Jon Theil Nielsen
2008-Feb-13 17:02 UTC
[Samba] FreeBSD: Changing UNIX password - Password Chat?
I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords from Windows clients (Ctrl-Alt-Del). I now have the password chat debug active and I have loglevel 100. I am not certain about the syntax in the password chat. But if I from a console try to change the password of a given user (here testuser1), I see these lines: mflserver3# /usr/bin/passwd testuser1 Changing local password for testuser1 New Password: (entering the password) Retype New Password: (entering it again)>From that i guess the expression in the chat would be:*Changing*local*password*for* %u\n *New*Password* %n\n *Retype*New*Password* %n\n Selected parts of the log shows: [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) expect: expected [*Changing*local*password*for*] received [Changing local password for testuser1 New Password:] match yes [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) expect: returning True [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) expect: sending [testuser1 ] [2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476) read_socket_with_timeout: timeout read. select timed out. [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) expect: expected [*New*Password*] received [ Retype New Password:] match yes [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) expect: returning True [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) expect: sending [VerySecret ] [2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476) read_socket_with_timeout: timeout read. select timed out. [2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279) expect: expected [*Retype*New*Password*] received [ Mismatch; try again, EOF to quit. New Password:] match no [2008/02/13 17:47:10, 2] smbd/chgpasswd.c:expect(285) expect: Unknown error: 0 [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:talktochild(316) Response 3 incorrect [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:chat_with_program(372) chat_with_program: Child failed to change password: testuser1 [2008/02/13 17:47:10, 3] smbd/sec_ctx.c:pop_sec_ctx(415) pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1 [2008/02/13 17:47:10, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576) init_samr_r_chgpasswd_user [2008/02/13 17:47:10, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581) _samr_chgpasswd_user: 1581 [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 samr_io_r_chgpasswd_user [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(769) 0000 status: NT_STATUS_ACCESS_DENIED As told, I'm not confident with the syntax. Have I made it wrong? Or can you see anything else from the log that can pinpoint the problem? I would believe that there must be several admins out there who use the combination of of Samba and FreeBSD without having these problems. Cheers, Jon Theil Nielsen
Edmundo Valle Neto
2008-Feb-13 21:08 UTC
[Samba] FreeBSD: Changing UNIX password - Password Chat?
Jon Theil Nielsen escreveu:> I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords > from Windows clients (Ctrl-Alt-Del). > I now have the password chat debug active and I have loglevel 100. > I am not certain about the syntax in the password chat. But if I from > a console try to change the password of a given user (here testuser1), > I see these lines: > > mflserver3# /usr/bin/passwd testuser1 > Changing local password for testuser1 > New Password: (entering the password) > Retype New Password: (entering it again) > > >From that i guess the expression in the chat would be: > *Changing*local*password*for* %u\n *New*Password* %n\n > *Retype*New*Password* %n\n >No. %u is the username and %n is the newpassword. "What*to*expect" %n\n (send the password and a new line) "What*to*expect*then" %n\n (send the password again and a new line)> Selected parts of the log shows: > > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Changing*local*password*for*] received [Changing > local password for testuser1 > New Password:] match yes >It matched the two first lines stopping at (New Password:) as you have a * at the end. And wait.> [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [testuser1 > ] >You sent an username to the New password: prompt???> [2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*New*Password*] received [ > Retype New Password:] match yes >It matched the second line stopping at (Retype New Password:) And wait.> [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [VerySecret > ] >You sent a "VerySecret" password (that obviously will not match the first)> [2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Retype*New*Password*] received [ > Mismatch; try again, EOF to quit. > New Password:] match no >Mismatch. Try again. (your chat doesn't expected that this will happens and don't have more expressions to match.> [2008/02/13 17:47:10, 2] smbd/chgpasswd.c:expect(285) > expect: Unknown error: 0 >Error.> [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:talktochild(316) > Response 3 incorrect > [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:chat_with_program(372) > chat_with_program: Child failed to change password: testuser1 > [2008/02/13 17:47:10, 3] smbd/sec_ctx.c:pop_sec_ctx(415) > pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1 > [2008/02/13 17:47:10, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576) > init_samr_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581) > _samr_chgpasswd_user: 1581 > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_debug(84) > 000000 samr_io_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(769) > 0000 status: NT_STATUS_ACCESS_DENIED > >And so on.> As told, I'm not confident with the syntax. Have I made it wrong? Or > can you see anything else from the log that can pinpoint the problem? > I would believe that there must be several admins out there who use > the combination of of Samba and FreeBSD without having these problems. > > Cheers, > Jon Theil Nielsen >Regards. Edmundo Valle Neto
