Is it possible for a user to change his/her password from Windows? I tried it out last night as a test user against my PDC and it only changed for Samba; I was still able to log into the PDC via SSH using the previous password. (I changed it for the test user as root and it took for both SSH and Windows.) I tried to use smbldap-passwd as the test user, but I got a message back saying I had insufficient privileges: =================================================[testuser0 at server0 ~]$ smbldap-passwd Identity validation... enter your UNIX password: Changing UNIX and samba passwords for testuser0 New password: Retype new password: Failed to modify SMB password: Insufficient access at /usr/sbin/smbldap-passwd line 238, <STDIN> line 3. Failed to modify UNIX password: Insufficient access at /usr/sbin/smbldap-passwd line 285, <STDIN> line 3. ================================================= Thanks for everyone's help, - Joe If you type "Google" into Google, you can break the Internet. -- Jen Barber
2011/1/26 Joe Tseng <joe_tseng at hotmail.com>:> > Is it possible for a user to change his/her password from Windows? ?I tried it > out last night as a test user against my PDC and it only changed for Samba; I > was still able to log into the PDC via SSH using the previous password. ?(I > changed it for the test user as root and it took for both SSH and Windows.)Set "ldap password sync = yes" in LDAP environment or set "unix password sync = yes" and "pam password change = yes" in normal environment with PAM enabled.> I tried to use smbldap-passwd as the test user, but I got a message back saying > I had insufficient privileges:Have you set "by self write" to both sambaLMPassword and sambaNTPassword? --- TAKAHASHI Motonobu <monyo at samba.gr.jp>
On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote:> 2011/1/26 Joe Tseng <joe_tseng at hotmail.com>: >> >> Is it possible for a user to change his/her password from Windows? >> I tried it >> out last night as a test user against my PDC and it only changed >> for Samba; I >> was still able to log into the PDC via SSH using the previous >> password. (I >> changed it for the test user as root and it took for both SSH and >> Windows.) > > Set "ldap password sync = yes" in LDAP environment or set "unix > password sync = yes" > and "pam password change = yes" in normal environment with PAM > enabled. > >> I tried to use smbldap-passwd as the test user, but I got a message >> back saying >> I had insufficient privileges: > > Have you set "by self write" to both sambaLMPassword and > sambaNTPassword?AFAICT this is not needed. The user never accesses theses hashes for himself. The samba "ldap admin dn" and the smbldap-tools "masterDN" need write access to them. I believe the smbldap-tools "masterDN" (and probably the samba "ldap admin dn") also needs write access to : - sambaPwdLastSet - sambaPwdCanChange - sambaPwdMustChange - sambaAcctFlags Regards, Thierry
2011/1/28 Thierry Lacoste <lacoste at u-pec.fr>:> > On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote: >>> I tried to use smbldap-passwd as the test user, but I got a message back >>> saying I had insufficient privileges: >> >> Have you set "by self write" to both sambaLMPassword and sambaNTPassword? > > AFAICT this is not needed. The user never accesses theses hashes for > himself. > The samba "ldap admin dn" and the smbldap-tools "masterDN" need write access > to them.Have you examined? As far as I examined smbldap-tools 0.9.5, to set "by self write" to both sambaLMPassword and sambaNTPassword is needed for a user to change his own password with smbldap-passwd. --- TAKAHASHI Motonobu <monyo at samba.gr.jp>