Hi,

I recently migrated to a Samba3x domain. One issue that has been
reported to me is that XP users cannot change their password from
their PC. I have done some searching and I haven't seen a
straightforward answer to this.

My config is

ldap primary + Samba PDC on host A
ldap slave + samba BDC on host B

I see this error in the machine log when someone attempts to change
their password:

2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!

I have seen this article:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
but I am not sure if it's appropriate for my environment. I suspect
the answer to this may be very dependent on my config.
Can anyone offer any advice?
Thanks in advance.
Dermot.

=========== smb.conf on PDC ==========

dos charset = UTF-8
display charset = UTF-8
workgroup = FOO
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139 445
name resolve order = wins hosts bcast
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel '%u'
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path
logon drive = U:
logon home
domain logons = Yes
os level = 65
preferred master = Auto
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers, ou=Users
ldap passwd sync = yes
ldap suffix = dc=mydomain,dc=co,dc=uk
ldap ssl = no
ldap timeout = 20
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:"ldap://127.0.0.1/"
idmap uid = 15000-20000
idmap gid = 15000-20000
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes

On 16.08.2011 12:48, Dermot wrote:
> Hi,
>
> I recently migrated to a Samba3x domain. One issue that has been
> reported to me is that XP users cannot change their password from
> their PC. I have done some searching and I haven't seen a
> straightforward answer to this.
>
> My config is
>
> ldap primary + Samba PDC on host A
> ldap slave + samba BDC on host B
>
> I see this error in the machine log when someone attempts to change
> their password:
>
> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>
>
> I have seen this article:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
> but I am not sure if it's appropriate for my environment. I suspect
> the answer to this may be very dependent on my config.
> Can anyone offer any advice?
> Thanks in advance.
> Dermot.
>
>
> =========== smb.conf on PDC ==========
>
> dos charset = UTF-8
> display charset = UTF-8
> workgroup = FOO
> server string = %h server
> map to guest = Bad User
> passdb backend = ldapsam:ldap://127.0.0.1/
> pam password change = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> unix password sync = Yes
> log level = 1
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> smb ports = 139 445
> name resolve order = wins hosts bcast
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel '%u'
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> logon script = logon.bat
> logon path
> logon drive = U:
> logon home
> domain logons = Yes
> os level = 65
> preferred master = Auto
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
> ldap delete dn = Yes
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=idmap
> ldap machine suffix = ou=Computers, ou=Users
> ldap passwd sync = yes
> ldap suffix = dc=mydomain,dc=co,dc=uk
> ldap ssl = no
> ldap timeout = 20
> ldap user suffix = ou=Users
> panic action = /usr/share/samba/panic-action %d
> idmap backend = ldap:"ldap://127.0.0.1/"
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> map acl inherit = Yes
> case sensitive = No
> hide unreadable = Yes

Hi,

afaik, you have to authenticate users to change NTpasswd and stuff like that.
I have seen this example for slapd.conf

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=meinnetz,dc=xx" write
        by anonymous auth
        by self write
        by * none

but I don't know how to add it to dynamically configured ldap.

cheers
juergen

Hai,

on your master, in smb.conf

change these settings. ( I'm also running debian with
pdc/bdc ldap master and multiple slaves through syncrepl )

passwd program = /usr/sbin/smbldap-passwd "%u"
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
remove : unix password sync = Yes

and try again.

Louis

>-----Original message-----
>From: paikkos at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Dermot
>Sent: 2011-08-16 12:48
>To: samba at lists.samba.org
>Subject: [Samba] window, samba and ldap passwords
>
>Hi,
>
>I recently migrated to a Samba3x domain. One issue that has been
>reported to me is that XP users cannot change their password from
>their PC. I have done some searching and I haven't seen a
>straightforward answer to this.
>
>My config is
>
>ldap primary + Samba PDC on host A
>ldap slave + samba BDC on host B
>
>I see this error in the machine log when someone attempts to change
>their password:
>
>2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>[2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>[2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>[2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>[2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>
>
>I have seen this article:
>http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
>but I am not sure if it's appropriate for my environment. I suspect
>the answer to this may be very dependent on my config.
>Can anyone offer any advice?
>Thanks in advance.
>Dermot.
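
Added example, not part of any message in this thread: a small Python check that reads the password-related [global] parameters from an smb.conf and reports which mechanisms smbd will drive on a client password change, following the smb.conf(5) descriptions of unix password sync, pam password change and ldap passwd sync. The sample text is constructed from the PDC config posted above; the function names, and treating lines before any section header as global, are assumptions of this example.

```python
import re

# Constructed sample: password-related lines from the PDC smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
unix password sync = Yes
ldap passwd sync = yes
"""

TRUE = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, "global"  # assumption: lines before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing so lookups are uniform.
            params["".join(key.lower().split())] = value.strip()
    return params


def password_change_paths(text):
    """List what smbd drives when a client changes a password."""
    p = parse_global(text)

    def enabled(name, extra=()):
        return p.get(name, "no").lower() in TRUE.union(extra)

    paths = []
    if enabled("ldappasswdsync", extra={"only"}):
        paths.append("ldap: smbd updates the LDAP password itself")
    if enabled("unixpasswordsync"):
        if enabled("pampasswordchange"):
            paths.append("pam: PAM is used, passwd program is ignored")
        else:
            paths.append("program: " + p.get("passwdprogram", "(built-in default)"))
    return paths
```

With the posted settings this reports both the LDAP and the PAM path, which is consistent with the pampass.c entries in the log; without unix password sync only the LDAP path remains.
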

On 16-08-2011 08:40, L.P.H. van Belle wrote:
> Hai,
>
> on your master, in smb.conf
>
> change these settings. ( im also running debian with
> pdc/bdc ldap master and multiple slaves through syncrepl )
>
> passwd program = /usr/sbin/smbldap-passwd "%u"
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> remove : unix password sync = Yes
>
> and try again.

I would like to avoid using smbldap-tools, did you manage to get it
working without it?

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe.wiel at complexopequenoprincipe.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747