CentOS - Jun 2009 - How do I change passwords / remove users for Samba?

I've got a bit of a problem with Samba. I just can't work out how to 
change passwords or remove users.
I've just got user security.. lines in smb.conf are:

         security = user
         passdb backend = tdbsam

I've removed the user using pdbedit, I've removed the unix user, 
smbpasswd says the user doesn't exist
yet I can still connect to the shares. I'm obviously just missing 
something here. Can anyone point me in the
right direction?

thanks

On Tue, 2009-06-23 at 10:08 +0100, Kevin Thorpe wrote:
> I've got a bit of a problem with Samba. I just can't work out how
to
> change passwords or remove users.
> I've just got user security.. lines in smb.conf are:
> 
>          security = user
>          passdb backend = tdbsam
> 
> I've removed the user using pdbedit, I've removed the unix user, 
> smbpasswd says the user doesn't exist
> yet I can still connect to the shares. I'm obviously just missing 
> something here. Can anyone point me in the
> right direction?
> 
> thanks
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
check out smbpasswd

On 23/06/2009 10:25, Coert Waagmeester wrote:
> On Tue, 2009-06-23 at 10:08 +0100, Kevin Thorpe wrote:
>    
>> I've got a bit of a problem with Samba. I just can't work out
how to
>> change passwords or remove users.
>> I've just got user security.. lines in smb.conf are:
>>
>>           security = user
>>           passdb backend = tdbsam
>>
>> I've removed the user using pdbedit, I've removed the unix
user,
>> smbpasswd says the user doesn't exist
>> yet I can still connect to the shares. I'm obviously just missing
>> something here. Can anyone point me in the
>> right direction?
>>
>> tp://lists.centos.org/mailman/listinfo/centos
>>      
>
> check out smbpasswd
>
>    
[root at database samba]# smbpasswd kevin
New SMB password:
Retype new SMB password:
Failed to find entry for user kevin.
Failed to modify password entry for user kevin

Yet I can still connect to the shares as kevin..... strange
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090623/c2db2a08/attachment.html>

On Tue, 2009-06-23 at 10:25 +0100, Kevin Thorpe wrote:
> On 23/06/2009 10:25, Coert Waagmeester wrote: 
> > On Tue, 2009-06-23 at 10:08 +0100, Kevin Thorpe wrote:
> [root at database samba]# smbpasswd kevin
> New SMB password:
> Retype new SMB password:
> Failed to find entry for user kevin.
> Failed to modify password entry for user kevin
> 
> Yet I can still connect to the shares as kevin..... strange
---
Post your Share Configuration. Restart samba? service smb restart. How
are you connecting to the share? VIA Linux or Windows?

john

On Tue, Jun 23, 2009 at 5:25 AM, Kevin Thorpe<kevin at pibenchmark.com>
wrote:
> Yet I can still connect to the shares as kevin..... strange
As root try:

# service smb reload

Brett

On Tue, 2009-06-23 at 10:25 +0100, Kevin Thorpe wrote:
> [root at database samba]# smbpasswd kevin
> New SMB password:
> Retype new SMB password:
> Failed to find entry for user kevin.
> Failed to modify password entry for user kevin
> 
> Yet I can still connect to the shares as kevin..... strange
---
And replying to you again if the user "kevin" is a System User You
will
still be able to connect to the share.

john

On 23/06/2009 10:39, Brett Serkez wrote:
> On Tue, Jun 23, 2009 at 5:25 AM, Kevin Thorpe<kevin at
pibenchmark.com>  wrote:
>
>    
>> Yet I can still connect to the shares as kevin..... strange
>>      
>
> As root try:
>
> # service smb reload
Curiouser and curiouser. That worked, I can't connect now. Why should 
Samba cache the password file?
Seems a bit of a security problem to me.

On 23/06/2009 10:43, JohnS wrote:
> On Tue, 2009-06-23 at 10:25 +0100, Kevin Thorpe wrote:
>
>    
>> [root at database samba]# smbpasswd kevin
>> New SMB password:
>> Retype new SMB password:
>> Failed to find entry for user kevin.
>> Failed to modify password entry for user kevin
>>
>> Yet I can still connect to the shares as kevin..... strange
>>      
> ---
> And replying to you again if the user "kevin" is a System User
You will
> still be able to connect to the share.
>    
Oh. Does that mean that Samba looks in passdb.tdb first then falls back 
to passwd/shadow?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090623/e5803726/attachment.html>

On 23/06/2009 11:00, JohnS wrote:
> On Tue, 2009-06-23 at 10:46 +0100, Kevin Thorpe wrote:
>    
>> On 23/06/2009 10:39, Brett Serkez wrote:
>>      
>>> On Tue, Jun 23, 2009 at 5:25 AM, Kevin Thorpe<kevin at
pibenchmark.com>   wrote:
>>>
>>>
>>>        
>>>> Yet I can still connect to the shares as kevin..... strange
>>>>
>>>>          
>>> As root try:
>>>
>>> # service smb reload
>>>        
>> Curiouser and curiouser. That worked, I can't connect now. Why
should
>> Samba cache the password file?
>> Seems a bit of a security problem to me.
>>      
> ---
> The samba Caching directory is in /var/cache/samba . Why should it Cache
> it? For quicker access. That is the way it is designed and I know of no
> security flaw in that. Just executing service smb reload will not
> disconnect a user. But using "restart" will dump all the users.
Oh, I didn't spot the distinction between 'reload' and
'restart'.
Personally I would have forced that after a password
change, or at the very least after deleting a user because otherwise 
they seem to still be able to get in.