Under solaris we had a similar situation (wrong password chat) where the hint from http://lists-archives.org/samba/34236-passwd-change-with-3-0-27a.html 'Adding "pam password change = yes" worked around the problem for me.' solved the problem for us also Bardo Jon Theil Nielsen schrieb:> I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords > from Windows clients (Ctrl-Alt-Del). > I now have the password chat debug active and I have loglevel 100. > I am not certain about the syntax in the password chat. But if I from > a console try to change the password of a given user (here testuser1), > I see these lines: > > mflserver3# /usr/bin/passwd testuser1 > Changing local password for testuser1 > New Password: (entering the password) > Retype New Password: (entering it again) > >>From that i guess the expression in the chat would be: > *Changing*local*password*for* %u\n *New*Password* %n\n > *Retype*New*Password* %n\n > > Selected parts of the log shows: > > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Changing*local*password*for*] received [Changing > local password for testuser1 > New Password:] match yes > [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [testuser1 > ] > [2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*New*Password*] received [ > Retype New Password:] match yes > [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [VerySecret > ] > [2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Retype*New*Password*] received [ > Mismatch; try again, EOF to quit. > New Password:] match no > [2008/02/13 17:47:10, 2] smbd/chgpasswd.c:expect(285) > expect: Unknown error: 0 > [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:talktochild(316) > Response 3 incorrect > [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:chat_with_program(372) > chat_with_program: Child failed to change password: testuser1 > [2008/02/13 17:47:10, 3] smbd/sec_ctx.c:pop_sec_ctx(415) > pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1 > [2008/02/13 17:47:10, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576) > init_samr_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581) > _samr_chgpasswd_user: 1581 > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_debug(84) > 000000 samr_io_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(769) > 0000 status: NT_STATUS_ACCESS_DENIED > > As told, I'm not confident with the syntax. Have I made it wrong? Or > can you see anything else from the log that can pinpoint the problem? > I would believe that there must be several admins out there who use > the combination of of Samba and FreeBSD without having these problems. > > Cheers, > Jon Theil Nielsen
Rob Mason
2008-Feb-22 09:00 UTC
[Samba] Re: FreeBSD: Changing UNIX password - Password Chat?
Hi, I've had this problem on FreeBSD. Basically the behaviour of 'passwd' changed somewhere between releases 5 and 7. I solved this by writing a shell wrapper for the passwd tool. As simple as: #!/bin/sh /usr/bin/passwd -l $1 echo "Password Changed" Call the file "smbpass.sh" and alter smb.conf accordingly: passwd program = /root/smbpass.sh %u passwd chat = *Password* %n\n *Password* %n\n *Changed* unix password sync = Yes Using wrappers makes a great deal of sense... For a mission critical production system you may want to put more error checking into the shell script, but hey, you get the idea ;-) Hope this helps. R Jon Theil Nielsen wrote:> I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords > from Windows clients (Ctrl-Alt-Del). > I now have the password chat debug active and I have loglevel 100. > I am not certain about the syntax in the password chat. But if I from > a console try to change the password of a given user (here testuser1), > I see these lines: > > mflserver3# /usr/bin/passwd testuser1 > Changing local password for testuser1 > New Password: (entering the password) > Retype New Password: (entering it again) > >>From that i guess the expression in the chat would be: > *Changing*local*password*for* %u\n *New*Password* %n\n > *Retype*New*Password* %n\n > > Selected parts of the log shows: > > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Changing*local*password*for*] received [Changing > local password for testuser1 > New Password:] match yes > [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [testuser1 > ] > [2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*New*Password*] received [ > Retype New Password:] match yes > [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > expect: returning True > [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > expect: sending [VerySecret > ] > [2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476) > read_socket_with_timeout: timeout read. select timed out. > [2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279) > expect: expected [*Retype*New*Password*] received [ > Mismatch; try again, EOF to quit. > New Password:] match no > [2008/02/13 17:47:10, 2] smbd/chgpasswd.c:expect(285) > expect: Unknown error: 0 > [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:talktochild(316) > Response 3 incorrect > [2008/02/13 17:47:10, 3] smbd/chgpasswd.c:chat_with_program(372) > chat_with_program: Child failed to change password: testuser1 > [2008/02/13 17:47:10, 3] smbd/sec_ctx.c:pop_sec_ctx(415) > pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1 > [2008/02/13 17:47:10, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576) > init_samr_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581) > _samr_chgpasswd_user: 1581 > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_debug(84) > 000000 samr_io_r_chgpasswd_user > [2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(769) > 0000 status: NT_STATUS_ACCESS_DENIED > > As told, I'm not confident with the syntax. Have I made it wrong? Or > can you see anything else from the log that can pinpoint the problem? > I would believe that there must be several admins out there who use > the combination of of Samba and FreeBSD without having these problems. > > Cheers, > Jon Theil Nielsen
Jon Theil Nielsen
2008-Feb-27 07:21 UTC
[Samba] FreeBSD: Changing UNIX password - Password Chat?
