Christopher Springer
2010-Aug-18 12:49 UTC
[Samba] Error: You do not have permission to change your password
I'm using Samba v3.5.4-62 on Fedora 13 PDC using LDAP passdb backend and do the following...

1. Login as user on Windows system using domain user name and password - Login successful
2. Press Ctrl-Alt-Del
3. Press Change Password
4. Enter old and new password as prompted
5. Receive response "You do not have permission to change your password."

I receive the following repeated twice in "/var/log/samba/log.smbd"...

[2010/08/17 16:13:53.884482, 0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592, 0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668, 0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a Windows NT4 system. The issue can also be duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path
logon drive
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No
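The three log entries above are one burst belonging to a single RPC request: the NTLMSSP signature check fails first, and the RPC layer then reports the NT_STATUS it returned to the client. As an added example (not from the post or from Samba), here is a small Python parser for smbd's two-line log format that groups each bracketed header with its indented message and pairs every signature-check failure with the status that process_request_pdu logs for the same request, so the pattern can be counted in a real log.smbd rather than eyeballed. The sample log is constructed from the entries in the post; the 50 ms pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the three smbd entries quoted in the post, laid out as
# Samba writes them (a bracketed header line, then an indented message line).
SAMPLE_LOG = """\
[2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
"""

# Header line: [YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]"
                       r"\s+\S+?:\d+\((?P<func>[^)]+)\)\s*$")
STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_smbd_log(text):
    """Group each header line with its indented message line(s) into a dict."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                       "func": m["func"], "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():  # continuation of the message
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def find_signature_failures(entries, window_ms=50):
    """Pair each NTLMSSP signature-check failure with the NT_STATUS error that
    process_request_pdu logs for the same RPC request within window_ms (assumed)."""
    findings = []
    for i, e in enumerate(entries):
        if e["func"] != "ntlmssp_check_packet" or "invalid signature" not in e["msg"]:
            continue
        status = None
        for later in entries[i + 1:]:
            if (later["ts"] - e["ts"]).total_seconds() * 1000 > window_ms:
                break
            m = STATUS_RE.search(later["msg"])
            if m and later["func"] == "process_request_pdu":
                status = m.group(0)
                break
        findings.append({"ts": e["ts"].isoformat(), "status": status})
    return findings
```

A finding whose status is None means the signature failure was not followed by an RPC error in the window, which is worth treating separately when counting occurrences.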
Gaiseric Vandal
2010-Aug-18 13:48 UTC
[Samba] Error: You do not have permission to change your password
I am pretty sure that the password command and script are run as root, not as the user changing the password. What happens if you run the password commands on the samba server?

I don't have smbldap tools on my system (Solaris, so not provided by the Sun distro) so I had to rely on the OS password tools. By default, root is not going to have sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows password?

On 08/18/2010 08:49 AM, Christopher Springer wrote:
> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
> and do the following...
>
> 1. Login as user on Windows system using domain user name and
> password - Login successful
> 2. Press Ctrl-Alt-Del
> 3. Press Change Password
> 4. Enter old and new password as prompted
> 5. Receive response "You do not have permission to change your
> password."
>
> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>
> [2010/08/17 16:13:53.884482, 0]
> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
> NTLMSSP NTLM1 packet check failed due to invalid signature!
> [2010/08/17 16:13:53.884592, 0]
> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
> process_request_pdu: failed to do auth processing.
> [2010/08/17 16:13:53.884668, 0]
> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>
> This was generated from a WindowsNT4 system. The issue can also be
> duplicated from Windows XP clients.
>
> My smb.conf file on this system (PDC):
>
> [global]
> log level = 1
> workgroup = CORPDOM
> netbios name = CORPPDC
> passdb backend = ldapsam:ldap://127.0.0.1
> enable privileges = yes
> #encrypt passwords = yes
> username map = /etc/samba/smbusers
> printcap name = cups
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> logon script = scripts/%U.bat
> logon path
> logon drive
> security = user
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> smb ports = 139
> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
> 10.20.0.255/CORPDOM
> #remote browse sync = 10.20.255.255 10.30.255.255
> #remote announce = 10.30.255.255
> #remote browse sync = 10.30.255.255
> ldap suffix = dc=brcrp,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=brcrp,dc=com
> ldap ssl = no
> #ldap passwd sync = yes
> unix password sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
> #client lanman auth = yes
> #unix password sync = yes
> #passwd program = /usr/sbin/smbldap-passwd -u %u
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> printing = cups
>
> [netlogon]
> comment = Network Logon Service
> path = /pub
> guest ok = Yes
> browseable = No