[Samba] Forcing password changes using SAMBA as PDC

John H Terpstra jht at samba.org
Wed Aug 27 14:46:39 GMT 2003


Enrico,

Please test this with release candidate 2 when it is made available.
If there is still a problem then file a bug report on bugzilla.samba.org.

Thanks.
- John T.

On Wed, 27 Aug 2003, Enrico Payne wrote:

> Hi, I guess you thought this had been resolved? However I was busy testing a
> new server with RH8.0 and Samba3.0.
>
> I have compiled Samba 3.0 to use --with-pam, and now have the following
> funnies.
>
> When I set up the smb.conf as below, the client recognises the need to
> change the password, and asks for the new one. Once I have entered the new
> passwords, I get an error message on the WinXP client: "The system cannot
> change your password now because the domain JBPN is not available". (I have
> not tested this on any other Windows platforms). Also, the following in the
> /var/log/messages log file:
>
> <----- snip ----->
> Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> rpc_server/srv_pipe.c:api_pipe_netsec_process(1363)
> Aug 27 13:17:15 test smbd[1455]:   failed to decode PDU
> Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> Aug 27 13:17:15 test smbd[1455]:   process_request_pdu: failed to do
> schannel processing.
> Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> auth/pampass.c:smb_pam_account(573)
> Aug 27 13:17:15 test smbd[1455]:   smb_pam_account: PAM: UNKNOWN PAM ERROR
> (12) during Account Management for User: enricop
> Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> auth/pampass.c:smb_pam_accountcheck(781)
> Aug 27 13:17:15 test smbd[1455]:   smb_pam_accountcheck: PAM: Account
> Validation Failed - Rejecting User enricop!
>
>
> If I change the "encrypt password" to = no, then I get a message saying that
> either my domain, username or password are incorrect.
>
> I am not sure, but something makes me think that the problem lies with one
> of 3 files, viz. smb.conf, /etc/pam.d/samba or the smbpasswd file
>
> The smb.conf file looks like this:
>
> # Global parameters
> [global]
>         workgroup = JBPN
>         netbios name = JBPN7
>         server string = Samba Server 3.0beta1
>         obey pam restrictions = Yes
>         password server = jbpn1
>         root directory = /
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>         username map = /etc/samba/smb.username.map
>         unix password sync = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         name resolve order = host wins bcast
>         time server = Yes
>         change notify timeout = 10
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         show add printer wizard = No
>         logon script = start.bat
>         logon path = \\jbpn7\home\profiles\%u
>         logon drive = h:
>         domain logons = Yes
>         os level = 60
>         preferred master = No
>         dns proxy = No
>         wins server = 172.16.128.29
>         ldap ssl = no
>
> [netlogon]
>         comment = Logon Profiles
>         path = /home/profiles/%u
>         admin users = +it
>         write list = +it
>         locking = No
>
> [homes]
>         comment = Home Directories
>         path = /%H
>         read only = No
>         browseable = No
>
>
> The /etc/pam.d/samba file looks like this:
>
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
>
>
> The smbpasswd file is from our live server, and contains encrypted
> passwords.
>
> Any help would be greatly appreciated...
>
> Regards
> Enrico
>
>
> ----- Original Message -----
> From: "Andreas" <andreas at conectiva.com.br>
> To: "Andrew Bartlett" <abartlet at samba.org>
> Cc: "Enrico Payne" <enricop at pharma.co.za>; <samba at lists.samba.org>
> Sent: Tuesday, July 29, 2003 2:52 PM
> Subject: Re: [Samba] Forcing password changes using SAMBA as PDC
>
>
> > On Tue, Jul 29, 2003 at 09:19:01AM +1000, Andrew Bartlett wrote:
> > > > But using PAM would require one to disable encrypted passwords, right?
> > >
> > > No.  You may still use PAM's account-control functionality even if you
> > > don't use it for passwords.  Consider how SSH still asks PAM about
> > > disabled accounts, even when the login is with a key.
> >
> > Ah, I see. Thanks for the tip :)
>
>

-- 
John H Terpstra
Email: jht at samba.org
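
An added triage example, not part of the original thread: it re-pairs the smbd debug headers quoted above with their message lines and decodes the numeric code in the "UNKNOWN PAM ERROR (12)" line. The code table assumes Linux-PAM numbering, where 12 is PAM_NEW_AUTHTOK_REQD; the function names are hypothetical.

```python
import re

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE = """\
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1363)
Aug 27 13:17:15 test smbd[1455]:   failed to decode PDU
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Aug 27 13:17:15 test smbd[1455]:   process_request_pdu: failed to do schannel processing.
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0] auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: enricop
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0] auth/pampass.c:smb_pam_accountcheck(781)
Aug 27 13:17:15 test smbd[1455]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User enricop!
"""

# Linux-PAM return codes (_pam_types.h); assumes the host uses Linux-PAM.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[(\d+)\]: (.*)$")
HEADER = re.compile(r"^\[([\d/]+ [\d:]+), (\d+)\] (\S+):(\w+)\((\d+)\)$")
PAM_ERR = re.compile(r"PAM ERROR \((\d+)\) during (.+?) for User: (\S+)")

def parse_smbd(text):
    """Pair each smbd debug header with the message lines that follow it."""
    events, current = [], None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, body = m.groups()
        h = HEADER.match(body.strip())
        if h:
            current = {"pid": int(pid), "time": h[1], "level": int(h[2]),
                       "source": h[3], "function": h[4], "line": int(h[5]), "message": ""}
            events.append(current)
        elif current is not None and current["pid"] == int(pid):
            current["message"] = (current["message"] + " " + body.strip()).strip()
    return events

def pam_failures(events):
    """Return (user, phase, code, name) for PAM errors logged only by number."""
    out = []
    for e in events:
        m = PAM_ERR.search(e["message"])
        if m:
            code = int(m[1])
            out.append((m[3], m[2], code, PAM_CODES.get(code, "unknown")))
    return out
```

Calling pam_failures(parse_smbd(SAMPLE)) reports the account-management rejection for enricop as PAM_NEW_AUTHTOK_REQD.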