2008/2/14, Fabiano Caixeta Duarte <fcd.listas@gmail.com>:> Jon Theil Nielsen escreveu: > > 2008/2/13, Edmundo Valle Neto <edmundo.valle@terra.com.br>: > >> Jon Theil Nielsen escreveu: > >>> I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords > >>> from Windows clients (Ctrl-Alt-Del). > >>> I now have the password chat debug active and I have loglevel 100. > >>> I am not certain about the syntax in the password chat. But if I from > >>> a console try to change the password of a given user (here testuser1), > >>> I see these lines: > >>> > >>> mflserver3# /usr/bin/passwd testuser1 > >>> Changing local password for testuser1 > >>> New Password: (entering the password) > >>> Retype New Password: (entering it again) > >>> > >>> >From that i guess the expression in the chat would be: > >>> *Changing*local*password*for* %u\n *New*Password* %n\n > >>> *Retype*New*Password* %n\n > >>> > >> No. > >> > >> %u is the username and %n is the newpassword. > >> > >> "What*to*expect" > >> %n\n (send the password and a new line) > >> "What*to*expect*then" > >> %n\n (send the password again and a new line) > >> > >> > >>> Selected parts of the log shows: > >>> > >>> [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > >>> expect: expected [*Changing*local*password*for*] received [Changing > >>> local password for testuser1 > >>> New Password:] match yes > >>> > >> It matched the two first lines stopping at (New Password:) as you have a > >> * at the end. > > > > Okay, I shoulden't have that trailing "*"? > > > >> And wait. > >> > >>> [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > >>> expect: returning True > >>> [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > >>> expect: sending [testuser1 > >>> ] > >>> > >> You sent an username to the New password: prompt??? > > > > It wasn't my intention, but I can see that's what happened. > > You seem to have three macros in your passwd chat: %u %u and %n. > Instead, you need %u %n %n. > > See? > > > > > >>> [2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476) > >>> read_socket_with_timeout: timeout read. select timed out. > >>> [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279) > >>> expect: expected [*New*Password*] received [ > >>> Retype New Password:] match yes > >>> > >> It matched the second line stopping at (Retype New Password:) > >> And wait. > >> > >>> [2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290) > >>> expect: returning True > >>> [2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242) > >>> expect: sending [VerySecret > >>> ] > >>> > >> You sent a "VerySecret" password (that obviously will not match the first) > > > > So, that part seemed to work. But obviously not compared to what happened above. > > > >>> [2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476) > >>> read_socket_with_timeout: timeout read. select timed out. > >>> [2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279) > >>> expect: expected [*Retype*New*Password*] received [ > >>> Mismatch; try again, EOF to quit. > >>> New Password:] match no > > > > And again something is completely wrong, I see. > > > > As I said, I am far from confident with the syntax/mecanism here. So I > > would really appreciate some more explicit help. I have tried to > > modify the chat by removing the trailing "*" or by putting the > > expressions into double quotes - but with no luck. > > Again, what is going on in the console is exactely what I wrote above. > > What would then be tbe correct chat? > > > > Regards, > > Jon Theil Nielsen > > Look for my answer in the middle of the above post ;)I give up. My chat was: *Changing*local*password*for* %u\n *New*Password* %n\n *Retype*New*Password* %n\n As I see it, three macro substitutions %u, %n and %n You said above:> "What*to*expect" > %n\n (send the password and a new line) > "What*to*expect*then" > %n\n (send the password again and a new line)Do I not need to include the output from the system (e.g. "Changing local password....")? I feel really stupid. I have just tried to adjust the example from the man page to the FreeBSD reality. Maybe I should just sleep on it and try again with some other combinations... But thanks, anyway..! Regards, Jon Theil Nielsen
Reasonably Related Threads
- Samba 3 PDC with LDAP - Error when changing userpasswordfrom windows
- Changing password from Windows
- probleb with 'passwd chat' and 'passwd program'
- %o passwd chat parameter - Samba-3.0.0beta3 - bug?
- ldapsync, Samba LDAP bug?: win clients return error when change passwd in samba3 PDC