Gary Dale
2006-Mar-29 22:37 UTC
[Samba] changing passwords from Windows XP Pro workstations
Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba & LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data.

Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password.

For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue.

I've attached my smb.conf (minus the shares definitions) if that helps.

Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it.

Any ideas anyone?

-------------- next part --------------
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/03/28 22:32:02

# Global parameters
[global]
    workgroup = RAHIM-DALE
    server string = %h PDC (Samba %v)
    passdb backend = tdbsam, guest
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    unix password sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    printcap name = cups
    add user script = /usr/sbin/useradd -g samba -c %u
    delete user script = /usr/sbin/userdel -r %u
    add group script = /usr/sbin/groupadd
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G %g %u
    add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
    logon script = scripts\logon.bat
    logon path = \\%L\Profiles\%U
    logon drive = M:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 35
    preferred master = Yes
    domain master = Yes
    wins support = no
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    invalid users = root
    admin users = garydale, root
    hosts allow = 192.168.2. 127.
    printing = cups
    print command =
    lpq command = %p
    lprm command =

[netlogon]
    comment = Logon Server Share
    path = /home/samba/netlogon
    read only = No

[profiles]
    path = /home/samba/profiles
    read only = No
    profile acls = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    printer admin = root, garydale
    create mask = 0600
    guest ok = Yes
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    printer admin = root, garydale
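An added example, not part of the original post and not Samba's own code: with unix password sync enabled, smbd runs the passwd program as root and drives it with the passwd chat, so this simplified Python model walks the chat from the smb.conf above over a list of prompts to see at which step it would stop. The prompt lists and the password are constructed samples to be replaced with output captured from the real program; double-quoted chat strings and chat timeouts are not modelled.

```python
import re

# passwd chat value from the smb.conf posted above
POSTED_CHAT = r"*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n ."
ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

# Constructed sample prompts; replace with what the passwd program really prints
PROMPTS_MATCHING = ["Enter new UNIX password: ", "Retype new UNIX password: "]
PROMPTS_DIFFERENT = ["New password: ", "Retype new password: "]


def parse_chat(chat, new_password):
    """Split a chat string into (expect, send) pairs and expand its macros."""
    tokens = []
    for tok in chat.split():
        for esc, char in ESCAPES.items():
            tok = tok.replace(esc, char)
        tokens.append(tok.replace("%n", new_password))
    if len(tokens) % 2:
        tokens.append(".")  # final expect with nothing to send
    return list(zip(tokens[0::2], tokens[1::2]))


def wild_match(pattern, text):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None


def run_chat(chat, prompts, new_password="constructed-Pw1"):
    """Return (ok, sent, reason) after walking the chat over the prompts."""
    sent, remaining = [], list(prompts)
    for step, (expect, send) in enumerate(parse_chat(chat, new_password), 1):
        if expect != ".":  # "." as expect: nothing is expected
            if not remaining:
                return False, sent, f"step {step}: no output for {expect!r}"
            got = remaining.pop(0)
            if not wild_match(expect, got):
                return False, sent, f"step {step}: wanted {expect!r}, got {got!r}"
        if send != ".":  # "." as send: no string is sent
            sent.append(send)
    return True, sent, "chat completed"


if __name__ == "__main__":
    for name, prompts in (("matching", PROMPTS_MATCHING), ("different", PROMPTS_DIFFERENT)):
        print(name, run_chat(POSTED_CHAT, prompts))
```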
Craig White
2006-Mar-30 01:26 UTC
[Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
> Back to square 1! I stripped out my unsuccessful attempts to get Samba
> working with LDAP on my Debian Sarge server and am back with a tdbsam
> backend. I actually tried to purge as much of the old Samba & LDAP as I
> could then reinstalled fresh. This included removing the Windows groups
> and users and even the old tdbsam data.
>
> Unfortunately, I'm back where I started - users can't change their own
> passwords using the Windows password change dialogue. Their system will
> go away for a very long time (more than 15 minutes) then silently fail
> to change the password.
>
> For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian)
> on a 2.6.8 kernel. This should mean that this is NOT the old Windows
> security patch issue.
>
> I've attached my smb.conf (minus the shares definitions) if that helps.
>
> Also, for what it's worth, the user accounts are all in Domain Users and
> users. All but mine use /bin/false as the login shell (but none of us
> can change passwords). My account is also in Domain Admins - and I can
> add machine accounts with it.
>
> Any ideas anyone?
----
I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example methodology, you will probably find a lot more people willing to help.

Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf.

The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do.

I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help.

Craig
Craig White
2006-Mar-30 16:14 UTC
[Samba] changing passwords from Windows XP Pro workstations
I'm keeping this on list.

On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote:
> Craig White wrote:
> >----
> >if I was going to guess...I think your problems are...
> >
> >http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330
> >
> >see items #3 through #7
> >
> >you don't have a passwd chat script as I recall. That's probably
> >important.
> >
> >your setup should track this setup as I see it.
> >
> >http://samba.org/samba/docs/man/Samba3-ByExample/secure.html
> >
> >since you have no interest in advancing your skills, count me out next
> >time unless you learn to ask simple questions. The simple truth is, if
> >you want know little, point and click Windows network administration,
> >you are probably better off using a Microsoft Windows server.
> >
> >My interest is in helping people that actually are interested in
> >learning something, yes gasp, those that actually do want to become
> >expert. Lastly, I would heavily suggest you forget about LDAP until your
> >attitude changes because it is hostile to administrators that don't want
> >to become knowledgeable.
> >
> >Craig
> >
> Thanks Craig. I think you'll see a problem here. You suggest that the
> issue may be a lack of a passwd chat script, while two others suggest I
> remove the passwd chat script - which is almost identical to the one in
> the second URL you just gave.
>
> The issue isn't about whether people want to learn. It's about how much
> they have to learn to get things to work. If something takes too much
> effort, in the real world it doesn't get done. There is nothing
> inherently complicated about managing a directory service. Look at the
> simple Linux tools for user or printer administration for proof. I see
> no virtue in making Samba-LDAP configuration a black art. A basic setup
> should be easy to achieve. In fact, from what I have been reading, LDAP
> should be the standard Samba backend. That won't happen if people have
> to spend a week or more learning how to use it.
----
You completely do not get it.

Samba is infinitely configurable.

Windows - at the moment of setup you have to choose the role for a server, whether a domain controller or a member server. The workstation is sold separately.
Samba provides all of those roles including a Windows 95/98 server too.

There is no way that anyone can solve your problem with any certainty without suitable logs, an inspection of your tdbsam and your /etc/passwd files AND the smb.conf, the whole of which you dumped on us last night and undoubtedly have changed many times since. Proper mail list etiquette and a commitment to demonstrating that you are actually focused on the problem would dictate that you limit those items to only the minimum necessary logs, smb.conf, etc.

Your information is incomplete and as I stated last night, I am not going to speculate any further on your problems. In fact, your reply has made me sorry that I even speculated on the solution to your problem.
As for my 'seeing' the problem - that being in your mind - different suggestions to solve your problem - that is absolutely absurd.
***The problem*** is you don't know how to provide the information with which someone can tell you what the definitive solution would be.

As for your suggestion that Samba-LDAP is a black art...Samba is Samba and LDAP is LDAP - you understand neither package so expecting them to work for you is a rather pointless endeavor. Knowledge is power and you appear to be lacking both. Yet you expect them to work for you even though you don't understand them nor wish to understand them - I wish you luck.

Let me be blunt - you are a help vampire. Please don't email me any more until you change your ways.

Craig
Pitti, Raul
2006-Mar-30 18:17 UTC
[Samba] changing passwords from Windows XP Pro workstations
Gary Dale wrote:
> Craig White wrote:
>
>> I'm keeping this on list.
>>
>> On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote:
>>
>>> Craig White wrote:
>>>
>>>> ----
>>>> if I was going to guess...I think your problems are...
>>>>
>>>> http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330
>>>>
>>>> see items #3 through #7
>>>>
>>>> you don't have a passwd chat script as I recall. That's probably
>>>> important.
>>>>
>>>> your setup should track this setup as I see it.
>>>>
>>>> http://samba.org/samba/docs/man/Samba3-ByExample/secure.html
>>>>
>>>> since you have no interest in advancing your skills, count me out next
>>>> time unless you learn to ask simple questions. The simple truth is, if
>>>> you want know little, point and click Windows network administration,
>>>> you are probably better off using a Microsoft Windows server.
>>>>
>>>> My interest is in helping people that actually are interested in
>>>> learning something, yes gasp, those that actually do want to become
>>>> expert. Lastly, I would heavily suggest you forget about LDAP until
>>>> your attitude changes because it is hostile to administrators that
>>>> don't want to become knowledgeable.
>>>>
>>>> Craig
>>>>
>>>
>>> Thanks Craig. I think you'll see a problem here. You suggest that
>>> the issue may be a lack of a passwd chat script, while two others
>>> suggest I remove the passwd chat script - which is almost identical
>>> to the one in the second URL you just gave.
>>>
>>> The issue isn't about whether people want to learn. It's about how
>>> much they have to learn to get things to work. If something takes
>>> too much effort, in the real world it doesn't get done. There is
>>> nothing inherently complicated about managing a directory service.
>>> Look at the simple Linux tools for user or printer administration
>>> for proof. I see no virtue in making Samba-LDAP configuration a
>>> black art. A basic setup should be easy to achieve. In fact, from
>>> what I have been reading, LDAP should be the standard Samba backend.
>>> That won't happen if people have to spend a week or more learning
>>> how to use it.
>>>
>>
>> ----
>> You completely do not get it.
>>
>> Samba is infinitely configurable.
>>
>> Windows - at the moment of setup you have to choose the role for a
>> server, whether a domain controller or a member server. The workstation
>> is sold separately.
>> Samba provides all of those roles including a Windows 95/98 server too.
>>
>> There is no way that anyone can solve your problem with any certainty
>> without suitable logs, an inspection of your tdbsam and your /etc/passwd
>> files AND the smb.conf, the whole of which you dumped on us last night
>> and undoubtedly have changed many times since. Proper mail list
>> etiquette and a commitment to demonstrating that you are actually
>> focused on the problem would dictate that you limit those items to only
>> the minimum necessary logs, smb.conf, etc.
>>
>> Your information is incomplete and as I stated last night, I am not
>> going to speculate any further on your problems. In fact, your reply has
>> made me sorry that I even speculated on the solution to your problem.
>> As for my 'seeing' the problem - that being in your mind - different
>> suggestions to solve your problem - that is absolutely absurd.
>> ***The problem*** is you don't know how to provide the information with
>> which someone can tell you what the definitive solution would be.
>>
>> As for your suggestion that Samba-LDAP is a black art...Samba is Samba and
>> LDAP is LDAP - you understand neither package so expecting them to work
>> for you is a rather pointless endeavor. Knowledge is power and you
>> appear to be lacking both. Yet you expect them to work for you even
>> though you don't understand them nor wish to understand them - I wish
>> you luck.
>>
>> Let me be blunt - you are a help vampire. Please don't email me any more
>> until you change your ways.
>>
>> Craig
>>
> Under your rules, it is up to the patient to figure out what tests
> need to be performed before visiting the doctor. :)
>
> I have always regarded the help process as a dialogue - maybe that
> comes from my having worked in systems support at one time, or maybe
> it comes from my being a systems consultant (both inhouse and contract
> at various times) - but I have never expected the customer to tell me
> what is wrong in a manner that I can immediately say "here's what you
> have to do".
>
> In my experience, the customer/patient comes to the experts with a
> problem. The experts dig around to determine what the issue really is,
> including asking for specific tests or more information. Then they
> make a diagnosis and prescribe a treatment/solution.
>
> Insulting the patient/customer is usually not a good way to go about
> things. I've been working with PCs since 1978 and with Linux since
> 1998. I put a lot of effort into learning about making things work.
> And according to the Mensa test, I'm not stupid. :) But I'm also not
> someone who has a narrowly defined role. My customers expect me to be
> broadly knowledgeable on just about every topic associated with
> computers. Even if I became an LDAP guru, I'd be unlikely to maintain
> that level of expertise for long. That is a fact of life in the real
> world.
>
> Responding to your particular criticism about what I did post: You
> have demonstrated on several occasions that you haven't read or
> understood my posts. You have said that you weren't sure what setup I
> was using (LDAP or tdbsam) when my post stated I was using tdbsam. You
> said I didn't have a passwd change dialogue, when the smb.conf I
> posted did. And you said that I posted the entire smb.conf when I
> clearly indicated that I had trimmed unnecessary parts from it.
>
> I note however that this exchange has generated some helpful tips on
> resolving the problem. This is in sharp contrast to my earlier posts
> on the topic last September, and my recent posts on problems with
> LDAP, both of which were largely ignored (except for an exchange with
> Jeremy Allison which didn't resolve the problem). My "style" of
> posting this time seems to have achieved results, so if you object to
> it, perhaps you should look at your "style" of figuring out who to
> respond to. :) If I'd had this level of response last year, or even in
> my LDAP posts, things would have been a lot simpler for me.
>
> BTW: Windows, the last time I looked (which was W2K), allows you to
> change server roles. You can add or remove domain control
> functionality easily. And I recall using a third-party tool to promote
> and demote NT domain controllers before W2K (actually, it was helpful
> in moving the organization from NT to W2K and in restructuring the
> domain setup).
>
> I'm not going to defend Windows, but I'm also not going to resort to
> hyperbole about Linux being "infinitely configurable". There are only
> a small number of reasonable backends for Samba. They are tdbsam, LDAP
> and MySQL. Clear, straightforward configuration of each is not
> unachievable. It's only one more backend than Windows domains have (NT
> and ADS).
>
> Anyway Craig, thanks for your input. You've been quite helpful.
>
PLEASE STOP...

--
--------------------
Raúl D. Pittí Palma
Associate
Global Engineering and Technologies
mobile (507)-6616-0194
office (507)-264-2362
Republic of Panama
www.globaltecsa.com