Hi
I have a customer who is having a problem with Samba password changes.
The samba server (server12) is set up as a PDC for a Windows domain with
XP clients. Samba is Version 3.0.26a-SerNet-RedHat. OS is CentOS 3.9.
There is also a separate mail server (server56) running FC6 which uses
NIS for user validation.
NIS server is running on server12.
Generally speaking, everything is working and has been since the server
was set up by root.
When a user tries to change their password from their XP workstation
they get the following error "You do not have permission to change your
password".
If I log on to the server and do an "su -" to the user's account, I get
the following:
> [robynw@sydsrv12 robynw]$ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> machine 127.0.0.1 rejected the password change: Error was : RAP86: The
> specified password is invalid.
> Password changed for user robynw (Note: everything remains unchanged).
When I look in /var/log/messages I see the following:
> Sep 10 11:53:08 sydsrv12 ypserv[905]: refused connect from
> 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
> Sep 10 11:53:17 sydsrv12 ypserv[905]: refused connect from
> 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
> Sep 10 11:54:16 sydsrv12 named[4727]: client 192.168.0.210#2081:
> update 'jamesons.com.au/IN' denied
> Sep 10 11:54:43 sydsrv12 su(pam_unix)[1859]: session opened for user
> robynw by prosmart(uid=0)
> Sep 10 11:55:28 sydsrv12 named[4727]: client 192.168.0.242#1430:
> update 'jamesons.com.au/IN' denied
> Sep 10 11:55:38 sydsrv12 ypserv[905]: refused connect from
> 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
> Sep 10 11:56:09 sydsrv12 su(pam_unix)[1859]: session closed for user
> robynw
> Sep 10 11:56:23 sydsrv12 ypserv[905]: refused connect from
> 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
In the workstation log in /var/log/samba/pc004 I see the following:
> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
> smb_pam_passchange: PAM: Password Change Failed for user robynw!
> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
> smb_pam_passchange: PAM: Password Change Failed for user robynw!
> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
> smb_pam_passchange: PAM: Password Change Failed for user robynw!
> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
> smb_pam_passchange: PAM: Password Change Failed for user robynw!
Here is the contents of /etc/pam.d/samba:
> #%PAM-1.0
> auth required pam_unix.so
> account required pam_unix.so
and the global section of /etc/samba/smb.conf
> # Date: 2008/09/10 11:01:30
> [global]
> workgroup = MYDOMAIN
> passdb backend = tdbsam
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
> username map = /etc/samba/smbusers
> unix password sync = Yes
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> smb ports = 139
> name resolve order = wins bcast hosts
> time server = Yes
> show add printer wizard = No
> add user script = /usr/sbin/useradd -m '%u'
> delete user script = /usr/sbin/userdel -r '%u'
> add group script = /usr/sbin/groupadd '%g'
> delete group script = /usr/sbin/groupdel '%g'
> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
> logon script = scripts\logon.bat
> logon path = \\%L\profiles\%U
> logon drive = X:
> logon home = \\%L\%U
> domain logons = Yes
> preferred master = Yes
> wins support = Yes
> ldap ssl = no
> utmp = Yes
> map acl inherit = Yes
> cups options = Raw
> veto files = /*.eml/*.nws/*.{*}/
> veto oplock files = /*.doc/*.xls/*.mdb/
> strict locking = No
I would really appreciate anyone's input into where I should start
looking. Although I would like a solution to this, I would /really/ like
to understand the problem a little better. I have gone through the
Official Samba-3 How To and Samba by Example but I don't feel any closer
to the solution.
Any takers?
TIA
Nigel.
--
Nigel Allen
Managing Director
Electronic Document Registry Systems
EDRS
Phone: +61 2 9450 2690
Fax: +61 2 9450 2691
Mobile: +61 4 1494 5269
Web: http://www.edrs.com.au
DataSafe(TM) - Saving over 80% of your postage costs
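
A consistency check over the two files quoted in the post, as an added example that is not part of the original message: with `unix password sync = Yes` and `pam password change = Yes`, smbd hands the Unix side of a password change to PAM (the `smb_pam_passchange` lines in the log), and PAM runs a password change from the service's `password` entries, which the posted /etc/pam.d/samba does not contain. The embedded file contents are constructed from the post (smb.conf abridged), and the function names are hypothetical.

```python
import re

# Constructed from the two files quoted in the post (smb.conf abridged).
SMB_CONF = """[global]
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
unix password sync = Yes
"""
PAM_SAMBA = """#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
"""

def parse_smb_global(text):
    """Return [global] parameters; keys lower-cased with whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def pam_groups(text):
    """Return the management groups (auth, account, password, session) present."""
    groups = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            groups.add(line.split()[0].lstrip("-").lower())
    return groups

def enabled(params, key):
    return params.get(key, "no").lower() in {"yes", "true", "1"}

def check_password_change(smb_conf, pam_conf):
    """Report when smbd is told to change Unix passwords via PAM but the
    service file has no 'password' entries for pam_chauthtok() to run."""
    params, groups = parse_smb_global(smb_conf), pam_groups(pam_conf)
    if (enabled(params, "unix password sync") and enabled(params, "pam password change")
            and "password" not in groups):
        return ["PAM password change enabled, but service has only: "
                + ", ".join(sorted(groups))]
    return []
```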