Matt Anderson
2008-May-01 19:38 UTC
[Samba] Unable to change Windows password on Samba BDC
Dear Help,

We are currently running Samba 3.0.22 on a distributed network/domain as a PDC (primary domain controller) and several as BDCs (backup domain controllers) in our branch offices located around the country.

At this point, the PDC is set up in our corporate office (where I'm located) and users have no trouble authenticating (via logging into Windows and accessing shares) and also have no trouble changing passwords (either when they expire or manually) through the Windows interface.

However, users located in the branch offices (where the BDCs are located) have no trouble authenticating (via logging into Windows and accessing shares) BUT are unable to change their password through the Windows interface, getting the error "The system cannot change your password now because the domain <name> is not available". All clients are Windows XP with SP2 installed.

I have added (see below) the smb.conf for our PDC as well as the BDC that's causing problems -- all BDCs basically have the exact same config.

I've tried raising the log level to 3 on the BDC that's not working properly, but it turns out that trying to change the password doesn't generate ANY log. However, I know that the domain is available, since immediately before attempting to change the password I logged on to Windows using the domain... I've poked around various forums and newsgroups but haven't found anything that has stuck (or particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd be glad to hear them!

Thanks,
Matt

======= PDC smb.conf (global section only) ============
[global]
netbios name = ds-tem-1
workgroup = DOMAIN
server string = Samba PDC %v %h
obey pam restrictions = Yes
passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
security = user
log level = 3
log file = /var/log/samba/%m.log
max log size = 5000
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
logon path =
logon home =
domain logons = Yes
os level = 128
preferred master = Yes
domain master = Yes
ldap admin dn = cn=name,o=organization
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap
ldap machine suffix = ou=Workstations
ldap user suffix =
ldap filter = (uid=%u)
ldap suffix = o=organization
ldap passwd sync = No
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
idmap uid = 10000-20000
idmap gid = 10000-20000
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
wins support = Yes
encrypt passwords = Yes
logon script = %U.bat
map to guest = Bad User

======== BDC smb.conf (global section only) ========
[global]
workgroup = DOMAIN
server string = Samba BDC %v %h
obey pam restrictions = Yes
passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
log level = 2
log file = /var/log/samba/%m.log
max log size = 1000
logon path =
logon home =
domain logons = Yes
domain master = No
preferred master = Yes
ldap admin dn = cn=name,o=organization
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap
ldap machine suffix = ou=Workstations
ldap suffix = o=organization
ldap passwd sync = No
ldap filter = (uid=%u)
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
idmap uid = 10000-20000
idmap gid = 10000-20000
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
wins server = ip.of.PDC.here
map to guest = Bad User
Adam Williams
2008-May-01 20:45 UTC
[Samba] Unable to change Windows password on Samba BDC
in the BDC, take out:

passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
unix password sync = yes

add:

ldap passwd sync = yes
encrypt passwords = yes
update encrypted = Yes
unix password sync = no

Matt Anderson wrote:
> Dear Help,
>
> We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
> (primary domain controller) and several as BDCs (backup domain controllers) in
> our branch offices located around the country.
>
> At this point, the PDC is set up in our corporate office (where I'm located) and
> users have no trouble authenticating (via logging into Windows and accessing
> shares) and also have no trouble changing passwords (either when they expire or
> manually) through the Windows interface.
>
> However, users located in the branch offices (where the BDCs are located)
> have no trouble authenticating (via logging into Windows and accessing shares)
> BUT are unable to change their password through the Windows interface, getting
> the error "The system cannot change your password now because the domain
> <name> is not available". All clients are Windows XP with SP2 installed.
>
> I have added (see below) the smb.conf for our PDC as well as the BDC that's
> causing problems -- all BDCs basically have the exact same config.
>
> I've tried raising the log level to 3 on the BDC that's not working properly,
> but it turns out that trying to change the password doesn't generate ANY log.
> However, I know that the domain is available, since immediately before attempting
> to change the password I logged on to Windows using the domain... I've poked around
> various forums and newsgroups but haven't found anything that has stuck (or
> particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd
> be glad to hear them!
>
> Thanks,
> Matt
>
> ======= PDC smb.conf (global section only) ============
> [global]
> netbios name = ds-tem-1
> workgroup = DOMAIN
> server string = Samba PDC %v %h
> obey pam restrictions = Yes
> passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
> security = user
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 5000
> add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c
> 'Machine Account for %u' -s /bin/false %u
> logon path =
> logon home =
> domain logons = Yes
> os level = 128
> preferred master = Yes
> domain master = Yes
> ldap admin dn = cn=name,o=organization
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=IDMap
> ldap machine suffix = ou=Workstations
> ldap user suffix =
> ldap filter = (uid=%u)
> ldap suffix = o=organization
> ldap passwd sync = No
> unix password sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> veto files = /.?*/
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> wins support = Yes
> encrypt passwords = Yes
> logon script = %U.bat
> map to guest = Bad User
>
> ======== BDC smb.conf (global section only) ========
> [global]
> workgroup = DOMAIN
> server string = Samba BDC %v %h
> obey pam restrictions = Yes
> passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
> log level = 2
> log file = /var/log/samba/%m.log
> max log size = 1000
> logon path =
> logon home =
> domain logons = Yes
> domain master = No
> preferred master = Yes
> ldap admin dn = cn=name,o=organization
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=IDMap
> ldap machine suffix = ou=Workstations
> ldap suffix = o=organization
> ldap passwd sync = No
> ldap filter = (uid=%u)
> unix password sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> veto files = /.?*/
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> wins server = ip.of.PDC.here
> map to guest = Bad User
>
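The BDC [global] password-handling lines as posted, beside the same lines with Adam's change applied. This is an added illustration, not a fragment from the thread or from the Samba project; the placeholder LDAP URIs and admin DN are the ones Matt posted, and the comments are editorial. The point of the change is where the password write happens: as posted, a password change via SAMR has smbd spawn /usr/sbin/smbldap-passwd through the passwd chat to update the Unix side, whereas with ldap passwd sync = yes Samba updates the LDAP entry itself (the NT/LM hash attributes together with userPassword and pwdLastSet), bound as the ldap admin dn, and no external program runs.

```ini
; --- BDC as posted: external passwd program drives the Unix-side change ---
[global]
    passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
    ldap admin dn = cn=name,o=organization
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n

; --- BDC with Adam's change: Samba writes the LDAP password itself ---
[global]
    passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
    ldap admin dn = cn=name,o=organization
    ; Samba updates userPassword alongside sambaNTPassword/sambaLMPassword
    ; in the same password change, using the ldap admin dn credential
    ; stored in secrets.tdb (set with 'smbpasswd -w').
    ldap passwd sync = Yes
    ; No passwd program / passwd chat: nothing is spawned on the Unix side.
    unix password sync = No
    ; Default is already Yes in Samba 3; stated so the intent is visible.
    encrypt passwords = Yes
    ; 'update encrypted' is deliberately omitted: it only has an effect when
    ; plaintext passwords are accepted, which 'encrypt passwords = Yes' rules out.
```

Two checks worth making after the change: run testparm -s to confirm the file parses, and confirm that the LDAP server the BDC binds to will accept a write to userPassword and the samba* attributes from cn=name,o=organization. If the branch BDC points at a read-only replica, the modify must either be referred to the master and followed by Samba, or the write fails and the password change with it.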
Matt Anderson
2008-May-01 21:15 UTC
[Samba] Re: Unable to change Windows password on Samba BDC
Matt Anderson <sokkerstud_11 <at> hotmail.com> writes:

> However, users located in the branch offices (where the BDCs are located)
> have no trouble authenticating (via logging into Windows and accessing shares)
> BUT are unable to change their password through the Windows interface, getting
> the error "The system cannot change your password now because the domain
> <name> is not available". All clients are Windows XP with SP2 installed.

Okay, so I figured out why it wasn't working. I needed to add the IP address of the PDC to the WINS tab in the user's TCP/IP connection settings for it to be able to resolve the primary domain controller to change the password (at least, that's what I'm assuming the problem was). Once I added the PDC's IP address to the WINS tab I could change passwords no problem.

However, we currently assign all IP addresses manually (no DHCP server). Is there any way (I'm guessing not) I can accomplish this without having to physically change the network connection settings on hundreds of client PCs manually?

On a side note, I tried adding the BDC's IP address to the WINS tab first and was unsuccessful... which I think is expected.

Again, any thoughts would be greatly appreciated. Thanks!

-Matt
Matt Anderson
2008-May-01 22:23 UTC
[Samba] Re: Unable to change Windows password on Samba BDC
Matt Anderson <sokkerstud_11 <at> hotmail.com> writes:

> However, users located in the branch offices (where the BDCs are located)
> have no trouble authenticating (via logging into Windows and accessing shares)
> BUT are unable to change their password through the Windows interface, getting
> the error "The system cannot change your password now because the domain
> <name> is not available". All clients are Windows XP with SP2 installed.

Is it true that user password changes (when initiated from Windows) have to go through the PDC and can't be done through the BDC?

Thanks in advance,
Matt
Andrew Bartlett
2008-May-05 23:02 UTC
[Samba] Unable to change Windows password on Samba BDC
On Thu, 2008-05-01 at 15:45 -0500, Adam Williams wrote:
> in the BDC, take out:
>
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> unix password sync = yes
>
> add:
>
> ldap passwd sync = yes
> encrypt passwords = yes

Just a quick note that:

> update encrypted = Yes

This option does nothing these days. It was for when we accepted plaintext passwords (which we do not, as you have set encrypt passwords = yes).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
Andrew Bartlett
2008-May-05 23:07 UTC
[Samba] Unable to change Windows password on Samba BDC
On Thu, 2008-05-01 at 19:38 +0000, Matt Anderson wrote:
> Dear Help,
>
> We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
> (primary domain controller) and several as BDCs (backup domain controllers) in
> our branch offices located around the country.
>
> At this point, the PDC is set up in our corporate office (where I'm located) and
> users have no trouble authenticating (via logging into Windows and accessing
> shares) and also have no trouble changing passwords (either when they expire or
> manually) through the Windows interface.
>
> However, users located in the branch offices (where the BDCs are located)
> have no trouble authenticating (via logging into Windows and accessing shares)
> BUT are unable to change their password through the Windows interface, getting
> the error "The system cannot change your password now because the domain
> <name> is not available". All clients are Windows XP with SP2 installed.
>
> I have added (see below) the smb.conf for our PDC as well as the BDC that's
> causing problems -- all BDCs basically have the exact same config.

If your PDC and BDC are *not* in the same netbios namespace, because for example they do not use WINS, or use only local WINS servers, then you can set each remote 'BDC' as if it was a PDC. The only thing that enforced the 'one PDC' requirement in Samba is the netbios namespace, and many sites have been set up where there are multiple PDCs for exactly this (being distributed with an LDAP backend) reason.

Note that this does not make any changes to how you have LDAP configured - it may still be master/slave, and it will work just as it did before, as long as the BDCs can write (by following the LDAP referrals).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
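The arrangement Andrew describes, written out as the [global] section of a branch-office DC that acts as the PDC of its own NetBIOS namespace. This is an added example, not a config from the thread or from the Samba project: the netbios name branch-dc-1 and the comments are assumptions, the LDAP and domain lines are taken from the BDC config Matt posted, and lines not shown (ldap suffixes, idmap, logging, veto files) are left exactly as in that config. A Windows client locates the PDC for a password change by resolving the DOMAIN<1B> NetBIOS name, which is why a branch with no route to the corporate WINS server reports the domain as unavailable; the settings below make the branch server the holder of that name locally.

```ini
; Branch-office DC acting as PDC for its own (isolated) NetBIOS namespace.
; Everything not listed here stays as in the posted BDC smb.conf.
[global]
    workgroup = DOMAIN
    netbios name = branch-dc-1          ; assumed name, unique within the branch
    domain logons = Yes
    ; Was 'No' on the BDC. With 'Yes' this server registers DOMAIN<1B> and
    ; answers the clients' password-change (SAMR) requests itself.
    domain master = Yes
    preferred master = Yes
    os level = 128
    ; Local WINS only: branch clients point their WINS entry at this server.
    ; Deliberately no 'wins server = ip.of.PDC.here': registering with the
    ; corporate WINS database would put two DOMAIN<1B> records in one
    ; namespace, which is the one-PDC constraint Andrew refers to.
    wins support = Yes
    ; LDAP unchanged from the BDC: the servers listed may be slaves, but a
    ; password change is an LDAP write and must reach the master, either
    ; directly or via a referral the slave returns and Samba follows.
    passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
    ldap admin dn = cn=name,o=organization
    ldap suffix = o=organization
    ldap passwd sync = Yes
    unix password sync = No
    encrypt passwords = Yes
```

Before promoting a branch server this way, run testparm -s (it rejects wins support = Yes combined with wins server = ...) and confirm that every DC reports the same domain SID with net getlocalsid DOMAIN; the SID lives in the shared sambaDomain object in LDAP, so a mismatch means the branch server is not really serving the same domain and its clients' existing machine accounts and profiles will stop matching.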