Hello again,
I would like to thank Giant Wang and Miquel Bonastre for their responses
to my query in "Samba Digest 1734" regarding simultaneous passwd changing for
users via Samba. Their comments were helpful, but have not solved the problem.
For those who do not have a backlog of the Digests, the problem is that
with unix password sync=yes, users are not able to change their own password.
However, if I set unix password sync=no, they can. I am running Red Hat 5.0,
using PAM encryption, and compiled Samba with ALLOW_CHANGE_PASSWORD enabled.
I am running Samba 1.9.18p8. Running passwd from the unix side of things
works fine. The error reported to the user is
>smbpasswd: machine 127.0.0.1 rejected the password change: Error was : The
>specified password is invalid.
Giant Wang's suggestion of chmod to 666 a few of the /dev/ptya? character
devices eliminated several errors found in the level 3 debug log. However,
the session still fails with (still at level 3)
>>>snip<<<<
1998/07/08 15:59:53 Transaction 1 of length 168
switch message SMBnegprot (pid 5208)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [Samba]
Selected protocol NT LANMAN 1.0
1998/07/08 15:59:53 Transaction 2 of length 110
switch message SMBsesssetupX (pid 5208)
Domain=[] NativeOS=[Unix] NativeLanMan=[Samba]
sesssetupX:name=[HOLBROOK]
adding home directory genuser at /home/genuser
genuser is in 2 groups
504 100
uid 503 registered to name genuser
Clearing default real name
1998/07/08 15:59:53 Transaction 3 of length 63
switch message SMBtconX (pid 5208)
Trying username ipc$
ACCEPTED: validated uid ok as non-guest
found free connection number 42
Connect path is /tmp
chdir to /tmp
chdir to /etc
1998/07/08 15:59:53 monte (127.0.0.1) connect to service IPC$ as user genuser (uid=503,gid=504) (pid 5208)
1998/07/08 15:59:53 tconX service=ipc$ user=genuser cnum=42
1998/07/08 15:59:53 Transaction 4 of length 637
switch message SMBtrans (pid 5208)
chdir to /tmp
trans <\PIPE\LANMAN> data=532 params=25 setup=0
named pipe command on <LANMAN> name
Got API command 214 of form <zsT> <B516B16>
(tdscnt=532,tpscnt=25,mdrcnt=0,mprcnt=2)
Doing SamOEMChangePassword
api_SamOEMChangePassword: Change password for <genuser>
Password change for user: genuser
pty: try to open ptya0, line was /dev/ptyXX
pty: opened /dev/ptya0
Dochild for user genuser (uid=0,gid=0)
response 1 incorrect
Child failed to change password: genuser
end of file from client
chdir to /etc
Closing connections
1998/07/08 15:59:58 monte (127.0.0.1) closed connection to service IPC$
>>>>>snip<<<<<
When I compare level 10 logs (i.e., with and without password sync), I see
that samba scans the passwd file, but then searches through what seems to be
every entry in the /dev directory, reporting the error
Doing SamOEMChangePassword
api_SamOEMChangePassword: Change password for <genuser>
get_smbpwd_entry: opening file /etc/smbpasswd
get_smbpwd_entry: search by name: genuser
get_smbpwd_entry: skipping comment or blank line
get_smbpwd_entry: found by name: genuser
get_smbpwd_entry: returning passwd entry for user genuser, uid 503
Password change for user: genuser
is_in_path: .
is_in_path: no name list.
is_in_path: ..
is_in_path: no name list.
is_in_path: atibm
is_in_path: no name list.
is_in_path: audio
is_in_path: no name list.
is_in_path: audio1
is_in_path: no name list.
is_in_path: aztcd
<snip>
is_in_path: ttyI61
is_in_path: no name list.
is_in_path: ttyI62
Dochild for user genuser (uid=0,gid=0)
unbecome_user now uid=(0,0) gid=(0,0)
Closing connections
1998/07/10 20:27:42 monte (127.0.0.1) closed connection to service IPC$
Yielding connection to 42 IPC$
1998/07/10 20:27:42 Server exit (normal exit)
As both Giant Wang and Miquel pointed out, smbpasswd is executed with uid
root. Both suggested eliminating the request for "old password" from
the password chat. This did not work and, if I read the documentation
correctly, is not necessary because samba automatically substitutes
a null string for the old password when executing as root to change the
password.
Below is a snippet of the global section of smb.conf:
============
smb passwd file= /etc/smbpasswd
encrypt passwords= yes
; passwd chat= "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
; "*Reenter NEW password*" %n\n "*Password Changed*"
passwd chat= *Enter*NEW*password* %n\n *Reenter*NEW*password* %n\n \
*Password*Changed*
passwd program= /usr/bin/passwd %u
unix password sync= true
passwd chat debug= yes
client code page= 437
printing = bsd
printcap name = /etc/printcap
load printers = yes
debug level=3
guest account = guest
log file = /var/log/samba-log.%m
max log size = 50
short preserve case = yes
preserve case = yes
lock directory = /var/lock/samba
locking = yes
strict locking = yes
share modes = yes
security = user
deadtime= 15
logon home="\\%L\%U"
logon drive= u:
logon script= /etc/netlogon/STARTUP.BAT
message command= csh -c 'xedit %s;rm %s' &
socket options = TCP_NODELAY
os level = 31
local master= yes
preferred master= yes
domain master= no
wins support = yes
==========
Thank you all for your help. I hope you have a good weekend.
Best wishes,
Jeff Ballin
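
Added example, not part of the original post and not Samba code: a small Python triage script that pulls each password-change attempt out of a level 3 smbd log like the one quoted above and reports the user, the pty that was opened, the uid the child ran as, and the number from the "response N incorrect" line. The sample log is constructed from lines quoted in the post; the function and field names are hypothetical.

```python
import re

# Constructed sample: level 3 smbd log lines taken from the excerpt in the post.
SAMPLE_LOG = """\
1998/07/08 15:59:53 Transaction 4 of length 637
switch message SMBtrans (pid 5208)
Doing SamOEMChangePassword
api_SamOEMChangePassword: Change password for <genuser>
Password change for user: genuser
pty: try to open ptya0, line was /dev/ptyXX
pty: opened /dev/ptya0
Dochild for user genuser (uid=0,gid=0)
response 1 incorrect
Child failed to change password: genuser
end of file from client
"""

STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
START = re.compile(r"^Password change for user: (\S+)")
PTY = re.compile(r"^pty: opened (\S+)")
CHILD = re.compile(r"^Dochild for user \S+ \(uid=(\d+),gid=(\d+)\)")
RESPONSE = re.compile(r"^response (\d+) incorrect")
FAIL = re.compile(r"^Child failed to change password: (\S+)")

def password_change_attempts(log_text):
    """Return one dict per 'Password change for user' block in an smbd log."""
    attempts, current, stamp = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := STAMP.match(line)):
            stamp = m.group(1)          # remember the latest timestamp seen
        if (m := START.match(line)):
            current = {"time": stamp, "user": m.group(1), "pty": None,
                       "child_uid": None, "failed_response": None,
                       "failed": False}
            attempts.append(current)
            continue
        if current is None:
            continue                    # not inside a password-change block yet
        if (m := PTY.match(line)):
            current["pty"] = m.group(1)
        elif (m := CHILD.match(line)):
            current["child_uid"] = int(m.group(1))
        elif (m := RESPONSE.match(line)):
            current["failed_response"] = int(m.group(1))
        elif FAIL.match(line):
            current["failed"] = True
    return attempts
```
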