[Samba] SOLVED: Win XP Client password change nightmare.

Arturo Limon limonavila at gmail.com
Mon Mar 30 16:51:36 GMT 2009


First of all, thanks a lot to John H Terpstra for his kind and useful help.
The problem was something quite simple, the password chat. It really needs
asterisks even at the beginning of each line.

For CentOS (Red-Hat), this works (notice the red asterisks):

password chat = "*New*password*" %n\n "*Retype*password*" %n\n "*updated*successfully*"

This does not:

password chat = "New*password*" %n\n "*Retype*password*" %n\n "*updated*successfully*"

Neither does this:

password chat = "*New*password*" %n\n "Retype*password*" %n\n "*updated*successfully*"

Regards,

Arturo Limon



2009/3/26 Arturo Limon <limonavila at gmail.com>

> Hello,
>
> I have set up a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
> CentOS included version).
>
> I have configured Samba as a PDC following "Samba-3 by example" chapter 3,
> "Secure Office Networking". No DNS or DHCP active, as for now this is
> just a test environment.
>
> Most of it works fine, but trying to change user passwords for a MS-Windows
> test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
> always get an Access Denied (Acceso denegado) error message. Connection from
> MS-Windows computer is done as "Administrator" (root).
>
> I have googled for hours, and the problem does not seem to be new, but no
> advice has helped apart from NOT syncing Samba and Linux passwords, which I
> do not want to do.
>
> My smb.conf is as follows:
>
> [global]
>         workgroup = MICASA
>         netbios name = TESTSERVER
>         interfaces = eth0, lo
>         bind interfaces only = Yes
>         passdb backend = tdbsam
>
>         unix password sync = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = "New UNIX password:*" %n\n "Retype new UNIX password:*" %n\n "passwd: all authentication to
>
>         username map = /etc/samba/smbusers
>         ;syslog = 0
>         log file = /var/log/samba/%m
>         max log size = 150
>         smb ports = 139
>         name resolve order = wins bcast hosts
>         time server = Yes
>         printcap name = CUPS
>         show add printer wizard = No
>
>         add user script = /usr/sbin/useradd -m '%u'
>         delete user script = /usr/sbin/userdel -r '%u'
>         add group script = /usr/sbin/groupadd '%g'
>         delete group script = /usr/sbin/groupdel '%g'
>         add user to group script = /usr/sbin/usermod -G '%g' '%u'
>         add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
>         shutdown script = /var/lib/samba/scripts/shutdown.sh
>         abort shutdown script = /sbin/shutdown -c
>
>         logon script = scripts\logon.bat
>         logon path = \\%L\profiles\%U
>         logon drive = X:
>         logon home = \\%L\%U
>         domain logons = Yes
>         .............
>         (I do not think the rest of smb.conf has any effect on the problem)
>
> /etc/pam.d/samba is as follows (just like CentOS install leaves it):
>
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> password   include      system-auth
>
> /etc/pam.d/system-auth is as follows (also like CentOS install leaves it):
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
>
> When trying to change password, messages are ....
>
> From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test
> computer):
>
> [2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033)
>   pc-prueba (192.168.1.100) connect to service root initially as user root (uid=0, gid=0) (pid 17133)
> [2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691)
>   PAM: UNKNOWN PAM ERROR (19) for User: arturo
> [2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847)
>   smb_pam_passchange: PAM: Password Change Failed for user arturo!
>
> No error messages in smbd.log or nmbd.log.
>
> I have tried with "password chat debug = Yes" and found no clue of what the
> problem could be. Commenting out "pam password change = Yes" or changing it
> to "No" has not helped. Only switching the "Unix password sync" to "No" has.
>
> I can't believe it does not work, I think something must be wrong
> somewhere, or in what I am doing. I have spent several hours trying and it
> is quite frustrating. Any help will be greatly appreciated.
>
> Thanks in advance.
>
> Regards.
>
> Arturo.
>
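
The three chat strings from the reply at the top of this message, checked against constructed passwd output, as an added example that is not part of the original post or of Samba. It assumes each expect string is matched as a wildcard against the whole of what the passwd program has printed at that step; `SAMPLE_OUTPUT`, `parse_chat` and `first_mismatch` are names made up for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of what the passwd program prints before each answer is
# sent (not captured from the server in this thread). The banner line and the
# leading newlines are the assumption that makes a leading "*" necessary.
SAMPLE_OUTPUT = [
    "Changing password for user arturo.\nNew UNIX password: ",
    "\nRetype new UNIX password: ",
    "\npasswd: all authentication tokens updated successfully.\n",
]

# The three values from the message, as posted.
WORKS = r'"*New*password*" %n\n "*Retype*password*" %n\n "*updated*successfully*"'
FAILS_FIRST = r'"New*password*" %n\n "*Retype*password*" %n\n "*updated*successfully*"'
FAILS_SECOND = r'"*New*password*" %n\n "Retype*password*" %n\n "*updated*successfully*"'


def parse_chat(chat):
    """Split a chat value into tokens; quoted strings lose their quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]


def first_mismatch(chat, outputs=SAMPLE_OUTPUT):
    """Return (step, pattern) for the first expect string that fails, else None.

    Tokens alternate expect, send, expect, send, ...; only the expect strings
    are checked. Each one must match the entire output seen at its step, so a
    pattern without a leading "*" fails as soon as anything precedes the prompt.
    """
    expects = parse_chat(chat)[0::2]
    for step, (pattern, seen) in enumerate(zip(expects, outputs)):
        if not fnmatchcase(seen, pattern):
            return step, pattern
    return None


if __name__ == "__main__":
    for name, chat in [("works", WORKS), ("fails 1", FAILS_FIRST), ("fails 2", FAILS_SECOND)]:
        print(name, "->", first_mismatch(chat))
```

Replacing `SAMPLE_OUTPUT` with the text recorded by the chat debug option on the server shows which expect string stops the exchange.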

