[Samba] changing passwords from win2k

Jeffrey R. Meyer jeffm at andersonlabs.com
Thu Dec 26 21:32:01 GMT 2002


I have been troubled by this for a few days now and was wondering if anyone
else has had any luck with it?

I am currently running Samba 2.2.6pre2 on FreeBSD 4.7-RELEASE
I have successfully set up samba to be the PDC
I am unsuccessfully trying to change the passwords on the W2k box and I am
receiving the error that the user name/password are incorrect, make sure the
caps lock is not on.
When I check the logs on the BSD box the following appears:

[2002/12/26 14:49:26, 0] passdb/pampass.c:smb_pam_chauthtok(697)
  PAM: Permission denied.
[2002/12/26 14:49:26, 2] passdb/pampass.c:smb_pam_error_handler(71)
  smb_pam_error_handler: PAM: Password Change Failed : Permission denied
[2002/12/26 14:49:26, 0] passdb/pampass.c:smb_pam_passchange(865)
  smb_pam_passchange: PAM: Password Change Failed for user root!

I am making the uneducated assumption that my problem is not with samba but
it is with PAM?
If anyone could help me with this problem it would be greatly appreciated!!!

Thanks,

Jeff Meyer

The smb.conf and pam.conf files that I am using are below.

pam.conf
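login   auth    sufficient      pam_skey.so
login   auth    sufficient      pam_opie.so                     no_fake_prompts
#login  auth    required        pam_opieaccess.so
login   auth    requisite       pam_cleartext_pass_ok.so
#login  auth    sufficient      pam_kerberosIV.so               try_first_pass
#login  auth    sufficient      pam_krb5.so                     try_first_pass
login   auth    required        pam_unix.so                     try_first_pass
login   account required        pam_unix.so
# NOTE(review): pam_permit returns success unconditionally, so this entry
# (and the matching sshd one below) does not itself update any password.
login   password required       pam_permit.so
login   session required        pam_permit.so

# Same requirement for ftpd as login
ftpd    auth    sufficient      pam_skey.so
ftpd    auth    sufficient      pam_opie.so                     no_fake_prompts
#ftpd   auth    required        pam_opieaccess.so
ftpd    auth    requisite       pam_cleartext_pass_ok.so
#ftpd   auth    sufficient      pam_kerberosIV.so               try_first_pass
#ftpd   auth    sufficient      pam_krb5.so                     try_first_pass
ftpd    auth    required        pam_unix.so                     try_first_pass

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
#sshd   auth    required        pam_opieaccess.so
#sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
#sshd   auth    sufficient      pam_krb5.so                     try_first_pass
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so

# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth    required        pam_unix.so                     try_first_pass

# Don't break startx
xserver auth    required        pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm     auth    required        pam_unix.so
#xdm    auth    sufficient      pam_kerberosIV.so               try_first_pass
#xdm    auth    sufficient      pam_krb5.so                     try_first_pass
xdm     account required        pam_unix.so                     try_first_pass
xdm     session required        pam_deny.so
xdm     password required       pam_deny.so

# GDM (GNOME Display Manager)
gdm     auth    required        pam_unix.so
#gdm    auth    sufficient      pam_kerberosIV.so               try_first_pass
#gdm    auth    sufficient      pam_krb5.so                     try_first_pass
gdm     account required        pam_unix.so                     try_first_pass
gdm     session required        pam_permit.so
gdm     password required       pam_deny.so

# Mail services
imap    auth    required        pam_unix.so                     try_first_pass
pop3    auth    required        pam_unix.so                     try_first_pass

# If we don't match anything else, default to using getpwnam().
other   auth    sufficient      pam_skey.so
other   auth    required        pam_unix.so                     try_first_pass
other   account required        pam_unix.so                     try_first_pass

# NOTE(review): the samba service defines only the auth and account
# facilities. With "pam password change = yes" in smb.conf, smbd changes
# passwords through PAM (smb_pam_chauthtok in the log above), and neither this
# stanza nor the "other" fallback has a "password" entry, so that call
# probably has no module stack to run. That is a likely source of the
# "Permission denied"; confirm against the PAM documentation for this release
# before adding a password entry.
samba   auth    required        pam_unix.so                     try_first_pass
samba   account required        pam_unix.so                     try_first_pass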


smb.conf
# /usr/local/etc/smb.conf
# samba configuration file

[global]
# basic server settings
# NOTE(review): the socket options value below appears to have been
# hard-wrapped by the mail client; on one line it would presumably end in
# SO_RCVBUF=8192. Verify against the real file.
        workgroup = labnet
        netbios name = pdcsrv1
        server string = Samba PDC running %v
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=819
2

# PDC and master browser settings
        os level = 64
        preferred master = yes
        local master = yes
        domain master = yes

# security and logging settings
# NOTE(review): hosts allow is commented out below, so this file places no
# host-based restriction on which clients may connect to the PDC.
        security = user
        encrypt passwords = yes
        domain logons = yes
        log file = /var/log/samba/log.%m
        log level = 2
        max log size = 50
#       hosts allow = 127.0.0.1 192.168.0.0/255.255.255.0

# user profiles and home directory
#       logon home = \\%L\home\%U\.profile
#       logon drive = H:
#       logon path = \\%L\profiles\%U
        logon home = ""
        logon path = ""
        logon script = netlogon.bat

#sync UNIX passwords
# unix password sync = yes makes smbd also change the UNIX password when a
# client changes the SMB password. With pam password change = yes that change
# is requested through PAM instead of running the passwd program, so the PAM
# "samba" service needs a stack that can service a password change.
# NOTE(review): the passwd chat value is also line-wrapped in this listing;
# check the exact spacing in the real file.
# NOTE(review): passwd chat debug writes the chat strings, including the old
# and new plaintext passwords, to the smbd log at debug level 100. The
# smb.conf man page describes it as a debugging aid to be switched off
# afterwards, and as having no effect while pam password change is set -
# TODO confirm for 2.2.6.
        unix password sync = yes
        pam password change = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password*
%n\n *
passwd: *all*authentication*tokens*updated*successfully*
        passwd chat debug = yes
#===Shares===

# Per-user home directory share: hidden from browse lists (browseable = no)
# and writable by the connecting user.
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

#[profiles]
#       path = /home/samba/profiles
#       writeable = yes
#       browseable = no
#       create mask = 0600
#       directory mask = 0700

# Share that serves the logon script (logon script = netlogon.bat in [global]).
# read only = yes applies to everyone except the users in write list, who keep
# write access. Domain clients run the script found here at logon, so keep the
# write list and the filesystem permissions on /home/netlogon as narrow as
# possible.
[netlogon]
        path = /home/netlogon
        read only = yes
        write list = jeffm






