[Samba] Forcing password changes using SAMBA as PDC

Enrico Payne enricop at pharma.co.za
Wed Aug 27 11:43:19 GMT 2003


Hi, I guess you thought this had been resolved? However I was busy testing a
new server with RH8.0 and Samba3.0.

I have compiled Samba 3.0 to use --with-pam, and now have the following
funnies.

When I set up the smb.conf as below, the client recognises the need to
change the password, and asks for the new one. Once I have entered the new
passwords, I get an error message on the WinXP client: "The system cannot
change your password now because the domain JBPN is not available". (I have
not tested this on any other Windows platforms). Also, the following in the
/var/log/messages log file:

<----- snip ----->
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe.c:api_pipe_netsec_process(1363)
Aug 27 13:17:15 test smbd[1455]:   failed to decode PDU
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Aug 27 13:17:15 test smbd[1455]:   process_request_pdu: failed to do
schannel processing.
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_account: PAM: UNKNOWN PAM ERROR
(12) during Account Management for User: enricop
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_accountcheck(781)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_accountcheck: PAM: Account
Validation Failed - Rejecting User enricop!


If I change the "encrypt password" to = no, then I get a message saying that
either my domain, username or password are incorrect.

I am not sure, but something makes me think that the problem lies with one
of 3 files, viz. smb.conf, /etc/pam.d/samba or the smbpasswd file

The smb.conf file looks like this:

# Global parameters
[global]
        workgroup = JBPN
        netbios name = JBPN7
        server string = Samba Server 3.0beta1
        obey pam restrictions = Yes
        password server = jbpn1
        root directory = /
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        username map = /etc/samba/smb.username.map
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = host wins bcast
        time server = Yes
        change notify timeout = 10
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        show add printer wizard = No
        logon script = start.bat
        logon path = \\jbpn7\home\profiles\%u
        logon drive = h:
        domain logons = Yes
        os level = 60
        preferred master = No
        dns proxy = No
        wins server = 172.16.128.29
        ldap ssl = no

[netlogon]
        comment = Logon Profiles
        path = /home/profiles/%u
        admin users = +it
        write list = +it
        locking = No

[homes]
        comment = Home Directories
        path = /%H
        read only = No
        browseable = No


The /etc/pam.d/samba file looks like this:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth


The smbpasswd file is from our live server, and contains encrypted
passwords.

Any help would be greatly appreciated...

Regards
Enrico


----- Original Message ----- 
From: "Andreas" <andreas at conectiva.com.br>
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "Enrico Payne" <enricop at pharma.co.za>; <samba at lists.samba.org>
Sent: Tuesday, July 29, 2003 2:52 PM
Subject: Re: [Samba] Forcing password changes using SAMBA as PDC


> On Tue, Jul 29, 2003 at 09:19:01AM +1000, Andrew Bartlett wrote:
> > > But using PAM would require one to disable encrypted passwords, right?
> >
> > No.  You may still use PAM's account-control functionality even if you
> > don't use it for passwords.  Consider how SSH still asks PAM about
> > disabled accounts, even when the login is with a key.
>
> Ah, I see. Thanks for the tip :)
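
For triaging the smbd log excerpt in the message above, an added example (not part of the original post or of Samba): it re-joins the mail-wrapped syslog lines, pairs each Samba debug header with its message, and maps the numeric PAM code to its Linux-PAM name. The code table assumes Linux-PAM's numbering, in which 12 is PAM_NEW_AUTHTOK_REQD; the function names are hypothetical.

```python
import re
# Linux-PAM return codes (subset); 12 means the password must be changed.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ smbd\[\d+\]: (.*)$")
HEADER = re.compile(r"^\[[^\]]+, *(\d+)\]\s*(\S+):(\w+)\((\d+)\)$")
PAM_ERR = re.compile(r"PAM ERROR\s*\((\d+)\).*?User:\s*(\S+)")

# Four records from the post's log excerpt, with the mail line wrapping kept.
SAMPLE = """\
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_account: PAM: UNKNOWN PAM ERROR
(12) during Account Management for User: enricop
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_accountcheck(781)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_accountcheck: PAM: Account
Validation Failed - Rejecting User enricop!
"""

def join_wrapped(text):
    """Re-attach wrapped continuation lines to their syslog line."""
    payloads = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            payloads.append(m.group(1).strip())
        elif line.strip() and payloads:
            payloads[-1] += " " + line.strip()
    return payloads

def parse_events(text):
    """Pair each Samba debug header with its message; decode PAM codes."""
    events, header = [], None
    for payload in join_wrapped(text):
        h = HEADER.match(payload)
        if h:
            header = h
        elif header:
            ev = {"level": int(header.group(1)), "source": header.group(2),
                  "function": header.group(3), "message": payload}
            if (e := PAM_ERR.search(payload)):
                code = int(e.group(1))
                ev.update(pam_code=code, user=e.group(2),
                          pam_name=PAM_CODES.get(code, "unknown"))
            events.append(ev)
            header = None
    return events
```

Calling `parse_events(SAMPLE)` returns one dictionary per header/message pair; records that carry a numeric PAM code also get `pam_code`, `pam_name` and `user` keys.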

