LDAP Ctrl-Alt-Del Password Change

rossp at ppc.ucsc.edu rossp at ppc.ucsc.edu
Thu Mar 20 22:40:09 GMT 2003


I hope this isn't too horrible of me to mail this to this list.  I'm
ready to give up on this problem, but I thought I should at least
report it somewhere in case it's a real bug.  I have tried the regular
samba list and #samba repeatedly, with no response.  I have also
scoured all docs I could find.

The problem is with changing passwords by Ctrl-Alt-Del from a Windows
XP Pro machine.  Samba 2.2.7a (haven't been able to get the Debian
packaging for 2.2.8 to work yet and I'm a purist) using --with-ldapsam
--with-pam_smbpass.  The LDAP server is OpenLDAP.  Password change
using pam_smbpass from the UNIX side works just fine.  I verified that
the change works using a WinXP Pro client.  smb.conf has:

security               = user
encrypt passwords      = true
unix password sync     = true
pam passwd change      = yes
obey pam restrictions  = yes

Logging onto the samba server from a WinXP machine works just fine.

If I try to Ctrl-Alt-Del Change Password... from a WinXP machine where
the username or password of the currently logged in (WinXP) user is
different from the username or password being used on the samba
server, then the password change fails with "1727: the remote
procedure call failed and did not execute".

If I try it when the username and password of the currently logged in
user is the same as the current username and password being used on
the samba server, then the password change succeeds.  And it really
succeeds.  I close the connection and log back in and only the *new*
password works.

From an strace, I verified what I suspected, which is that it's only
when samba falls back on the lanman password that authentication
succeeds and the password change can go forward, which, of course,
explains this behavior.

An odd thing is that an strace of the samba daemons while simply
connecting to a share shows pam.d files being consulted, while an
strace of the daemons during a failed Ctrl-Alt-Del Change
Password... session shows no pam.d files consulted.

I would love to hear that someone has indeed used samba with LDAP and
gotten Ctrl-Alt-Del password change working with the pam stuff
enabled.  Then at least I know it's possible.

Again, sorry to post to this list.  Just in case this is useful.

Thanks.

Ross Patterson
Programmer/Analyst
831-459-2792
rossp at ucsc.edu
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Wed, 19 Feb 2003, rossp at ppc.ucsc.edu wrote:

> On a Debian 3.0 system with user accounts stored in openldap, I have
> unix and windows auth working just fine through ldap.  smbpasswd can
> change the samba passwd attributes, and passwd can change the unix
> password attributes.
>
> I'm trying to get pam_smbpass to work to keep everything in sync, but
> it only says "Failed to find entry for user test0." which indicates to
> me that it's looking in the smbpasswd file which has, of course,
> nothing.  "ldd /lib/security/pam_smbpass.so" gives libpam and libldap
> among other things.
>
> Can someone tell me if pam_smbpass is using the SAM DB API?  If
> pam_smbpass is hardwired for the smbpasswd file, that would explain my
> troubles.
>
> If it is using the SAM DB API, can anyone give me any direction?
>
> Ross Patterson
> Programmer/Analyst
> 831-459-2792
> rossp at ucsc.edu
> 1156 High St, Barn G, PP&C
> Santa Cruz, CA 95064
>
>
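The strace comparison described in the report (pam.d files consulted on a share connect, none during the failed Ctrl-Alt-Del change) can be automated. This is an added example, not code from the original post; it assumes `strace -f` output in the usual `pid  call(...) = ret` shape, and the sample trace lines are constructed, not captured from a real system.

```python
"""Scan `strace -f -e trace=file` output from the Samba daemons and report
which PAM service files (/etc/pam.d/*) each process actually read, so a
share connection and a failed Ctrl-Alt-Del password change can be compared.
The trace lines at the bottom are constructed for illustration."""
import re
from collections import defaultdict

# strace -f prefixes each line with the pid (bare or as "[pid N]");
# open()/openat() carry the path and the return value (fd or -1 errno).
_LINE = re.compile(
    r'^(?:\[pid\s+)?(?P<pid>\d+)\]?\s+'
    r'(?P<call>open|openat)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"'
    r'.*=\s*(?P<ret>-?\d+)'
)

def pam_files_consulted(strace_lines):
    """Return {pid: [pam.d basenames opened successfully]}, in order seen."""
    seen = defaultdict(list)
    for line in strace_lines:
        m = _LINE.match(line)
        if not m or not m.group("path").startswith("/etc/pam.d/"):
            continue
        if int(m.group("ret")) < 0:      # ENOENT etc.: the file was never read
            continue
        name = m.group("path").rsplit("/", 1)[1]
        if name not in seen[m.group("pid")]:
            seen[m.group("pid")].append(name)
    return dict(seen)

def compare_sessions(share_trace, passwd_trace):
    """True when the share session touched pam.d but the password-change
    session did not: the symptom described in the report."""
    return bool(pam_files_consulted(share_trace)) and not pam_files_consulted(passwd_trace)

# Constructed traces: smbd consulting PAM on share connect, and a failed
# Ctrl-Alt-Del change that only touches smb.conf and the LDAP socket.
SHARE_TRACE = [
    '1234  open("/etc/pam.d/samba", O_RDONLY) = 7',
    '1234  open("/etc/pam.d/common-auth", O_RDONLY) = 8',
    '1234  open("/etc/pam.d/does-not-exist", O_RDONLY) = -1 ENOENT (No such file or directory)',
]
PASSWD_TRACE = [
    '1235  open("/etc/samba/smb.conf", O_RDONLY) = 7',
    '1235  connect(9, {sa_family=AF_INET, sin_port=htons(389), ...}, 16) = 0',
]

if __name__ == "__main__":
    print(pam_files_consulted(SHARE_TRACE))             # {'1234': ['samba', 'common-auth']}
    print(compare_sessions(SHARE_TRACE, PASSWD_TRACE))  # True
```

Feed it the real traces with `strace -f -e trace=file -p <smbd pid>` captured during each session; an empty result for the password-change trace confirms PAM was never entered on that code path.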

More information about the samba-technical mailing list