samba - Jan 2004 - Samba 3.0.1 + LDAP + User Password Change failure

Samba 3.0.1-03 on mandrake 9.2 with LDAP and smbldap tools

Can log on from w2k workstation as user but user cant change password get
message
you do not have permission to change your password suspect this is whats
causing failure

[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
  Invoking '/usr/share/samba/scripts/smbldap-passwd -o
'tstuser1'' as
password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
  expect: Input/output error

Trying to use usermanager to change  password also fails but does allow
other info in LDAP to be changed
so assume that settting LDAP manager password in secrets has worked ok.

Have tried with and without password chat time out in smb.conf

smbldap-passwd works fine from command line on linux box so LDAP appears to
be working fine

Need help to see the error of my ways as am in process of setting up samba
as PDC for 130 user site
initially for exchange e-mail user authentication.

smb.conf, logs etc follow

smb.conf
[global]
        workgroup = SAMBA3
        server string = Samba Server %v
        map to guest = Bad User
        obey pam restrictions = No
        passdb backend = ldapsam:ldap://127.0.0.1:389
        idmap backend = ldapsam:ldap://127.0.0.1:389
        passwd program = /usr/share/samba/scripts/smbldap-passwd -o '%u'
#       passwd chat = *: %n\\n *: %n\\n
#       passwd chat timeout = 100
        unix password sync = Yes
        passwd chat debug = Yes
        log level = 10
        log file = /var/log/samba/log.%m
        max log size = 200
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/bin/smbldap-useradd -a '%u'
        delete user script = /usr/bin/smbldap-userdel -d '%u'
        add group script = /usr/bin/smbldap-groupadd -a -g '%g'
&&
/usr/bin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}
'
        delete group script = /usr/bin/smbldap-userdel -d -g '%g'
        add user to group script = /usr/bin/smbldap-groupmod -m '%u' -g
'%g'
        delete user from group script = /usr/bin/smbldap-groupmod -x
'%u' -g
'%g'
        set primary group script = /usr/bin/smbldap-usermod -u '%u' -g
'%g'
        add machine script = /usr/bin/smbldap-useradd -w -d /dev/null  -s
/bin/false '%m'
        logon script = test.bat
        logon path         logon drive = H:
        logon home         domain logons = Yes
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap suffix = dc=hill,dc=co.uk
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap admin dn = "cn=manager,dc=hill,dc=co.uk"
        ldap ssl = no
        ldap passwd sync = Yes
        printer admin = @"Domain Admins"
        hosts allow = 192.168.5., 127.
        printing = lprng

[homes]
        comment = Home Directories
        path = /V1/users_p
        read only = No
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /V1/netlogon
        guest ok = Yes
        writable = no

[Profiles]
        path = /V1/profiles
        guest ok = Yes
        browseable = No
        available = No

[users_s]
        path = /V1/users_s
        public = Yes
        read only = no
        browseable = Yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        read only = No
        create mask = 0700
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        browseable = No

Samba log - relevant section - I hope

 Trying _Get_Pwnam(), username as lowercase is tstuser1
[2004/01/13 09:36:53, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [tstuser1]!
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chgpasswd(465)
  Password change (as_root=Yes) for user: tstuser1
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:findpty(87)
  findpty: Allocated slave pty /dev/pts/1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(103) : conn_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(422)
  Dochild for user tstuser1 (uid=0,gid=0) (as_root = Yes)
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
  Invoking '/usr/share/samba/scripts/smbldap-passwd -o
'tstuser1'' as
password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
  read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
  expect: Input/output error
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:talktochild(311)
  Response 1 incorrect
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(367)
  Child failed to change password: tstuser1
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(403)
  The status of the process exiting was 32512
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1003, 513) - sec_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 5]
rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7120)
  init_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1469)
  _samr_chgpasswd_user: 1469
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0000 status: NT_STATUS_ACCESS_DENIED
[2004/01/13 09:36:53, 5] rpc_server/srv_pipe.c:api_rpcTNP(1549)
  api_rpcTNP: called samr successfully

slapd.conf

include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
#include        /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/inetorgperson.schema
#include        /usr/share/openldap/schema/java.schema
#include        /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
#include        /usr/share/openldap/schema/misc.schema
#include        /usr/share/openldap/schema/openldap.schema

#include /usr/share/openldap/schema/rfc822-MailMember.schema
#include /usr/share/openldap/schema/pilot.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba3.schema
#include /usr/share/openldap/schema/qmail.schema
#include /usr/share/openldap/schema/mull.schema
#include /usr/share/openldap/schema/netscape-profile.schema
#include /usr/share/openldap/schema/trust.schema
#include /usr/share/openldap/schema/dns.schema
#include /usr/share/openldap/schema/cron.schema

#include        /etc/openldap/schema/local.schema



# Define global ACLs to disable default read access.
include         /etc/openldap/slapd.access.conf


# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

modulepath      /usr/lib/openldap
#moduleload      back_dnssrv.la
#moduleload      back_ldap.la
#moduleload      back_passwd.la
#moduleload      back_sql.la

# SASL config
#sasl-host ldap.example.com

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
#TLSRandFile            /dev/random
#TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath   /etc/ssl/openldap/
TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0


#######################################################################
# ldbm database definitions
#######################################################################
database        ldbm
suffix          "dc=hill,dc=co.uk"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=manager,dc=hill,dc=co.uk"
#rootdn         "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          testing
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain
index   objectClass                             eq
# from samba config
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber       eq
index   gidNumber       eq
index   memberUid       eq
index   sambaSID        eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName eq
index   default sub
# following line commented out from sample config file
#index  mail,surname,givenname          eq,subinitial
# logging
loglevel 256

# Basic ACL
# uid=root changed to cn=root
#
#access to attr=userPassword
#        by self write
#        by anonymous auth
#        by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
#        by * none

#access to *
#        by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
#        by * read
#
# /etc/nsswitch.conf
#


passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files nisplus nis dns



bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

#
# system-auth
#
#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so likeauth use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=4
dcredit=0  ucredit=0
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Hi,

A possible workaround for this would be to drop all passwd change 
related lines in your smb.conf, and specify ldap password sync = yes. At 
least it worked for me (Mandrake 9.1 Samba3.01pre1)

Good Luck!

Geza