Hello,

remove the line 'passwd program = /usr/sbin/smbldap-passwd %u' for testing.
On my Suse 10.1 I do not need this and my users can change their passwords.

greetings
daniel

-------- Original Message --------
Date: Fri, 2 Mar 2007 11:55:06 -0600 (CST)
From: "Andy Colvin" <acolvin@enkitec.com>
To: samba@lists.samba.org
CC:
Subject: [Samba] Changing LDAP password from Windows XP

I've got a very simple setup with Samba 3.0.24 running on Fedora Core 6, talking to Fedora Directory Server 1.0.4. I've got everything set up so that I can add computers to the domain, add users using the smbldap-tools, and have users logging in. When a user tries to change their password from within Windows (ctrl-alt-del) they get the error

"the user name or old password is incorrect. letters in passwords must be typed using the correct case."

The strange thing is that the samba passwords (sambalmpassword, sambantpassword) are changed in the LDAP server, but the general account password (userpassword) is not changed. I looked everywhere I could, and couldn't find anything to cause this. I can set passwords just fine using smbldap-passwd and it will set all passwords.

Here is a copy of my smb.conf:

[global]
workgroup = MAIL
netbios name = YOURMOM
security = user
passdb backend = ldapsam:ldap://mail.yourmom.net
ldap admin dn = cn=Directory Manager
ldap suffix = dc=yourmom,dc=net
ldap user suffix = ou=People
ldap idmap suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap passwd sync = yes
ldap delete dn = no
obey pam restrictions = no
encrypt passwords = yes
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/sbin/smbldap-useradd -w "%u"
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 255
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
template shell = /bin/false
winbind use default domain = no
logon path
logon home

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes
browseable = no

[homes]
comment = Home Directories
browseable = no
read only = no
guest ok = no
create mode = 0664
directory mode = 0775

Thanks,

Andy Colvin

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Daniel Müller wrote:

Hi,

your smb.conf file seems to be OK, however to be able to sync samba passwords with userPassword try to add

unix password sync = yes

to your smb.conf

Regards,
Marcin

> Hello,
>
> remove the line 'passwd program = /usr/sbin/smbldap-passwd %u'
> for testing.
> On my Suse 10.1 I do not need this and my users can change their passwords.
>
> greetings
> daniel
Nope, no luck with that try...same error. Still changes the samba passwords but not the POSIX one.

-----Original Message-----
From: samba-bounces+acolvin=enkitec.com@lists.samba.org [mailto:samba-bounces+acolvin=enkitec.com@lists.samba.org] On Behalf Of "Daniel Müller"
Sent: Saturday, March 03, 2007 10:34 AM
To: samba@lists.samba.org
Subject: Fwd: [Samba] Changing LDAP password from Windows XP
Daniel Müller wrote:
> Here is a copy of my smb.conf:

You can accomplish this in two ways: using a password change script à la 'smbldap-passwd' or using the Samba goodies. I assume you have the appropriate group mappings between your linux server and your windows workstations:

root@kasparov ~ # net groupmap list
Domain Admins (S-1-5-21-2958930118-1012938775-211482674-512) -> Domain Admins
Domain Users (S-1-5-21-2958930118-1012938775-211482674-513) -> Domain Users
Domain Guests (S-1-5-21-2958930118-1012938775-211482674-514) -> Domain Guests
Domain Computers (S-1-5-21-2958930118-1012938775-211482674-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
root@kasparov ~ #

My relevant Samba lines are these:

> - [ /etc/samba/smb.conf ] - - - - - - - - - - - - - - - - - - - - - -
[ ... ]
enable privileges = yes
obey pam restrictions = yes
pam password change = no
ldap passwd sync = yes
ldap delete dn = yes
ldap suffix = dc=example,dc=org
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
# Uncomment if you use TLS
#ldap ssl = start_tls
passdb backend = ldapsam:ldap://ldap.example.org/
idmap backend = ldap:ldap://ldap.example.org/
# Scripts
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you use LDAP as your backend make sure your ACLs work well. I followed the IDEALX HOWTO and found that if I didn't add 'access to * by * read' as the last line of the ACLs, the LDAP password synchronization didn't work well.

These are my ACLs:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * read

access to attrs=entry
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by users read
        by * none

# Users can change some attributes of their profile
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by users read
        by * none

# some attributes need to be writable for samba
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self read
        by * none

# samba manages:
# -> Domain accounts
# -> New users
# -> New groups
# -> Machines in the domain
access to dn.base="dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Users,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Groups,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Computers,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to *
        by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And don't forget to adjust your PAM settings (install libpam-ldap or a similar package) to allow users to change their password with the passwd command:

> - [ /etc/samba/smb.conf ] - - - - - - - - - - - - - - - - - - - - - -
#
# /etc/pam.d/common-password - password-related modules common to all services
#
password required pam_cracklib.so retry=3 minlen=4 difok=3
password sufficient pam_unix.so nullok use_authtok shadow md5
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> [global]
> workgroup = MAIL
> netbios name = YOURMOM
> security = user
> passdb backend = ldapsam:ldap://mail.yourmom.net
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=yourmom,dc=net
> ldap user suffix = ou=People
> ldap idmap suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap passwd sync = yes

Make sure this is set to 'yes'.

> ldap delete dn = no
> obey pam restrictions = no

Set this to 'yes' and add

pam password change = no

> encrypt passwords = yes
> passwd program = /usr/sbin/smbldap-passwd %u

Comment this line, it's not needed.

> add machine script = /usr/sbin/smbldap-useradd -w "%u"

Make sure all the script lines are there.

Good luck!
Daniel Müller wrote:

Oops! Fat fingers come again! The ACLs were bad (exactly the 2nd and 3rd ACL). These are the correct ACLs (I don't use the 'smbldap-tools' user):

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * read

# Users can change some attributes of their profile
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by users read
        by * none

# some attributes need to be writable for samba
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self read
        by * none

# samba manages:
# -> Domain accounts
# -> New users
# -> New groups
# -> Machines in the domain
access to dn.base="dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Users,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Groups,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to dn="ou=Computers,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to *
        by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
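What made the 2nd and 3rd ACL of the first posting bad is slapd's first-match rule: the first 'access to' whose target matches an entry and attribute is final, and slapd needs read on the 'entry' pseudo-attribute to return an entry at all, so a separate 'attrs=entry ... by * none' clause hides every user from an anonymous nss_ldap lookup. The following is an added example, not code from the list posts or the IDEALX tools: a small evaluator for the slapd.conf ACL subset used in this thread, run over constructed, abridged versions of both ACL sets (the entry DN uid=alice,ou=Users,dc=example,dc=org is assumed, and dn= / dn.base= are both treated as an exact DN match).

```python
import re

def parse_acls(text):
    """slapd.conf ACL text -> [(target, [(subject, level), ...])] in file order."""
    body = " ".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    acls = []
    for chunk in re.split(r"\baccess\s+to\s+", body)[1:]:
        what, *bys = re.split(r"\s+by\s+", chunk.strip())
        target = {"attrs": None, "dn": None}            # None = unrestricted
        for key, val in re.findall(r'(attrs|dn(?:\.base)?)="?([^"\s]+)"?', what):
            target["attrs" if key == "attrs" else "dn"] = val   # dn= and dn.base= taken as exact DN (assumption)
        if target["attrs"]:
            target["attrs"] = set(target["attrs"].split(","))
        rules = [(s.removeprefix("dn=").strip('"'), lvl) for s, lvl in (b.split()[:2] for b in bys)]
        acls.append((target, rules))
    return acls

def access(acls, entry_dn, attr, who):
    """Level slapd grants 'who' (a bind DN, or 'anonymous') on attr of entry_dn."""
    for target, rules in acls:
        if (target["dn"] or entry_dn) != entry_dn or (target["attrs"] and attr not in target["attrs"]):
            continue                                      # target does not apply, try the next clause
        for subject, level in rules:
            if subject in ("*", who) or (subject == "self" and who == entry_dn) \
                    or (subject == "users" and who != "anonymous"):
                return level
        return "none"   # the first matching target is final: no 'by' matched means denied
    return "none"

SAMBA = "cn=samba,ou=DSA,dc=example,dc=org"
# Constructed, abridged versions of the two ACL sets posted above (long attribute lists cut).
ORIGINAL = f'''
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="{SAMBA}" write  by self write  by anonymous auth  by * none
access to attrs=objectClass,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="{SAMBA}" write  by * read
access to attrs=entry
    by dn="{SAMBA}" write  by users read  by * none
access to * by * read
'''
CORRECTED = f'''
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="{SAMBA}" write  by self write  by anonymous auth  by * none
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="{SAMBA}" write  by * read
access to * by * read
'''
def anonymous_can_read_entry(acl_text, entry_dn="uid=alice,ou=Users,dc=example,dc=org"):
    """An anonymous nss_ldap lookup ('id alice') needs read on the 'entry' pseudo-attribute."""
    return access(parse_acls(acl_text), entry_dn, "entry", "anonymous") == "read"
```

Running the same questions against a real slapd is what 'slapacl -b <entry dn> -D <bind dn> <attr>' does; this evaluator only lets you reason about the file offline.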