[Samba] Forcing password changes using SAMBA as PDC
Enrico Payne
enricop at pharma.co.za
Wed Aug 27 11:43:19 GMT 2003
Hi, I guess you thought this had been resolved? However I was busy testing a
new server with RH8.0 and Samba3.0.
I have compiled Samba 3.0 to use --with-pam, and now have the following
funnies.
When I set up the smb.conf as below, the client recognises the need to
change the password, and asks for the new one. Once I have entered the new
passwords, I get an error message on the WinXP client: "The system cannot
change your password now because the domain JBPN is not available". (I have
not tested this on any other Windows platforms.) Also, the following appears in the
/var/log/messages log file:
<----- snip ----->
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe.c:api_pipe_netsec_process(1363)
Aug 27 13:17:15 test smbd[1455]: failed to decode PDU
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Aug 27 13:17:15 test smbd[1455]: process_request_pdu: failed to do
schannel processing.
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]: smb_pam_account: PAM: UNKNOWN PAM ERROR
(12) during Account Management for User: enricop
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_accountcheck(781)
Aug 27 13:17:15 test smbd[1455]: smb_pam_accountcheck: PAM: Account
Validation Failed - Rejecting User enricop!
If I change the "encrypt password" to = no, then I get a message saying that
either my domain, username or password are incorrect.
I am not sure, but something makes me think that the problem lies with one
of 3 files, viz. smb.conf, /etc/pam.d/samba or the smbpasswd file.
The smb.conf file looks like this:
# Global parameters
[global]
workgroup = JBPN
netbios name = JBPN7
server string = Samba Server 3.0beta1
obey pam restrictions = Yes
password server = jbpn1
root directory = /
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smb.username.map
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = host wins bcast
time server = Yes
change notify timeout = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
show add printer wizard = No
logon script = start.bat
logon path = \\jbpn7\home\profiles\%u
logon drive = h:
domain logons = Yes
os level = 60
preferred master = No
dns proxy = No
wins server = 172.16.128.29
ldap ssl = no
[netlogon]
comment = Logon Profiles
path = /home/profiles/%u
admin users = +it
write list = +it
locking = No
[homes]
comment = Home Directories
path = /%H
read only = No
browseable = No
The /etc/pam.d/samba file looks like this:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
The smbpasswd file is from our live server, and contains encrypted
passwords.
Any help would be greatly appreciated...
Regards
Enrico
----- Original Message -----
From: "Andreas" <andreas at conectiva.com.br>
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "Enrico Payne" <enricop at pharma.co.za>; <samba at lists.samba.org>
Sent: Tuesday, July 29, 2003 2:52 PM
Subject: Re: [Samba] Forcing password changes using SAMBA as PDC
> On Tue, Jul 29, 2003 at 09:19:01AM +1000, Andrew Bartlett wrote:
> > > But using PAM would require one to disable encrypted passwords, right?
> >
> > No. You may still use PAM's account-control functionality even if you
> > don't use it for passwords. Consider how SSH still asks PAM about
> > disabled accounts, even when the login is with a key.
>
> Ah, I see. Thanks for the tip :)
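
Added example, not part of the original thread: a Python sketch that reassembles the mail-wrapped smbd syslog records quoted in the message above and translates the numeric PAM code into its Linux-PAM constant name. In Linux-PAM's headers 12 is PAM_NEW_AUTHTOK_REQD, the account-management result for a password that has to be changed. The function names are hypothetical and the code table is a subset that assumes Linux-PAM numbering.

```python
import re

# Subset of Linux-PAM return codes (<security/_pam_types.h>); assumes Linux-PAM.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
             27: "PAM_AUTHTOK_EXPIRED"}

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ smbd\[\d+\]: (.*)$")
HEADER = re.compile(r"^\[[\d/]+ [\d:]+, *\d+\] *(\S+):(\w+)\(\d+\)$")
PAM_ERR = re.compile(r"PAM ERROR \((\d+)\).*?for User: *(\S+)", re.I)

# Log lines copied from the post, including the mail client's line wrapping.
SAMPLE = """\
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Aug 27 13:17:15 test smbd[1455]: process_request_pdu: failed to do
schannel processing.
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]: smb_pam_account: PAM: UNKNOWN PAM ERROR
(12) during Account Management for User: enricop
"""

def smbd_records(text):
    """Rejoin wrapped lines, then pair each debug header with its message."""
    entries = []
    for line in text.strip().splitlines():
        m = SYSLOG.match(line)
        if m:
            entries.append(m.group(1))
        elif entries:                      # wrapped continuation line
            entries[-1] += " " + line.strip()
    records = []
    for entry in entries:
        h = HEADER.match(entry)
        if h:                              # "[date, level] file:function(line)"
            records.append({"file": h.group(1), "func": h.group(2), "msg": ""})
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + entry).strip()
    return records

def pam_failures(text):
    """Return (user, code, Linux-PAM name, reporting function) per PAM error."""
    hits = [(PAM_ERR.search(r["msg"]), r["func"]) for r in smbd_records(text)]
    return [(m.group(2), int(m.group(1)), PAM_CODES.get(int(m.group(1)), "?"), f)
            for m, f in hits if m]

if __name__ == "__main__":
    print(pam_failures(SAMPLE))
```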