[Samba] FW: Password change on Windows 2000 clients not working

james at jsquared.ca james at jsquared.ca
Sun Aug 18 15:20:01 GMT 2002 

Buchan,

I hope you don't mind me picking on you ;-)

I spent some time with this system today and was able to try many of
your suggestions.  I have eliminated some issues, but am still quite
confused as to what's happening ... I have commented your suggestions
below marked with "-->"

-----Original Message-----
From: Buchan Milne [mailto:bgmilne at cae.co.za] 
Sent: Wednesday, August 14, 2002 2:03 PM
To: james at jsquared.ca
Cc: samba at lists.samba.org
Subject: Re: [Samba] FW: Password change on Windows 2000 clients not
working

> From: <james at jsquared.ca>
> To: <samba at lists.samba.org>
> Date: Tue, 13 Aug 2002 21:47:45 -0400
> Subject: [Samba] FW: Password change on Windows 2000 clients not
working
> 
> Hi, I sent this in a couple of days ago and have only gotten one
> suggestion.  Can someone read the below problem and try to help me
out?
> I have searched everywhere for a solution to this and have tried
> numerous 'passwd chat' strings to no avail.

OK, lets take a look.

> 
> Help is much appreciated!
> 
> James Herschel
> JSquared Network Solutions
> (905)847-0799
> james at jsquared.ca
> 
> 
> -----Original Message-----
> From: James Herschel [mailto:jdh34 at cogeco.ca] On Behalf Of
> james at jsquared.ca
> Sent: Sunday, August 11, 2002 11:09 PM
> To: 'samba at lists.samba.org'
> Subject: Password change on Windows 2000 clients not working
> 
> Hello, I have searched hi and lo for a solution to being unable to
> change passwords from Windows 2000.  Everything seems to work fine,
> shares, etc.  but when I press ctrl-alt-del to bring up the Change
> Password dialogue, I get the message that "The user doesn't exist or
the
> password was entered incorrectly" from Windows.  

This is after attempting a password change I assume?

--> Yes, this is what I receive when I press ctrl-alt-delete and choose
"change password" from Windows 2000 sp2

> 
> I am running Samba 2.2.3a on Mandrake Linux 8.2

You may be interested in samba-2.2.5 (with or without LDAP support) 
compiled for Mandrake 8.0, 8.1 and 8.2, available from ftp.samba.org, 
http://ranger.dnsalias.com/mandrake/samba or 
http://people.mandrakesoft.com/~staburet/samba

--> I upgraded to 2.2.5 today and the issue still persists.

> 
> In my logs, I see the following at the computer I was testing on:
> 
> [2002/08/08 18:47:17, 0] smbd/chgpasswd.c:chgpasswd(474)
>   Password Change: user sralph, New password is shorter than minimum
> password length = 5

Looks like your password is too short for your cracklib options (set in 
/etc/pam.d/passwd

--> my cracklib options set a minimum password length of 2
--> when I 

> [2002/08/08 18:47:19, 0] smbd/chgpasswd.c:chgpasswd(474)
>   Password Change: user sralph, New password is shorter than minimum
> password length = 5
> [2002/08/08 18:47:24, 0] smbd/chgpasswd.c:check_oem_password(817)
>   check_oem_password: incorrect password length (-1576411271).
> [2002/08/08 18:48:03, 0] smbd/chgpasswd.c:check_oem_password(817)
>   check_oem_password: incorrect password length (-1576411277).

Anyway, are you sure you need to have samba change the unix password? We

haven't until recently when we switched to LDAP since some app can auth 
against unix passwords but not against pam. In most cases, pam_smb works

very well.

Also, you may want to investigate using "pam password change = yes".
--> I have not installed pam_smb yet and therefore thought this option
was unnecessary.  However, I tried it anyway - nothing changed.

> 
> This is using the commented out "passwd chat" line.  Using the
original
> "passwd chat" line that is listed below, these errors were logged:

The original one should work. If you are unsure, run your 'passwd 
program' on the command line and see.
--> I have reverted to the original passwd chat line that is included
with the Mandrake Samba RPM.


> 
> [2002/07/22 17:03:24, 0] smbd/chgpasswd.c:chgpasswd(541)
>   chgpasswd: Running as root the 'passwd program' parameter *MUST*
> contain the string %u, and the given string /bin/passwd does not.

Looks like you had changed 'passwd program' also, according to this.
--> Changed this back to default

> [2002/07/22 17:03:44, 0] smbd/chgpasswd.c:chgpasswd(541)
>   chgpasswd: Running as root the 'passwd program' parameter *MUST*
> contain the string %u, and the given string /bin/passwd does not.
> [2002/07/22 17:04:02, 0] smbd/chgpasswd.c:check_oem_password(878)
>   check_oem_password: old nt password doesn't match.

Are you sure you typed the right password?
--> Quite sure ;-)

> [2002/07/22 17:04:26, 0] smbd/chgpasswd.c:chgpasswd(474)
>   Password Change: user sralph, New password is shorter than minimum
> password length = 5

Once again, you need to use a longer password, or change the cracklib 
settings.
--> This is confusing because my cracklib options set this to minimum
password length to 2 ... is there somewhere else where this is set?  I
have tested a 4 character password and I receive the above error.
Perhaps the most confusing thing of all is the fact that NO errors show
up in the logs when I enter a password of 5+ characters ... I've turned
on passwd chat debug on, but I can't see where the process is failing
... would I have to put a sniffer on the line to see the process in
action? Or is there another log I should be looking at?

Here is my latest smb.conf file [global] section
#Samba Configuration file
  workgroup = pjglease.com
  netbios name = serve-on
  server string = Workgroup Server
  
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  #pam password change = yes
  unix password sync = yes
  passwd chat debug = true
  passwd program = /bin/passwd %u
  passwd chat  = *New*UNIX*password* %n\n *ReType*new*UNIX*password*
%n\n *passwd:*all*authenticatio
n*tokens*updated*successfully*

  local master = yes
  os level = 34
  domain master = yes
  preferred master = yes
  domain logons = yes
  logon script = logon.bat
  
  # auto-add machine accounts
  add user script = /usr/sbin/useradd -d /dev/null -g machines -c
'Machine Account' -s /bin/false -M
 %u
  
  #Logs
  log file = /var/log/samba/log.%m
  max log size = 50

  #Optimizations
  socket options = SO_RCVBUF=8192
  socket options = SO_SNDBUF=8192
  socket options = TCP_NODELAY
  
  #naming
  wins support = yes
  name resolve order = wins lmhosts hosts bcast

  #Home Dirs
  logon drive = Z:
  logon home = \\serve-on\%u

  #printing
  #printcap name = lpstat
  #load printers = yes
  #printing = cups


Thanks Buchan! Let me know if you would like any of my pam.d files.

James Herschel
JSquared Network Solutions
(905)847-0799
james at jsquared.ca

More information about the samba mailing list