[Samba] Forcing password changes using SAMBA as PDC
George Farris
farrisg at mala.bc.ca
Wed Aug 27 15:04:14 GMT 2003
I've had this problem changing passwords and the only solution I've
found is setting: "unix password sync = No"
Password changing right up to rc1 doesn't work unless this is turned
off.
On Wed, 2003-08-27 at 07:46, John H Terpstra wrote:
> Enrico,
>
> Please test this with release candidate 2 when it is made available.
> If there is still a problem then file a bug report on bugzilla.samba.org.
>
> Thanks.
> - John T.
>
> On Wed, 27 Aug 2003, Enrico Payne wrote:
>
> > Hi, I guess you thought this had been resolved? However I was busy testing a
> > new server with RH8.0 and Samba3.0.
> >
> > I have compiled Samba 3.0 to use --with-pam, and now have the following
> > funnies.
> >
> > When I set up the smb.conf as below, the client recognises the need to
> > change the password, and asks for the new one. Once I have entered the new
> > passwords, I get an error message on the WinXP client: "The system cannot
> > change your password now because the domain JBPN is not available". (I have
> > not tested this on any other Windows platforms). Also, the following in the
> > /var/log/messages log file:
> >
> > <----- snip ----->
> > Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> > rpc_server/srv_pipe.c:api_pipe_netsec_process(1363)
> > Aug 27 13:17:15 test smbd[1455]: failed to decode PDU
> > Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> > rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> > Aug 27 13:17:15 test smbd[1455]: process_request_pdu: failed to do
> > schannel processing.
> > Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> > auth/pampass.c:smb_pam_account(573)
> > Aug 27 13:17:15 test smbd[1455]: smb_pam_account: PAM: UNKNOWN PAM ERROR
> > (12) during Account Management for User: enricop
> > Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
> > auth/pampass.c:smb_pam_accountcheck(781)
> > Aug 27 13:17:15 test smbd[1455]: smb_pam_accountcheck: PAM: Account
> > Validation Failed - Rejecting User enricop!
> >
> >
> > If I change the "encrypt password" to = no, then I get a message saying that
> > either my domain, username or password are incorrect.
> >
> > I am not sure, but something makes me think that the problem lies with one
> > of 3 files, viz. smb.conf, /etc/pam.d/samba or the smbpasswd file
> >
> > The smb.conf file looks like this:
> >
> > # Global parameters
> > [global]
> > workgroup = JBPN
> > netbios name = JBPN7
> > server string = Samba Server 3.0beta1
> > obey pam restrictions = Yes
> > password server = jbpn1
> > root directory = /
> > pam password change = Yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> > username map = /etc/samba/smb.username.map
> > unix password sync = Yes
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > name resolve order = host wins bcast
> > time server = Yes
> > change notify timeout = 10
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > show add printer wizard = No
> > logon script = start.bat
> > logon path = \\jbpn7\home\profiles\%u
> > logon drive = h:
> > domain logons = Yes
> > os level = 60
> > preferred master = No
> > dns proxy = No
> > wins server = 172.16.128.29
> > ldap ssl = no
> >
> > [netlogon]
> > comment = Logon Profiles
> > path = /home/profiles/%u
> > admin users = +it
> > write list = +it
> > locking = No
> >
> > [homes]
> > comment = Home Directories
> > path = /%H
> > read only = No
> > browseable = No
> >
> >
> > The /etc/pam.d/samba file looks like this:
> >
> > #%PAM-1.0
> > auth required pam_nologin.so
> > auth required pam_stack.so service=system-auth
> > account required pam_stack.so service=system-auth
> > session required pam_stack.so service=system-auth
> > password required pam_stack.so service=system-auth
> >
> >
> > The smbpasswd file is from our live server, and contains encrypted
> > passwords.
> >
> > Any help would be greatly appreciated...
> >
> > Regards
> > Enrico
> >
> >
> > ----- Original Message -----
> > From: "Andreas" <andreas at conectiva.com.br>
> > To: "Andrew Bartlett" <abartlet at samba.org>
> > Cc: "Enrico Payne" <enricop at pharma.co.za>; <samba at lists.samba.org>
> > Sent: Tuesday, July 29, 2003 2:52 PM
> > Subject: Re: [Samba] Forcing password changes using SAMBA as PDC
> >
> >
> > > On Tue, Jul 29, 2003 at 09:19:01AM +1000, Andrew Bartlett wrote:
> > > > > But using PAM would require one to disable encrypted passwords, right?
> > > >
> > > > No. You may still use PAM's account-control functionality even if you
> > > > don't use it for passwords. Consider how SSH still asks PAM about
> > > > disabled accounts, even when the login is with a key.
> > >
> > > Ah, I see. Thanks for the tip :)
> >
> >
> >
>
> --
> John H Terpstra
> Email: jht at samba.org
--
George Farris farrisg at mala.bc.ca
Computer Support Cowichan.
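
Added example, not part of the original thread or of Samba: a small parser for the smbd syslog excerpt quoted above. It rejoins the mail-wrapped lines, pairs each debug header with its message, and maps the numeric PAM code to its Linux-PAM name. Assuming the server uses Linux-PAM, code 12 is PAM_NEW_AUTHTOK_REQD, which means the account-management check is reporting an expired password that must be changed. The function names are hypothetical.

```python
import re

# Linux-PAM return codes (security/_pam_types.h); assumes the server uses Linux-PAM.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

# Sample input: syslog lines as quoted in the thread, quote markers stripped.
SAMPLE = """\
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Aug 27 13:17:15 test smbd[1455]: process_request_pdu: failed to do
schannel processing.
Aug 27 13:17:15 test smbd[1455]: [2003/08/27 13:17:15, 0]
auth/pampass.c:smb_pam_account(573)
Aug 27 13:17:15 test smbd[1455]: smb_pam_account: PAM: UNKNOWN PAM ERROR
(12) during Account Management for User: enricop
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[\d+\]: ")
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:]{8}), *(\d+)\]\s*(\S+):(\w+)\((\d+)\)$")
PAM_ERR = re.compile(r"PAM ERROR \((\d+)\) during (.+?) for User: (\S+)")

def parse_records(text):
    """Rejoin mail-wrapped lines, then pair each Samba debug header with its message."""
    entries = []
    for line in text.splitlines():
        if SYSLOG.match(line):
            entries.append(SYSLOG.sub("", line).strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()   # continuation of a wrapped line
    records, current = [], None
    for entry in entries:
        m = HEADER.match(entry)
        if m:
            current = {"time": m[1], "level": int(m[2]), "source": m[3],
                       "function": m[4], "line": int(m[5]), "message": ""}
            records.append(current)
        elif current is not None:
            current["message"] = (current["message"] + " " + entry).strip()
    return records

def pam_failures(records):
    """Return (user, phase, code, symbolic name) for each PAM error record."""
    out = []
    for r in records:
        m = PAM_ERR.search(r["message"])
        if m:
            out.append((m[3], m[2], int(m[1]), PAM_CODES.get(int(m[1]), "unmapped")))
    return out
```
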