!!!!!!!!

# The admin dn has full write access, everyone else
# can read everything.

#!!!!!!!!!!
#access to *
#        by dn="cn=admin,dc=bakmeel" write
#        by * read
#!!!!!!!!!!

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=bakmeel" write
#        by dnattr=owner write

#!!!!!!!!!!
#access to attrs=SambaLMPassword,SambaNTPassword
#       by dn="cn=admin,ou=users,dc=bakmeel" write
#       by * none
#!!!!!!!!!!

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

  • Tomaat
  • Registered: November 2001
  • Last online: 19-02 14:23
Ok, I've now installed the idealx scripts but it still isn't quite working..

My slapd.conf looks like this:
code:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=bakmeel"

# The root DN
rootdn          "cn=admin,dc=bakmeel"

# The root password
rootpw          {SSHA}S5GwIpgIDnyGUDM5sLwLJax/nyytj8d4

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq

index cn        pres,sub,eq
index sn        pres,sub,eq
# required to support pdb_getsampwnam
index uid       pres,sub,eq
# required to support pdb_getsambapwrid()
index displayName       pres,sub,eq

index sambaSID          eq
index sambaPrimaryGroupSID      eq
index sambaDomainName           eq
index default           sub

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only

access to attrs=userPassword,SambaLMPassword,SambaNTPassword
        by dn="cn=admin,dc=bakmeel" write
        by self write
        by anonymous auth
        by * none

access to attrs=uid,uidNumber,gidNumber,homeDirectory
        by * read

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
#access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=bakmeel" write
        by self write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=spindent" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

And my smb.conf like this:
code:
[global]
    netbios name = spisvr03
    server string = "Test Enviorment"
    workgroup = bakmeel
    debug level = 3
    log file = /var/log/samba/%m.log
    max log size = 1024
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    name resolve order = lmhosts host wins bcast
    os level = 255
    security = user
    bind interfaces only = yes
    interfaces = eth0

# Functions
#   preferred master = yes
    domain master = yes
    local master = yes
    domain logons = yes
    wins support = yes
    time server = yes

# Password
#    smb passwd file = /etc/samba/smbpasswd
    passdb backend = ldapsam:ldap://127.0.0.1/
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    passwd program = /usr/local/sbin/smbldap-passwd %u
    unix password sync = yes
    pam password change = yes
    encrypt passwords = true
    min passwd length = 3
    obey pam restrictions = no

# LDAP
    ldap passwd sync = yes
    mangling method = hash2
    ldap admin dn = cn=admin,dc=bakmeel
    ldap suffix = dc=bakmeel
    ldap group suffix = ou=groups
    ldap user suffix = ou=users
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=users
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    ldap delete dn = yes
    #delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

# Logon
    logon path = c:\Documents and Settings\%u.bakmeel
    logon drive = H:
    logon home = \\bakmeel\%u
    logon script = logon.bat

# Printer
    printer admin = @"Print Operators"
    printcap = cups
    printing = cups

# Other
    root = Administrator pieter
    hide files = /Thumbs.db/.DS_Store/

[netlogon]
    path = /netlogon
    comment = Netlogon
    read only = yes
    create mask = 0666
    directory mask = 0777
    write list = @administrators, root
    
[homes]
    comment = User home directories
    create mask = 0600
    directory mask = 0700
    writable = yes
    hide dot files = yes    

[data]
    comment = Data partition
    path = /data
    create mask = 0666
    directory mask = 0777
    read only = yes
    write list = @administrators, root
    guest ok = yes

If I use
code:
smbpasswd -a alok
to try to add a user 'alok', I get this message again
code:
spisvr03:/etc/samba# smbpasswd -a alok
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user alok: Internal (implementation specific) error
        entry modify failed
ldapsam_add_sam_account: failed to modify/add user with uid = alok (dn = uid=alok,ou=users,dc=bakmeel)
Failed to add entry for user alok.
Failed to modify password entry for user alok
spisvr03:/etc/samba#

If I then look in the DB, alok is simply there, including the encrypted password!
And if I then try to access a share on the server from a Windows 2000 machine as user 'alok' with the matching password.. it just works!! How is this possible :?