Gianluca Cecchi
2006-Dec-12 11:14 UTC
[Samba] changing password only works the second time?
Env. is samba-3.0.9-1.3E.10 on CentOS 3.7 as PDC with WXP SP2 clients.
Situation:
1) a user receives notification at logon that the password is expiring
and that only a few days remain to change it
2) he/she answers yes, enters the old and new passwords and presses ok
3) the system sends the error message:
authorization to change the password is missing
(the real message is in Italian: "Manca l'autorizzazione per cambiare la
password")
4) the user presses ok in this window and receives the change password window again
5) he/she retypes the old and new passwords and presses ok
6) now the system changes the password!
It is the same whether or not the user has local admin privileges.
The relevant directives in smb.conf are:
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/local/bin/align_pwd.sh %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
There is a custom script, align_pwd.sh, that does some extra work when
the password is changed.
The script is this:
#!/bin/bash
USER=$1
LOGFILE=/tmp/${USER}_pwdchange.log
SYSMAIL="our_mail@our_mail_domain"
export USER LOGFILE SYSMAIL
# The prompts printed here must match the "passwd chat" elements in smb.conf;
# smbd answers each one with the new password (%n).
echo "New password"
read newpwd1
echo "Retype new password"
read newpwd2
if [ "$newpwd1" != "$newpwd2" ]
then
    echo "Sorry, passwords do not match" > "$LOGFILE"
    exit 1
fi
NEWPWD=$newpwd1
export USER NEWPWD
# 1. local PDC account
echo "updating pdc..." > "$LOGFILE" 2>&1
echo "$NEWPWD" | passwd --stdin "$USER" >> "$LOGFILE" 2>&1
if [ $? -eq 0 ]
then
    # 2. second Unix server, password fed on stdin over ssh
    echo "updating server2..." >> "$LOGFILE" 2>&1
    echo "$NEWPWD" | ssh server2 "passwd --stdin $USER" >> "$LOGFILE" 2>&1
    # 3. AD server, looked up by the full name stored in the passdb
    FULLNAME=$(pdbedit -Lv "$USER" | grep "^Full Name" | awk '{print $3" "$4}' | sed "s/'/\\\'/") >> "$LOGFILE" 2>&1
    echo "updating AD server..." >> "$LOGFILE" 2>&1
    ssh adsrv "/usr/local/bin/set_adpwd.sh $FULLNAME $NEWPWD" >> "$LOGFILE" 2>&1
else
    echo "an error occured in ssh ad script!" >> "$LOGFILE" 2>&1
    exit 1
fi
# Final line smbd waits for: the last element of the passwd chat.
echo "passwd: all authentication tokens updated successfully"
cat "$LOGFILE" | mail -s "$USER changed password" "$SYSMAIL"
In /var/log/messages I can only see
Dec 12 08:43:15 pevpdc smbd[25891]: [2006/12/12 08:43:15, 0] lib/util_sock.c:get_peer_addr(1000)
Dec 12 08:43:15 pevpdc smbd[25891]: getpeername failed. Error was Transport endpoint is not connected
Dec 12 08:43:15 pevpdc smbd[25891]: [2006/12/12 08:43:15, 0] lib/util_sock.c:get_peer_addr(1000)
Dec 12 08:43:15 pevpdc smbd[25891]: getpeername failed. Error was Transport endpoint is not connected
Dec 12 08:43:15 pevpdc smbd[25891]: [2006/12/12 08:43:15, 0] lib/util_sock.c:write_socket_data(430)
Dec 12 08:43:15 pevpdc smbd[25891]: write_socket_data: write failure. Error = Connessione abbattuta dal corrispondente
Dec 12 08:43:15 pevpdc smbd[25891]: [2006/12/12 08:43:15, 0] lib/util_sock.c:write_socket(455)
Dec 12 08:43:15 pevpdc smbd[25891]: write_socket: Error writing 4 bytes to socket 22: ERRNO = Connessione abbattuta dal corrispondente
Dec 12 08:43:15 pevpdc smbd[25891]: [2006/12/12 08:43:15, 0] lib/util_sock.c:send_smb(647)
Dec 12 08:43:15 pevpdc smbd[25891]: Error writing 4 bytes to client. -1. (Connessione abbattuta dal corrispondente)
Dec 12 08:43:15 pevpdc passwd(pam_unix)[25904]: password changed for user_name
Dec 12 08:43:18 pevpdc passwd(pam_unix)[25915]: password changed for user_name
Any hints to debug?
Thanks in advance,
Gianluca
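An added example, not part of the original post and not Samba code: a small sh harness that drives a "passwd program" the way smbd's passwd chat does, outside Samba, so the chat can be debugged in isolation. It feeds the %n replies on stdin, checks each prompt in order against the globs from the poster's passwd chat directive (shell case globs are used as an approximation of Samba's own matcher, which is an assumption), and times the whole exchange against the smb.conf passwd chat timeout, whose default is 2 seconds. The program it runs here is a constructed stand-in (fake_passwd.sh) that only mimics the prompts of align_pwd.sh and changes nothing; point run_chat at the real script to test it. The password never appears on a command line.

```shell
#!/bin/sh
# Added example: drive a "passwd program" the way smbd's passwd chat does,
# outside Samba, to debug chat mismatches and scripts that run too slowly.

# smb.conf "passwd chat timeout" defaults to 2 seconds; override via the environment.
CHAT_TIMEOUT=${CHAT_TIMEOUT:-2}

# The three expect elements of the poster's passwd chat, one glob per line.
CHAT_PATTERNS='*New*password*
*Retype*new*password*
*passwd:*all*authentication*tokens*updated*successfully*'

nl='
'

# chat_match GLOB LINE: 0 if LINE matches the shell-style glob (approximating passwd chat).
chat_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_transcript TRANSCRIPT PATTERNS: every pattern must match an output line,
# in order; output lines between the expected prompts are skipped.
check_transcript() {
    rest=$1
    oldifs=$IFS
    IFS=$nl
    set -f                      # keep the globs from being expanded as file names
    for pat in $2; do
        found=1
        while [ -n "$rest" ]; do
            line=${rest%%"$nl"*}
            case "$rest" in
                *"$nl"*) rest=${rest#*"$nl"} ;;
                *)       rest= ;;
            esac
            if chat_match "$pat" "$line"; then
                found=0
                break
            fi
        done
        if [ "$found" -ne 0 ]; then
            IFS=$oldifs; set +f
            echo "chat mismatch: no output matched '$pat'" >&2
            return 1
        fi
    done
    IFS=$oldifs; set +f
    return 0
}

# run_chat PROGRAM RESPONSES PATTERNS: feed RESPONSES (newline separated) on
# stdin, as smbd does with the %n replies, then report exit status, prompt
# matching and elapsed wall-clock time against CHAT_TIMEOUT.
run_chat() {
    prog=$1; responses=$2; patterns=$3
    start=$(date +%s)
    status=0
    out=$(printf '%s\n' "$responses" | "$prog" 2>&1) || status=$?
    elapsed=$(( $(date +%s) - start ))
    echo "$prog: exit=$status elapsed=${elapsed}s timeout=${CHAT_TIMEOUT}s"
    [ "$status" -eq 0 ] || { echo "program failed; output was:$nl$out" >&2; return 1; }
    check_transcript "$out" "$patterns" || return 1
    if [ "$elapsed" -gt "$CHAT_TIMEOUT" ]; then
        echo "too slow: smbd would give up after ${CHAT_TIMEOUT}s" >&2
        return 1
    fi
    return 0
}

# make_stub SLEEP_SECONDS: write a constructed stand-in for the passwd program
# (same prompts as align_pwd.sh, no real password change) and print its path;
# SLEEP_SECONDS simulates slow work such as the remote ssh calls.
make_stub() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fake_passwd.sh" <<EOF
#!/bin/sh
echo "New password"
read -r p1
echo "Retype new password"
read -r p2
[ "\$p1" = "\$p2" ] || { echo "Sorry, passwords do not match"; exit 1; }
sleep $1
echo "passwd: all authentication tokens updated successfully"
EOF
    chmod 700 "$dir/fake_passwd.sh"
    echo "$dir/fake_passwd.sh"
}

# Stand-alone demo against the fast stub; substitute the real passwd program
# (for example /usr/local/bin/align_pwd.sh with a test account) to check it.
stub=$(make_stub 0)
run_chat "$stub" "secret${nl}secret" "$CHAT_PATTERNS" && echo "chat OK"
```

Running the real script through run_chat with CHAT_TIMEOUT left at the default shows whether the prompts line up with the chat globs and whether the two ssh hops finish inside the window smbd allows; a mismatch or a timeout are both reported on stderr with a non-zero return.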
On Tuesday 12 December 2006 06:13, Gianluca Cecchi wrote:
> Any hints to debug?

May have nothing to do with your issue but I had a scenario where when I attempted to su from a secure shell it only took the password the second time. It was related to the pam/winbind setup as my username was both a local unix user and a domain (NT4 PDC) user (and with different passwords, but that may not have mattered). Seems my domain credentials were tried first (not in the wheel group) and on the second attempt my local creds were used (in the wheel group).
Chris