[Samba] window, samba and ldap passwords

Dermot paikkos at googlemail.com
Tue Aug 16 04:48:05 MDT 2011


Hi,

I recently migrated to a Samba3x domain. One issue that has been
reported to me is that XP users cannot change their password from
their PC. I have done some searching and I haven't seen a
straightforward answer to this.

My config is

ldap primary + Samba PDC on host A
ldap slave + samba BDC on host B

I see this error in the machine log when someone attempts to change
their password:

2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.215657,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.215741,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!


I have seen this article:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
but I am not sure if it's appropriate for my environment. I suspect
the answer to this may be very dependent on my config.
Can anyone offer any advice?
Thanks in advance.
Dermot.


=========== smb.conf on PDC ===========

       dos charset = UTF-8
       display charset = UTF-8
       workgroup = FOO
       server string = %h server
       map to guest = Bad User
       passdb backend = ldapsam:ldap://127.0.0.1/
       pam password change = Yes
       passwd program = /usr/sbin/smbldap-passwd -u %u
       passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
       unix password sync = Yes
       log level = 1
       syslog = 0
       log file = /var/log/samba/log.%m
       max log size = 1000
       smb ports = 139 445
       name resolve order = wins hosts bcast
       time server = Yes
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       load printers = No
       add user script = /usr/sbin/smbldap-useradd -m %u
       delete user script = /usr/sbin/smbldap-userdel '%u'
       delete group script = /usr/sbin/smbldap-groupdel %g
       add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
       delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
       set primary group script = /usr/sbin/smbldap-usermod -g %g %u
       add machine script = /usr/sbin/smbldap-useradd -w %u
       logon script = logon.bat
       logon path =
       logon drive = U:
       logon home =
       domain logons = Yes
       os level = 65
       preferred master = Auto
       domain master = Yes
       dns proxy = No
       ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
       ldap delete dn = Yes
       ldap group suffix = ou=Groups
       ldap idmap suffix = ou=idmap
       ldap machine suffix = ou=Computers, ou=Users
       ldap passwd sync = yes
       ldap suffix = dc=mydomain,dc=co,dc=uk
       ldap ssl = no
       ldap timeout = 20
       ldap user suffix = ou=Users
       panic action = /usr/share/samba/panic-action %d
       idmap backend = ldap:"ldap://127.0.0.1/"
       idmap uid = 15000-20000
       idmap gid = 15000-20000
       map acl inherit = Yes
       case sensitive = No
       hide unreadable = Yes
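
Added example (not part of the original post, and not Samba's own code): a small Python parser for the two-line log entries quoted above that counts failed password changes per user and collects the PAM error codes reported for them. The sample input is the first three entries from the post, including the one that lacks its opening bracket; the function names are illustrative.

```python
import re
from collections import Counter

# Header line of a Samba 3.x log entry: "[timestamp, level] file:line(function)".
# The opening "[" is optional because the first entry in the post lacks it.
HEADER = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>[\w/.]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
PAM_ERR = re.compile(r"PAM: UNKNOWN PAM ERROR \((?P<code>\d+)\) for User: (?P<user>\S+)")
CHANGE_FAIL = re.compile(r"Password Change Failed for user (?P<user>[^!\s]+)!")

def parse_entries(text):
    """Pair each header line with the indented message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = {**m.groupdict(), "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Count failed password changes per user and collect PAM error codes seen."""
    failures, codes = Counter(), {}
    for e in entries:
        fail, err = CHANGE_FAIL.search(e["msg"]), PAM_ERR.search(e["msg"])
        if fail:
            failures[fail["user"]] += 1
        if err:
            codes.setdefault(err["user"], set()).add(int(err["code"]))
    return failures, codes

# Sample input: the first three log entries from the post, copied as they appear.
SAMPLE = """\
2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
"""

if __name__ == "__main__":
    failures, codes = summarize(parse_entries(SAMPLE))
    for user, n in failures.items():
        print(f"{user}: {n} failed change(s), PAM codes {sorted(codes.get(user, []))}")
```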

