Hello,
I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
CentOS included versi?n).
I have configured Samba as a PDC following "Samba-3 by example"
chapter 3,
"Secure Office Networking". No DNS or DHCP active, as far as for now
this is
just a test environment.
Most of it works fine, but trying to change user passwords for a MS-Windows
test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
always get an Access Denied (Aceso denegado) error message. Connection from
MS-Windows computer is done as "Administrator" (root).
I have googled for hours, and the problem does not seem to be new, but no
advice has helped appart from NOT syncing Samba and Linux passwords, which I
do not want to do.
My smb.conf is as follows:
[global]
workgroup = MICASA
netbios name = TESTSERVER
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = tdbsam
unix password sync = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = "New UNIX password:*" %n\n "Retype new UNIX
password:*" %n\n "passwd: all authentication to
username map = /etc/samba/smbusers
;syslog = 0
log file = /var/log/samba/%m
max log size = 150
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g'
'%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /tmp
'%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
.............
(I do not think rest of smb.conf may be of efect in the problem)
/etc/pam.d/samba is as follows (just like CentOS install leaves it):
#%PAM-1.0
auth required pam_nologin.so
auth include system-auth
account include system-auth
session include system-auth
password include system-auth
/etc/pam.d/system-auth is as follows (also like CentOS install leaves it):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
When trying to change password, messages are ....
>From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test
computer):
[2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033)
pc-prueba (192.168.1.100) connect to service root initially as user root
(uid=0, gid=0) (pid 17133)
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691)
PAM: UNKNOWN PAM ERROR (19) for User: arturo
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847)
smb_pam_passchange: PAM: Password Change Failed for user arturo!
No error messages in smbd.log or nmbd.log.
I have tried with "password chat debug = Yes" and found no clue of
what the
problem could be. Commenting out "pam password change = Yes" or
changing it
to "No" have not helped. Only switching to "No" the
"Unix password sync".
I can't believe it does not work, I think something must be wrong somewhere,
or in what I am doing. I have spent several hours trying and it is quite
frustrating. Any help will be greatly appreciated.
Thanks in advance.
Regards.
Arturo.
John H Terpstra - Samba Team
2009-Mar-25 23:52 UTC
[Samba] Win XP Client password change nightmare.
Arturo Limon wrote:> Hello, > > I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the > CentOS included versi?n). > > I have configured Samba as a PDC following "Samba-3 by example" chapter 3, > "Secure Office Networking". No DNS or DHCP active, as far as for now this is > just a test environment. > > Most of it works fine, but trying to change user passwords for a MS-Windows > test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I > always get an Access Denied (Aceso denegado) error message. Connection from > MS-Windows computer is done as "Administrator" (root). > > I have googled for hours, and the problem does not seem to be new, but no > advice has helped appart from NOT syncing Samba and Linux passwords, which I > do not want to do. > > My smb.conf is as follows: > > [global] > workgroup = MICASA > netbios name = TESTSERVER > interfaces = eth0, lo > bind interfaces only = Yes > passdb backend = tdbsam > > unix password sync = Yes > pam password change = Yes > passwd program = /usr/bin/passwd %u > passwd chat = "New UNIX password:*" %n\n "Retype new UNIX > password:*" %n\n "passwd: all authentication to > > username map = /etc/samba/smbusers > ;syslog = 0 > log file = /var/log/samba/%m > max log size = 150 > smb ports = 139 > name resolve order = wins bcast hosts > time server = Yes > printcap name = CUPS > show add printer wizard = No > > add user script = /usr/sbin/useradd -m '%u' > delete user script = /usr/sbin/userdel -r '%u' > add group script = /usr/sbin/groupadd '%g' > delete group script = /usr/sbin/groupdel '%g' > add user to group script = /usr/sbin/usermod -G '%g' '%u' > add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u' > shutdown script = /var/lib/samba/scripts/shutdown.sh > abort shutdown script = /sbin/shutdown -c > > logon script = scripts\logon.bat > logon path = \\%L\profiles\%U > logon drive = X: > logon home = \\%L\%U > domain logons = Yes > ............. > (I do not think rest of smb.conf may be of efect in the problem) > > /etc/pam.d/samba is as follows (just like CentOS install leaves it): > > #%PAM-1.0 > auth required pam_nologin.so > auth include system-auth > account include system-auth > session include system-auth > password include system-auth > > /etc/pam.d/system-auth is as follows (also like CentOS install leaves it): > > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_succeed_if.so uid < 500 quiet > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in crond > quiet use_uid > session required pam_unix.so > > When trying to change password, messages are .... > >>From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test > computer): > > [2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033) > pc-prueba (192.168.1.100) connect to service root initially as user root > (uid=0, gid=0) (pid 17133) > [2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691) > PAM: UNKNOWN PAM ERROR (19) for User: arturo > [2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847) > smb_pam_passchange: PAM: Password Change Failed for user arturo! > > No error messages in smbd.log or nmbd.log. > > I have tried with "password chat debug = Yes" and found no clue of what the > problem could be. Commenting out "pam password change = Yes" or changing it > to "No" have not helped. Only switching to "No" the "Unix password sync". > > I can't believe it does not work, I think something must be wrong somewhere, > or in what I am doing. I have spent several hours trying and it is quite > frustrating. Any help will be greatly appreciated. > > Thanks in advance. > > Regards. > > Arturo.Arturo, I wrote Samba3-ByExample - I assure you that the examples did work - and should work with 3.0.28 as well as all current 3.2.x and 3.3.x releases. Please contact me off-line. I will help you to get this working, then you can update everyone on-line with the solution. Please email me direct. Cheers, John T.
"Arturo Limon" <limonavila@gmail.com> wrote in message news:a8671ab0903251632ob882235ofbd1c4e92bd6e6ec@mail.gmail.com... Hello, I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the CentOS included versiĆ³n). I have configured Samba as a PDC following "Samba-3 by example" chapter 3, "Secure Office Networking". No DNS or DHCP active, as far as for now this is just a test environment. Most of it works fine, but trying to change user passwords for a MS-Windows test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I always get an Access Denied (Aceso denegado) error message. Connection from MS-Windows computer is done as "Administrator" (root). Make sure that the usrmgr.exe and srvtools.exe are located on a Samba share and not on the workstation. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba