[Samba] LDAP Ctrl-Alt-Del Password Change

rossp at ppc.ucsc.edu rossp at ppc.ucsc.edu
Wed Mar 5 00:03:16 GMT 2003


One fixed problem, one new problem.

Okay, I fixed the pam_smbpass problem by upgrading to 2.2.7a.  So for
anyone out there, pam_smbpass won't work with ldap (./configure
--with-ldapsam) on 2.2.3a and will work with 2.2.7a.

Now, onto the next problem, changing passwords by Ctrl-Alt-Del from a
Windows XP Pro machine.

Logging onto the samba server from a WinXP machine works just fine.

If I try to Ctrl-Alt-Del Change Password... from a WinXP machine where
the username or password of the currently logged in (WinXP) user is
different from the username or password being used on the samba
server, then the password change fails with "1727: the remote
procedure call failed and did not execute".

If I try it when the username and password of the currently logged in
user is the same as the current username and password being used on
the samba server, then the password change succeeds.

From an strace, I verified what I suspected, which is that it's only
when samba falls back on the lanman password that authentication
succeeds and the password change can go forward, which, of course,
explains this behavior.

I suppose it could be that pam is misconfigured on some auth component
somewhere.  But the odd thing is that an strace of the samba daemons
while simply connecting to a share shows pam.d files being consulted,
while an strace of the daemons during a failed Ctrl-Alt-Del Change
Password... session shows no pam.d files consulted.

Can anyone help here?  Can anyone at least verify that they were able
to do Ctrl-Alt-Del Change Password... against a samba/LDAP server?

Thanks.

Ross Patterson
Programmer/Analyst
831-459-2792
rossp at ucsc.edu
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Wed, 19 Feb 2003, rossp at ppc.ucsc.edu wrote:

> On a Debian 3.0 system with user accounts stored in openldap, I have
> unix and windows auth working just fine through ldap.  smbpasswd can
> change the samba passwd attributes, and passwd can change the unix
> password attributes.
>
> I'm trying to get pam_smbpass to work to keep everything in sync, but
> it only says "Failed to find entry for user test0." which indicates to
> me that it's looking in the smbpasswd file which has, of course,
> nothing.  "ldd /lib/security/pam_smbpass.so" gives libpam and libldap
> among other things.
>
> Can someone tell me if pam_smbpass is using the SAM DB API?  If
> pam_smbpass is hardwired for the smbpasswd file, that would explain my
> troubles.
>
> If it is using the SAM DB API, can anyone give me any direction?
>
> Ross Patterson
> Programmer/Analyst
> 831-459-2792
> rossp at ucsc.edu
> 1156 High St, Barn G, PP&C
> Santa Cruz, CA 95064
>
>


