[Samba] Re: changing passwords from win2k

Jeffrey R. Meyer jeffm at andersonlabs.com
Fri Dec 27 16:13:00 GMT 2002


Well all, I assumed wrong.......  The problem wasn't with PAM after all.  I
made the following changes to my smb.conf file and the strangest thing
happens.  The passwords are actually changed, however, an error still
appears on the Windows client.

I added the following line under [global]
smb passwd = /usr/local/private/smbpasswd

I commented out the following lines under [global]
pam password change = yes
passwd chat debug = yes

I changed the following line under [global]
passwd program = /usr/local/bin/smbpasswd %u

If there are any ideas out there your help would be greatly appreciated.

Jeff Meyer





"Jeffrey R. Meyer" <jeffm at andersonlabs.com> wrote in message
news:aufr26$flr$1 at main.gmane.org...
> I have been troubled by this for a few days now and was wondering if anyone
> else has had any luck with this?
>
> I am currently running Samba 2.2.6pre2 on FreeBSD 4.7-RELEASE
> I have successfully set up samba to be the PDC
> I am unsuccessfully trying to change the passwords on the W2k box and I am
> receiving the error that the user name/password are incorrect make sure the
> caps lock is not on.
> When I check the logs on the BSD box the following appears:
>
> [2002/12/26 14:49:26, 0] passdb/pampass.c:smb_pam_chauthtok(697)
>   PAM: Permission denied.
> [2002/12/26 14:49:26, 2] passdb/pampass.c:smb_pam_error_handler(71)
>   smb_pam_error_handler: PAM: Password Change Failed : Permission denied
> [2002/12/26 14:49:26, 0] passdb/pampass.c:smb_pam_passchange(865)
>   smb_pam_passchange: PAM: Password Change Failed for user root!
>
> I am making the uneducated assumption that my problem is not with samba but
> it is with PAM?
> If anyone could help me with this problem it would be greatly appreciated!!!
>
> Thanks,
>
> Jeff Meyer
>
> The smb.conf and pam.conf files that I am using are below.
>
> pam.conf
> login   auth    sufficient      pam_skey.so
> login   auth    sufficient      pam_opie.so             no_fake_prompts
> #login  auth    required        pam_opieaccess.so
> login   auth    requisite       pam_cleartext_pass_ok.so
> #login  auth    sufficient      pam_kerberosIV.so       try_first_pass
> #login  auth    sufficient      pam_krb5.so             try_first_pass
> login   auth    required        pam_unix.so             try_first_pass
> login   account required        pam_unix.so
> login   password required       pam_permit.so
> login   session required        pam_permit.so
>
> # Same requirement for ftpd as login
> ftpd    auth    sufficient      pam_skey.so
> ftpd    auth    sufficient      pam_opie.so             no_fake_prompts
> #ftpd   auth    required        pam_opieaccess.so
> ftpd    auth    requisite       pam_cleartext_pass_ok.so
> #ftpd   auth    sufficient      pam_kerberosIV.so       try_first_pass
> #ftpd   auth    sufficient      pam_krb5.so             try_first_pass
> ftpd    auth    required        pam_unix.so             try_first_pass
>
> # OpenSSH with PAM support requires similar modules.  The session one is
> # a bit strange, though...
> sshd    auth    sufficient      pam_skey.so
> sshd    auth    sufficient      pam_opie.so             no_fake_prompts
> #sshd   auth    required        pam_opieaccess.so
> #sshd   auth    sufficient      pam_kerberosIV.so       try_first_pass
> #sshd   auth    sufficient      pam_krb5.so             try_first_pass
> sshd    auth    required        pam_unix.so             try_first_pass
> sshd    account required        pam_unix.so
> sshd    password required       pam_permit.so
> sshd    session required        pam_permit.so
>
> # "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
> telnetd auth    required        pam_unix.so             try_first_pass
>
> # Don't break startx
> xserver auth    required        pam_permit.so
>
> # XDM is difficult; it fails or moans unless there are modules for each
> # of the four management groups; auth, account, session and password.
> xdm     auth    required        pam_unix.so
> #xdm    auth    sufficient      pam_kerberosIV.so       try_first_pass
> #xdm    auth    sufficient      pam_krb5.so             try_first_pass
> xdm     account required        pam_unix.so             try_first_pass
> xdm     session required        pam_deny.so
> xdm     password required       pam_deny.so
>
> # GDM (GNOME Display Manager)
> gdm     auth    required        pam_unix.so
> #gdm    auth    sufficient      pam_kerberosIV.so       try_first_pass
> #gdm    auth    sufficient      pam_krb5.so             try_first_pass
> gdm     account required        pam_unix.so             try_first_pass
> gdm     session required        pam_permit.so
> gdm     password required       pam_deny.so
>
> # Mail services
> imap    auth    required        pam_unix.so             try_first_pass
> pop3    auth    required        pam_unix.so             try_first_pass
>
> # If we don't match anything else, default to using getpwnam().
> other   auth    sufficient      pam_skey.so
> other   auth    required        pam_unix.so             try_first_pass
> other   account required        pam_unix.so             try_first_pass
>
> samba   auth    required        pam_unix.so             try_first_pass
> samba   account required        pam_unix.so             try_first_pass
>
>
> smb.conf
> # /usr/local/etc/smb.conf
> # samba configuration file
>
> [global]
> # basic server settings
>         workgroup = labnet
>         netbios name = pdcsrv1
>         server string = Samba PDC running %v
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>
> # PDC and master browser settings
>         os level = 64
>         preferred master = yes
>         local master = yes
>         domain master = yes
>
> # security and logging settings
>         security = user
>         encrypt passwords = yes
>         domain logons = yes
>         log file = /var/log/samba/log.%m
>         log level = 2
>         max log size = 50
> #       hosts allow = 127.0.0.1 192.168.0.0/255.255.255.0
>
> # user profiles and home directory
> #       logon home = \\%L\home\%U\.profile
> #       logon drive = H:
> #       logon path = \\%L\profiles\%U
>         logon home = ""
>         logon path = ""
>         logon script = netlogon.bat
>
> #sync UNIX passwords
>         unix password sync = yes
>         pam password change = yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
>         passwd chat debug = yes
> #===Shares===
>
> [homes]
>         comment = Home Directories
>         browseable = no
>         writable = yes
>
> #[profiles]
> #       path = /home/samba/profiles
> #       writeable = yes
> #       browseable = no
> #       create mask = 0600
> #       directory mask = 0700
>
> [netlogon]
>         path = /home/netlogon
>         read only = yes
>         write list = jeffm
>
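
Added example, not part of the original thread: a check of which PAM management groups resolve for the `samba` service (falling back to `other`, as PAM does) when smb.conf has `pam password change = yes`. The function names are hypothetical and the sample text is constructed from the entries quoted above.

```python
# Added example; PAM_CONF and SMB_CONF are constructed from the quoted files.
FACILITIES = ("auth", "account", "session", "password")

PAM_CONF = """\
other   auth    sufficient      pam_skey.so
other   auth    required        pam_unix.so             try_first_pass
other   account required        pam_unix.so             try_first_pass
samba   auth    required        pam_unix.so             try_first_pass
samba   account required        pam_unix.so             try_first_pass
"""
SMB_CONF = """\
[global]
        unix password sync = yes
        pam password change = yes
"""

def parse_pam_conf(text):
    """Return {service: {facility: [(control, module, args), ...]}}."""
    rules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] not in FACILITIES:
            continue  # blank, comment-only, or malformed line
        service, facility, control, module, *args = fields
        rules.setdefault(service.lower(), {}).setdefault(facility, []).append(
            (control, module, args))
    return rules

def resolve(rules, service, facility):
    """Rules PAM would use: the service's own, else the 'other' fallback."""
    return rules.get(service, {}).get(facility) or rules.get("other", {}).get(facility, [])

def smb_global(text, key):
    """Value of a [global] parameter, or None if absent or commented out."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            if " ".join(name.split()).lower() == key:
                return value.strip()
    return None

def audit(pam_text, smb_text, service="samba"):
    """Report whether smbd is told to use PAM and which groups have no rules."""
    rules = parse_pam_conf(pam_text)
    uses_pam = (smb_global(smb_text, "pam password change") or "no").lower() in ("yes", "true", "1")
    return {"pam_password_change": uses_pam,
            "missing_facilities": [f for f in FACILITIES if not resolve(rules, service, f)]}
```

On the quoted files, `audit(PAM_CONF, SMB_CONF)` reports that neither `samba` nor `other` has `session` or `password` rules; `password` is the group a PAM password change runs through.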






