Hi Guys,

We are getting the following error when the users are trying to change the password from their Windows machine: "Configuration information could not be read from the domain controller, either machine is unavailable or access is denied"

Our Samba PDC has LDAP backend. We have the following

/etc/ldap/ldap.conf
BASE dc=testdomain
URI ldap://192.168.1.1
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow

access to attribute=userPassword
by:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword

smb.conf for the smbldap-tools bit is here

add user script = /usr/sbin/smbldap-useradd -m '%u'
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password* "%n\n"

Have the following in /etc/ldap/slapd.d/cn=config/olcDatabase{1}.hdb

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=testdomain

Couldn't see anything in the /samba/logs so I guess it is an issue with LDAP?

This is a fairly new setup and don't think it has worked before.

Thank you.

Hello! Robin G via samba
  On that day it was said...

> We are getting the following error when the users are trying to change the
> password from their windows machine: "Configuration information could not
> be read from the domain controller, either machine is unavailable or access
> is denied"

Me too.

Also, it is a bit of a ''misleading'' error, because actually the password change happens; users can simply ignore that error, press 'Esc' to return to the logon page, and log on (with the new password).

It all started when Microsoft emitted the update that temporarily broke something in 'NT-like' domains (password changes did not work for some months), AFAI remember well in fall 2016.

Then they fixed that, but this error still sometimes pops up.

If someone can fix it...

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Tue, 24 Apr 2018 23:45:22 +1000
Robin G via samba <samba at lists.samba.org> wrote:

> Hi Guys,
>
> We are getting the following error when the users are trying to
> change the password from their windows machine: "Configuration
> information could not be read from the domain controller, either
> machine is unavailable or access is denied"
>
> Our Samba PDC has LDAP backend. We have the following
>
> Have the following in /etc/ldap/slapd.d/cn=config/olcDatabase{1}.hdb
>
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth
> by * none

The line should be:

olcAccess: {0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=example,dc=com" write by self write by * none

> This is a fairly new setup and don't think it has worked before.

I suppose the real question is, if this is a fairly new setup, why was a PDC chosen instead of an AD DC?

Rowland

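An added example, not part of any message in this thread: a small Python evaluator for slapd's first-match ACL order, run over the olcAccess values quoted above, to show which password attributes other bound users can read. It handles only the `to attrs=` and `to *` forms that appear in the thread, and it assumes the suggested line is placed ahead of the existing rules.

```python
import re

# slapd access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The attributes the original post wanted to protect.
SECRETS = ["userPassword", "sambaNTPassword", "sambaLMPassword"]

# olcAccess values as posted in the thread.
ORIGINAL = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]
SUGGESTED = ('{0}to attrs=sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange '
             'by dn="cn=admin,dc=example,dc=com" write by self write by * none')

def parse_rule(value):
    """Return (attrs, clauses); attrs is None for 'to *'."""
    what, *clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", value.strip()))
    m = re.fullmatch(r"to\s+attrs=(\S+)", what)
    if not m and what.split() != ["to", "*"]:
        raise ValueError("unsupported <what>: " + what)
    attrs = {a.lower() for a in m.group(1).split(",")} if m else None
    return attrs, [tuple(c.rsplit(None, 1)) for c in clauses]

def others_access(rules, attr):
    """Level granted to a bound user who is neither 'self' nor a named DN.
    List order stands in for the {n} index (assumption of this example)."""
    for attrs, clauses in map(parse_rule, rules):
        if attrs is None or attr.lower() in attrs:
            # First matching rule decides; no 'by *' clause means 'none'.
            return next((lvl for who, lvl in clauses if who in ("*", "users")), "none")
    return "none"  # slapd's implicit final rule denies everything

def exposed(rules):
    """Secret attributes that other users can read under these rules."""
    floor = LEVELS.index("read")
    return [a for a in SECRETS if LEVELS.index(others_access(rules, a)) >= floor]

if __name__ == "__main__":
    print("as posted:      ", exposed(ORIGINAL))
    print("suggested first:", exposed([SUGGESTED] + ORIGINAL))
```

Any attribute not named in a `to attrs=` rule falls through to `{2}to * by * read`, so every hash attribute has to be listed in a rule that sorts before it.
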
Hi,

I suggest trying to avoid smbldap-tools; the last update, as far as I know, was done in 2012.
So it's unmaintained; my advice is ... don't use it.

Spend your time setting up the AD, which also provides the LDAP you need.
That's really the best advice...

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robin G via samba
> Sent: Tuesday 24 April 2018 15:45
> To: samba at lists.samba.org
> Subject: [Samba] Password change
>
> Hi Guys,
>
> We are getting the following error when the users are trying
> to change the
> password from their windows machine: "Configuration
> information could not
> be read from the domain controller, either machine is
> unavailable or access
> is denied"
>
> Our Samba PDC has LDAP backend. We have the following
>
> /etc/ldap/ldap.conf
> BASE dc=testdomain
> URI ldap://192.168.1.1
> TLS_CACERT /etc/ldap/ca_certs.pem
> TLS_REQCERT allow
>
> access to attribute=userPassword
> by:
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>
> smb.conf for the smbldap-tools bit is here
>
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> passwd program = /usr/sbin/smbldap-passwd -u "%u"
> passwd chat = "Changing *\nNew password*" %n\n "*Retype new
> password* "%n\n"
>
> Have the following in /etc/ldap/slapd.d/cn=config/olcDatabase{1}.hdb
>
> olcAccess: {0}to attrs=userPassword by self write by
> anonymous auth by *
> none
> olcAccess: {1}to attrs=shadowLastChange by self write by * read
> olcAccess: {2}to * by * read
> olcLastMod: TRUE
> olcRootDN: cn=admin,dc=testdomain
>
> Couldn't see anything in the /samba/logs so I guess it is an
> issue with
> LDAP?
>
> This is a fairly new setup and don't think it has worked before.
>
> Thank you.

Hi Marco,

In comment on.

> All started while Microsoft emit the update that temporarly broke
> something in 'NT-like' domains (password changes for some month does
> not work), AFAI remember well in fall 2016.
>
> Then, fixed that, but still this error sometime pop up.
>
>
> If someone can fix it...
>

I'll bet this will not get fixed, or will get low prio; there is no reason to use NT-Domains anymore imo.
AD is/has LDAP.

MS is dropping 32-bit OSes slowly, same as others.
NT-Dom support will be dropped from win10, and remember... You cannot stop the Windows 10 upgrades.
So if this happens and you're not paying attention to this, you end up in a big mess.

Just my opinion.

Greetz,

Louis