[Samba] Users changing samba passwords directly from windowsclient

Buchan Milne bgmilne at cae.co.za
Mon Nov 18 13:29:01 GMT 2002 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Message: 9
> From: "Michael" <michael at theasian.net>
> To: <samba at lists.samba.org>
> Subject: Re: [Samba] Users changing samba passwords directly from
windowsclient
> Date: Mon, 18 Nov 2002 14:41:02 +0800
>
> Hi Mark,
>
> Thank you for your reply.
> I supposed this would be the way to go with win98 clients.
> But most of my users are using Windows NT4.0 SP6 and Windows 2000
> Professional as clients.
> With these clients, most of them enter as administrator account at their
> workstation.

This is a very bad habit, you should really not have users use an
administrator account on any operating system. Would you run as root on
your linux box (I hope not)?

You can still (if you are really brave) have them use administrative
accounts, but it is really not a good idea to have users using the same
account/user name.

> The moment they attempt to connect to the shared Linux box, a
> window will pop up and prompt for BOTH username and password. This
username
> and password does not necessarily correspond to the Windows username and
> password, but is what was previously set up on the Linux box. In such
> scenarios, how can we change the smb password?

It's not the password that is the problem, it's the fact that you are
connecting with an account that does not authenticate (ie
username/password supplied by windows does not match an account in
samba). Windows only knows the username and password that they have
logged in with, so the accounts *must* match, otherwise they will get a
password propmt (windows95/98/me can remember a password here AFAICR,
but not winnt/win2k).

You really need to make individualy accounts on the workstations, or
implement a windows domain (possibly using a samba machine as a domain
controller). This will drastically simplify your life, since you only
need to create one domain account per user.

Take a look at http://ranger.dnsalias.com/mandrake/muo/connect/csamba6.html

If you don't want to implement a windows domain, you need to:
1)Create accounts with different usernames for each user on their machine
2)Make a matching account on the samba machine (via useradd for example)
3)Assign a samba password (via smbpasswd -a <username>

Then, when they change their local password, they must change the
password on the samba machine via the same method (CTRL-ALT-DEL), just
change the machine name. However, if you have a windows domain, they
would only have to change it once, and windows would only change it on
the domain controller.

In your scenario, if you want to keep operating as you are at the
moment, the only way you are going to avoid a password prompt is if all
the users use the same windows password on the administrator accounts!

> ----- Original Message -----
> From: "Mark Belfanti" <mark at belfanti.com>
> To: "Michael" <michael at theasian.net>
> Cc: <samba at lists.samba.org>
> Sent: Monday, November 18, 2002 2:27 PM
> Subject: Re: [Samba] Users changing samba passwords directly from
windowsclient

>> you need to set the password chat option in the global section. This is
>> what I use and it works well. Users just hit cntl-alt-del to change
>> password or use the previously mentioned applet in win98
>>
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
>
> *passwd:*all*authentication*tokens*updated*successfully*
>

This is incorrect advice, passwd program and passwd chat are only
necessary if you want to change the user's unix password when they
change their samba password ('unix password sync' option).

Regards,
Buchan

- --
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQE92OvkrJK6UGDSBKcRAsx8AJdI/wtJ8AoU5wiT6VPDt8jrUX2xAKCyBTXY
cRtZ6x6VVgsc3uRKI237Fg==
=9P3v
-----END PGP SIGNATURE-----

More information about the samba mailing list