Sync issue with encrypted passwords

Lonnie J. Borntreger lonnie at borntreger.com
Wed Sep 29 01:41:02 GMT 1999


OK.  How about this problem.

From smb.conf:
passwd program = /usr/bin/passwd %u
passwd chat = New*password:* %n\n *enter*password:* %n\n
*passwd*passwd*successfully*
(the above is one contiguous line)

From the log:
[1999/09/28 20:29:55, 10] smbd/chgpasswd.c:dochild(204)
  Invoking '/usr/bin/passwd 67goat' as password change program.
[1999/09/28 20:29:56, 100] smbd/chgpasswd.c:talktochild(278)
  talktochild: chatbuf=[New*password:*] responsebuf=[New password: ]
[1999/09/28 20:29:56, 100] smbd/chgpasswd.c:talktochild(291)
  talktochild: sendbuf=[<passwd>
  ]
[1999/09/28 20:29:56, 100] smbd/chgpasswd.c:talktochild(278)
  talktochild: chatbuf=[*enter*password:*] responsebuf=[
  Re-enter new password: ]
[1999/09/28 20:29:56, 100] smbd/chgpasswd.c:talktochild(291)
  talktochild: sendbuf=[<passwd>
  ]
[1999/09/28 20:29:56, 100] smbd/chgpasswd.c:talktochild(278)
  talktochild: chatbuf=[*passwd*passwd*successfully*] responsebuf=[
  passwd (SYSTEM): passwd successfully changed for 67goat]
[1999/09/28 20:29:56, 3] smbd/chgpasswd.c:chat_with_program(328)
  The process is no longer waiting!


I get a window with "password incorrect", and the samba password isn't
changed, even though the UNIX password IS changed correctly.

Any ideas on why the final chat line is marked as failing?  It looks OK to
me.

Lonnie Borntreger

> -----Original Message-----
> From: samba-ntdom at samba.org [mailto:samba-ntdom at samba.org]On Behalf Of
> Lisa Becktold {CADIG STAFF}
> Sent: Tuesday, September 28, 1999 8:12 AM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Sync issue with encrypted passwords
>
>
> Hi:
>
> I'm not sure of all the details concerning your configuration...
> are you running Samba as an NT PDC?
>
> We are running Samba on both an SGI and SUN server.  Both are
> acting as PDCs of different domains.
>
> On the Sun server, I have "unix password sync" set and it works!
> (Thanks to a lot of help from this mailing list).  This means
> that users can sit down at NT workstations that are members
> of the Sun server Samba domain, and when they change their
> password it changes both smbpasswd AND /etc/passwd.
>
> Is this what you're trying to do?
>
> If so, then you must rewrite your "passwd chat" script so that
> it doesn't prompt for the old password.  I think this may be
> necessary because you can't decrypt that old password across
> NT/Samba/UNIX.
>
> These are the settings that worked for me:
>
>         unix password sync = yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat    = *New*password* %n\n *new*password* %n\n *passw*d*d*on*
>
> Run the UNIX "passwd username" program as root.  What prompts
> do you see?  Incorporate parts of those prompts with wild cards
> in your "passwd chat" script.
>
> One wrinkle - if you're running NIS, then you must run "unix
> password sync" on the NIS master.  IT WILL NOT WORK ON AN NIS
> SLAVE, because the slave NIS server will prompt for the old
> password and will NOT change a user's password unless it gets
> the old password first.
>
> On the NT workstation, you will be prompted for the old
> password.  Enter it, but don't worry - it doesn't percolate up
> to the UNIX passwd level.  Samba is smart enough to parse out
> the old password, and just grab the new ones to pass to
> /usr/bin/passwd.
>
> Lisa
>
> > Originator: samba-ntdom at samba.org
> > From: Karl Dane <karl at rince.net>
> > To: Multiple recipients of list SAMBA-NTDOM <samba-ntdom at samba.org>
> > Subject: Sync issue with encrypted passwords
> > MIME-Version: 1.0
> > X-Listprocessor-Version: 6.0d -- ListProcessor by
> Anastasios Kotsikonas
> > X-URL: http://samba.anu.edu.au/listproc
> > X-Comment: Discussion of NT domain controller support in Samba
> > Date: Mon, 27 Sep 1999 22:31:14 +1000
> >
> > Hi guys,
> >
> >     I get the following error when I run testparm against my
> > smb.conf file:
> >
> > "ERROR: the 'passwd chat' script [*old*password* %o\n *new*password*
> > %n\n *new*password* %n\n *changed*] expects to use the old plaintext
> > password via the %o substitution. With encrypted passwords
> this is not
> > possible."
> >
> > I assume that this will cause problems when it comes to NT4w users
> > trying to change their passwords.
> >
> > How do I resolve this? Am I forced to use plaintext passwords when
> > syncing passwords with unix accounts? Or is the whole issue moot if
> > I were to use an LDAP backend?
> >
> > Any help is much appreciated.
> >
> > Thanks,
> >
> > --
> > Karl Dane
> > Systems Administrator, Bibliotech
> >
> > Steinbach's Guideline for Systems Programming:
> >         Never test for an error condition you don't know how to
> > handle.
> >
> > p.s. I attach my smb.conf for the sake of clarity.
> >
> > # Global parameters
> >         workgroup = <snip>
> >         netbios name = <snip>
> >         server string = <snip>
> >         interfaces = <snip>
> >         encrypt passwords = Yes
> >         log level = 1
> >         log file = /var/log/samba/log.%m
> >         max log size = 200
> >         time server = Yes
> >         socket options = TCP_NODELAY
> >         printcap name = /etc/printcap
> >         domain logons = Yes
> >         os level = 65
> >         preferred master = Yes
> >         domain master = Yes
> >         dns proxy = No
> >         printing = bsd
> >         print command = lpr -r -P%p %s
> >         lpq command = lpq -P%p
> >         lprm command = lprm -P%p %j
> >         passwd program = /usr/bin/passwd
> >         unix password sync = True
> >         domain admin users = rince gwen atomix terence olly
> >         domain admin group = rince gwen atomix terence olly
> >
> > [netlogon]
> >         locking = no
> >         public = no
> >         browseable = yes
> >
> >
>
>     ----------------------------------------------------------
>       Lisa M. Becktold - lisa at usna.navy.mil, (410) 293-6480
>                United States Naval Academy - CADIG
>     590 Holloway Road, Rickover Hall, Annapolis, MD 21402-5000
>
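
The check described in the thread (compare each "passwd chat" expect string with the prompts the passwd program really prints, and avoid %o when passwords are encrypted), as an added example that is not part of the original messages or of Samba. The function names are hypothetical, the prompts are transcribed from the log above, and shell-style case-sensitive `*` matching is an assumption about how smbd compares them.

```python
import fnmatch

def parse_chat(chat):
    """Split a 'passwd chat' value into (expect, send) steps.
    Assumes whitespace-separated tokens with no quoted spaces."""
    tokens = chat.split()
    # Tokens alternate expect, send, expect, send, ...; a trailing expect has no send.
    return [(tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None)
            for i in range(0, len(tokens), 2)]

def lint_chat(chat, prompts, encrypt_passwords=True):
    """Return a list of findings; an empty list means the chat fits the prompts."""
    findings = []
    steps = parse_chat(chat)
    if encrypt_passwords and "%o" in chat:
        findings.append("uses %o, but the old plaintext password is not "
                        "available with encrypted passwords")
    if len(steps) != len(prompts):
        findings.append(f"chat has {len(steps)} expect steps, "
                        f"program produced {len(prompts)} prompts")
    for n, ((expect, _send), prompt) in enumerate(zip(steps, prompts), 1):
        # Assumption: shell-style '*' matching, case-sensitive, '*' spans newlines.
        if not fnmatch.fnmatchcase(prompt, expect):
            findings.append(f"step {n}: {expect!r} does not match {prompt!r}")
    return findings

# Prompts taken from the responsebuf values in the log above (log indentation dropped).
PROMPTS = ["New password: ",
           "\nRe-enter new password: ",
           "\npasswd (SYSTEM): passwd successfully changed for 67goat"]

# The three chat scripts quoted in the thread (raw strings keep the literal \n).
LONNIE_CHAT = r"New*password:* %n\n *enter*password:* %n\n *passwd*passwd*successfully*"
LISA_CHAT = r"*New*password* %n\n *new*password* %n\n *passw*d*d*on*"
KARL_CHAT = r"*old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*"

if __name__ == "__main__":
    for name, chat in [("Lonnie", LONNIE_CHAT), ("Lisa", LISA_CHAT), ("Karl", KARL_CHAT)]:
        print(name, lint_chat(chat, PROMPTS) or "OK")
```

An empty result only shows that the expect strings fit the logged prompts; it does not account for the "password incorrect" dialog reported at the top of the thread.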


