Hi list,
Windows 7 Pro, joined to an NT-style domain hosted by Samba 4.5.16-Debian,
installed by Apt. A user had issues authenticating with FreeRADIUS on the
server, so I changed the password from terminal to a generic password, and
logged her in. I then asked her to change her password by pressing
Ctrl+Alt+Delete -> Change Password. I typed in the generic password, and
told her to type in her new password, following our password rules, and
pressing Enter. She keeps getting "Username or password incorrect".
Below is my smb.conf file, as outputted by "testparm -s":
# Global parameters
[global]
bind interfaces only = Yes
interfaces = eth0 127.0.0.1
netbios name = SAMBA
server string = ""
workgroup = WORKGROUPNAME
domain master = Yes
preferred master = Yes
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
/bin/false -M %u
domain logons = Yes
logon drive = h:
logon script = login.bat
allow insecure wide links = Yes
name resolve order = wins host bcast
server max protocol = NT1
unix extensions = No
check password script = /usr/local/sbin/complex_PW_check
pam password change = Yes
passwd chat = *new*password* %n\n *new*password* %n\n *updated*
passwd program = /usr/bin/passwd %u
security = USER
unix password sync = Yes
wins support = Yes
idmap config * : backend = tdb
printing = lprng
admin users = machine
(Yes, I know insecure wide links are vulnerable, but I was over-ruled)
Thoughts on why Windows 7 won't let the user change their own password? I
don't know when this issue started.
On 31/05/2019 18:03, Luke Barone via samba wrote:> Hi list, > > Windows 7 Pro, joined to an NT-style domain hosted by Samba 4.5.16-Debian, > installed by Apt. A user had issues authenticating with FreeRADIUS on the > server, so I changed the password from terminal to a generic password, and > logged her in. I then asked her to change her password by pressing > Ctrl+Alt+Delete -> Change Password. I typed in the generic password, and > told her to type in her new password, following our password rules, and > pressing Enter. She keeps getting "Username or password incorrect". > > Below is my smb.conf file, as outputted by "testparm -s": > # Global parameters > [global] > bind interfaces only = Yes > interfaces = eth0 127.0.0.1 > netbios name = SAMBA > server string = "" > workgroup = WORKGROUPNAME > domain master = Yes > preferred master = Yes > add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s > /bin/false -M %u > domain logons = Yes > logon drive = h: > logon script = login.bat > allow insecure wide links = Yes > name resolve order = wins host bcast > server max protocol = NT1 > unix extensions = No > check password script = /usr/local/sbin/complex_PW_check > pam password change = Yes > passwd chat = *new*password* %n\n *new*password* %n\n *updated* > passwd program = /usr/bin/passwd %u > security = USER > unix password sync = Yes > wins support = Yes > idmap config * : backend = tdb > printing = lprng > admin users = machine > > (Yes, I know insecure wide links are vulnerable, but I was over-ruled) > > Thoughts on why Windows 7 won't let the user change their own password? I > don't know when this issue started.Anything in /var/log/auth.log or /var/log/syslog on the Samba server ? Rowland
On 31/05/2019 19:47, Luke Barone wrote:> When I grep for the username, syslog shows no results, and auth.log > shows: > May 31 09:52:35 SERVERNAME passwd[27085]: pam_unix(passwd:chauthtok): > password changed for USERNAME > > ... which is when I manually ran "passwd USERNAME" and "smbpasswd > USERNAME" on the console.Hmm, you have 'pam password change = Yes' which means it is PAM that is doing the password change, so you need to debug this, you could also try commenting that line out and see if Samba can change the password. Rowland