On Tue, 2009-06-23 at 10:48 +0100, Kevin Thorpe wrote:
> On 23/06/2009 10:43, JohnS wrote: 
> > On Tue, 2009-06-23 at 10:25 +0100, Kevin Thorpe wrote:
> > 
> >   
> > > [root at database samba]# smbpasswd kevin
> > > New SMB password:
> > > Retype new SMB password:
> > > Failed to find entry for user kevin.
> > > Failed to modify password entry for user kevin
> > > 
> > > Yet I can still connect to the shares as kevin..... strange
> > >     
> > ---
> > And replying to you again if the user "kevin" is a System
User You will
> > still be able to connect to the share.
> >   
> Oh. Does that mean that Samba looks in passdb.tdb first then falls
> back to passwd/shadow?
---
Ok, what I mean is when kevin is a system user. Then you do smbpasswd
kevin and enter a password samba uses the .tdb database when 
security = user.

When security = AD samba checks the Active Directory LDAP Database
first. This help on explaining it?

John

Sorry, I've still got problems.

I'm trying to set up a new Samba user. I've done useradd to put them in 
passwd, I've done smbpasswd to set a samba password. They're in the 
required group (spendtrak) for this share. I've even restarted samba. 
When I try and connect to the share with 'connect using a different 
username' form XP it just keeps asking me for the password. I can 
connect to the share as myself, but not if I define myself as the 
'different user name'. Is there a log anywhere which will tell me
what's
going wrong with the login.

Sorry, but this is frustrating the hell out of me.


  # share for spendtrak
[spendtrak]
         comment = Spendtrak Files
         path = /home/spendtrak
         writable = yes
         printable = no
         valid users = +spendtrak
         force group = spendtrak
         create mode = 0660
         create mask = 0660
         force create mode = 0660
         directory mode = 0770
         directory mask = 0770
         force directory mode = 0770
         inherit permissions = yes

On 23/06/2009 11:34, Kevin Thorpe wrote:
> Sorry, I've still got problems.
>
> I'm trying to set up a new Samba user. I've done useradd to put
them in
> passwd, I've done smbpasswd to set a samba password. They're in the
> required group (spendtrak) for this share. I've even restarted samba.
> When I try and connect to the share with 'connect using a different
> username' form XP it just keeps asking me for the password. I can
> connect to the share as myself, but not if I define myself as the
> 'different user name'. Is there a log anywhere which will tell me
what's
> going wrong with the login.
>
> Sorry, but this is frustrating the hell out of me.
>
>
>    # share for spendtrak
> [spendtrak]
>           comment = Spendtrak Files
>           path = /home/spendtrak
>           writable = yes
>           printable = no
>           valid users = +spendtrak
>           force group = spendtrak
>           create mode = 0660
>           create mask = 0660
>           force create mode = 0660
>           directory mode = 0770
>           directory mask = 0770
>           force directory mode = 0770
>           inherit permissions = yes
>
>    
Well smbclient seems to work fine so I guess it's Windows at fault (as 
per bloody usual).

On 23/06/2009 11:39, Kevin Thorpe wrote:
> On 23/06/2009 11:34, Kevin Thorpe wrote:
>    
>> Sorry, I've still got problems.
>>
>> I'm trying to set up a new Samba user. I've done useradd to put
them in
>> passwd, I've done smbpasswd to set a samba password. They're in
the
>> required group (spendtrak) for this share. I've even restarted
samba.
>> When I try and connect to the share with 'connect using a different
>> username' form XP it just keeps asking me for the password. I can
>> connect to the share as myself, but not if I define myself as the
>> 'different user name'. Is there a log anywhere which will tell
me what's
>> going wrong with the login.
>>
>> Sorry, but this is frustrating the hell out of me.
>>
>>
>>     # share for spendtrak
>> [spendtrak]
>>            comment = Spendtrak Files
>>            path = /home/spendtrak
>>            writable = yes
>>            printable = no
>>            valid users = +spendtrak
>>            force group = spendtrak
>>            create mode = 0660
>>            create mask = 0660
>>            force create mode = 0660
>>            directory mode = 0770
>>            directory mask = 0770
>>            force directory mode = 0770
>>            inherit permissions = yes
>>
>>
>>      
> Well smbclient seems to work fine so I guess it's Windows at fault (as
> per bloody usual).
Well I finally worked it out. Reboot Windows then it works. Bah! Stupid 
Microsoft. Wasted half my morning because Windows is broken.