samba - Oct 2006 - change passwd from windows--more grief

Hi group,

I can't seem to get passwd change from windows to work.  I am running
samba 3.0.20-3.1.20060mdk installed from rpms on Mandriva 2006; the
clients are windows XP sp2.  When I try to change passwd from windows I
get "You do not have permission to change your password".

What am I doing wrong? 

My global smb.conf is below.  
>From log.smbd I think this error pertains to the windows error: 
[2006/10/02 15:25:00, 3] smbd/chgpasswd.c:chgpasswd(457)
  chgpasswd: Password change (as_root=Yes) for user: foo
  PAM: unable to obtain the new authentication token - is password to
weak?

This is while using a new passwd of 9 random letters/numbers.

Any suggestions welcome, thanks in advance
=======================================================

dos charset = 850
        unix charset = ISO8859-1
        workgroup = DELTAGRADING
        server string = %h server (Samba, Mandrake)
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew
\sUNIX\spassword:* %n\n .
        passwd chat debug = Yes
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 3
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u
        add machine script = /usr/sbin/useradd -s /bin/false
-d /dev/null %u
        logon script = scripts\%U.bat
        logon path         logon drive = H:
        domain logons = Yes
        os level = 128
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap passwd sync = Yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2006 07:50 PM, Steve Glasser escreveu:
> Hi group,
> 
> I can't seem to get passwd change from windows to work.  I am running
> samba 3.0.20-3.1.20060mdk installed from rpms on Mandriva 2006; the
> clients are windows XP sp2.  When I try to change passwd from windows I
> get "You do not have permission to change your password".
> 
> What am I doing wrong? 
	I saw that you are using "pam password change", are
you aware of [1]how it works?

1.http://lists.samba.org/archive/samba/2002-November/055729.html

> My global smb.conf is below.  
>>From log.smbd I think this error pertains to the windows error: 
> 
> [2006/10/02 15:25:00, 3] smbd/chgpasswd.c:chgpasswd(457)
>   chgpasswd: Password change (as_root=Yes) for user: foo
>   PAM: unable to obtain the new authentication token - is password to
> weak?
	It looks like something related with your pam options.
The manpage says that usually no change is needed in the
passwd chat, but maybe you found a corner case. ;)

	Does it works with you turn off the 'pam password change'
paramenter in smb.conf?

> This is while using a new passwd of 9 random letters/numbers.
> Any suggestions welcome, thanks in advance
> =======================================================> 
> 
> dos charset = 850
>         unix charset = ISO8859-1
>         workgroup = DELTAGRADING
>         server string = %h server (Samba, Mandrake)
>         passdb backend = tdbsam
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew
> \sUNIX\spassword:* %n\n .
>         passwd chat debug = Yes
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         log level = 3
>         name resolve order = wins bcast hosts
>         time server = Yes
>         printcap name = CUPS
>         add user script = /usr/sbin/useradd -m %u
>         delete user script = /usr/sbin/userdel -r %u
>         add group script = /usr/sbin/groupadd %g
>         delete group script = /usr/sbin/groupdel %g
>         add user to group script = /usr/sbin/usermod -G %g %u
>         add machine script = /usr/sbin/useradd -s /bin/false
> -d /dev/null %u
>         logon script = scripts\%U.bat
>         logon path >         logon drive = H:
>         domain logons = Yes
>         os level = 128
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         ldap passwd sync = Yes
>         idmap uid = 15000-20000
>         idmap gid = 15000-20000
	I don't know if it has an impact, but you don't need
'ldap passwd sync' if you are not using LDAP, and looks like
you are not using it.

	Kind regards,

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFJQ9UCj65ZxU4gPQRAnoeAKCMdmVkHvIUX2WaR7RR7OO4VAiFkACfW9SC
3itThn6cPZc4pUkjU17By94=a6Jh
-----END PGP SIGNATURE-----