smbpasswd fails with unix password sync enabled

Jeff Ballin jeff at enthalpy.biochem.wisc.edu
Sat Jul 11 02:43:40 GMT 1998


Hello again,

I would like to thank Giant Wang and Miquel Bonastre for their responses
to my query in "Samba Digest 1734" regarding simultaneous passwd changing for 
users via Samba.  Their comments were helpful, but have not solved the
problem.


For those who do not have a backlog of the Digests, the problem is that
with unix password sync=yes, users are not able to change their own password.
However, if I set unix password sync=no, they can.  I am running Red Hat 5.0,
using PAM encryption, and compiled Samba with ALLOW_CHANGE_PASSWORD enabled.
I am running Samba 1.9.18p8. Running passwd from the unix side of things
works fine.  The error reported to the user is

>smbpasswd: machine 127.0.0.1 rejected the password change: Error was : The 
>specified password is invalid.


Giant Wang's suggestion of chmod to 666 a few of the /dev/ptya? character 
devices eliminated several errors found in the level 3 debug log.  However,
the session still fails with (still at level 3)

>>>snip<<<<     

1998/07/08 15:59:53 Transaction 1 of length 168
switch message SMBnegprot (pid 5208)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [Samba]
Selected protocol NT LANMAN 1.0
1998/07/08 15:59:53 Transaction 2 of length 110
switch message SMBsesssetupX (pid 5208)
Domain=[]  NativeOS=[Unix] NativeLanMan=[Samba]
sesssetupX:name=[HOLBROOK]
adding home directory genuser at /home/genuser 
genuser is in 2 groups
504 100 
uid 503 registered to name genuser 
Clearing default real name
1998/07/08 15:59:53 Transaction 3 of length 63
switch message SMBtconX (pid 5208)
Trying username ipc$
ACCEPTED: validated uid ok as non-guest
found free connection number 42
Connect path is /tmp
chdir to /tmp
chdir to /etc
1998/07/08 15:59:53 monte (127.0.0.1) connect to service IPC$ as user genuser (uid=503,gid=504) (pid 5208)
1998/07/08 15:59:53 tconX service=ipc$ user=genuser cnum=42
1998/07/08 15:59:53 Transaction 4 of length 637
switch message SMBtrans (pid 5208)
chdir to /tmp
trans <\PIPE\LANMAN> data=532 params=25 setup=0
named pipe command on <LANMAN> name
Got API command 214 of form <zsT> <B516B16> (tdscnt=532,tpscnt=25,mdrcnt=0,mprcnt=2)
Doing SamOEMChangePassword
api_SamOEMChangePassword: Change password for <genuser>
Password change for user: genuser  
pty: try to open ptya0, line was /dev/ptyXX
pty: opened /dev/ptya0
Dochild for user genuser (uid=0,gid=0)
response 1 incorrect
Child failed to change password: genuser 
end of file from client
chdir to /etc
Closing connections
1998/07/08 15:59:58 monte (127.0.0.1) closed connection to service IPC$


>>>>>snip<<<<<

When I compare level 10 logs (i.e., with and without password sync), I see 
that samba scans the passwd file, but then searches through what seems to be 
every entry in the /dev directory, reporting the error

Doing SamOEMChangePassword
api_SamOEMChangePassword: Change password for <genuser>
get_smbpwd_entry: opening file /etc/smbpasswd
get_smbpwd_entry: search by name: genuser 
get_smbpwd_entry: skipping comment or blank line
get_smbpwd_entry: found by name: genuser 
get_smbpwd_entry: returning passwd entry for user genuser, uid 503
Password change for user: genuser 
is_in_path: .
is_in_path: no name list.
is_in_path: ..
is_in_path: no name list.
is_in_path: atibm
is_in_path: no name list.
is_in_path: audio
is_in_path: no name list.
is_in_path: audio1
is_in_path: no name list.
is_in_path: aztcd

<snip>

is_in_path: ttyI61
is_in_path: no name list.
is_in_path: ttyI62
Dochild for user genuser (uid=0,gid=0)
unbecome_user now uid=(0,0) gid=(0,0)
Closing connections
1998/07/10 20:27:42 monte (127.0.0.1) closed connection to service IPC$
Yielding connection to 42 IPC$
1998/07/10 20:27:42 Server exit  (normal exit)


As both Giant Wang and Miquel pointed out, smbpasswd is executed with uid
root.  Both suggested eliminating the request for "old password" from
the password chat.  This did not work and, if I read the documentation
correctly, is not necessary because samba automatically substitutes
a null string for the old password when executing as root to change the
password.

Below is a snippet of the global section of smb.conf:

=============

 smb passwd file= /etc/smbpasswd
   encrypt passwords= yes
   
;   passwd chat= "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
;               "*Reenter NEW password*" %n\n "*Password Changed*"

   passwd chat= *Enter*NEW*password* %n\n *Reenter*NEW*password* %n\n \
*Password*Changed*

   passwd program= /usr/bin/passwd %u 
   unix password sync= true
   passwd chat debug= yes 

   client code page= 437
   printing = bsd
   printcap name = /etc/printcap
   load printers = yes

debug level=3

  guest account = guest 

   log file = /var/log/samba-log.%m
   max log size = 50

    short preserve case = yes
    preserve case = yes

   lock directory = /var/lock/samba
   locking = yes
   strict locking = yes
   share modes = yes
   security = user 

   deadtime= 15
   logon home="\\%L\%U"
   logon drive= u:
   logon script= /etc/netlogon/STARTUP.BAT 

  message command= csh -c 'xedit %s;rm %s' &


   socket options = TCP_NODELAY 

   os level = 31
   local master= yes
   preferred master= yes
   domain master= no 

   wins support = yes


===========

Thank you all for your help.  I hope you have a good weekend.

Best wishes,

Jeff Ballin
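
An added example, not part of the original post and not Samba's own code: a dry-run checker that walks a `passwd chat` value as expect/send pairs and reports the first expect step that does not match the prompt the passwd program printed. The two chat strings are the ones from the smb.conf above; the prompt lists are constructed samples. Case-insensitive `*` matching and the link between the returned step and the log's "response N incorrect" count are assumptions.

```python
import re

# The two "passwd chat" values from the smb.conf snippet above (continuation lines joined).
CHAT_ROOT = r'*Enter*NEW*password* %n\n *Reenter*NEW*password* %n\n *Password*Changed*'
CHAT_WITH_OLD = (r'"*Enter OLD password*" %o\n "*Enter NEW password*" %n\n '
                 r'"*Reenter NEW password*" %n\n "*Password Changed*"')

# Constructed sample prompts (not captured from a real system).
PROMPTS_MATCHING = ["Enter new password: ", "Reenter new password: ", "Password changed"]
PROMPTS_OTHER_WORDING = ["New password: ", "Retype new password: ", "password updated"]
PROMPTS_REJECTED = ["Enter new password: ", "Bad password: too short"]


def parse_chat(chat):
    """Split a passwd chat value into (expect, send) pairs; double quotes group words."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]
    # A trailing expect with no send string is paired with an empty send.
    return list(zip(tokens[0::2], tokens[1::2] + [""]))


def wildcard_match(pattern, text):
    """Match text against a chat pattern in which '*' stands for any run of characters."""
    if pattern == ".":  # documented in smb.conf(5): a lone full stop expects nothing
        return True
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Assumption: matching ignores case and surrounding whitespace.
    return re.fullmatch(rx, text.strip(), re.IGNORECASE | re.DOTALL) is not None


def first_failed_step(chat, prompts):
    """Return the 1-based expect step that fails, or 0 if every expect matches."""
    for step, (expect, _send) in enumerate(parse_chat(chat), start=1):
        prompt = prompts[step - 1] if step <= len(prompts) else ""
        if not wildcard_match(expect, prompt):
            return step
    return 0


if __name__ == "__main__":
    for name, chat, prompts in [
        ("root chat, matching prompts", CHAT_ROOT, PROMPTS_MATCHING),
        ("root chat, other wording", CHAT_ROOT, PROMPTS_OTHER_WORDING),
        ("chat expecting old password", CHAT_WITH_OLD, PROMPTS_MATCHING),
        ("root chat, new password rejected", CHAT_ROOT, PROMPTS_REJECTED),
    ]:
        print(f"{name}: first failed step = {first_failed_step(chat, prompts)}")
```

To check a real setup, replace the constructed prompt lists with the exact text the passwd program prints when run as root on that host.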

