[Samba] Samba 3.0.1 + LDAP + User Password Change failure
David Hill
dh at dial.pipex.com
Tue Jan 13 12:04:32 GMT 2004
Samba 3.0.1-03 on mandrake 9.2 with LDAP and smbldap tools
Can log on from w2k workstation as user, but user can't change password; get message "you do not have permission to change your password". Suspect this is what's causing the failure:
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
Invoking '/usr/share/samba/scripts/smbldap-passwd -o 'tstuser1'' as password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
expect: Input/output error
Trying to use usermanager to change password also fails, but it does allow other info in LDAP to be changed, so I assume that setting the LDAP manager password in secrets has worked OK.
Have tried with and without password chat timeout in smb.conf.
smbldap-passwd works fine from the command line on the linux box, so LDAP appears to be working fine.
Need help to see the error of my ways, as I am in the process of setting up samba as PDC for a 130 user site, initially for exchange e-mail user authentication.
smb.conf, logs etc. follow.
smb.conf
[global]
workgroup = SAMBA3
server string = Samba Server %v
map to guest = Bad User
obey pam restrictions = No
passdb backend = ldapsam:ldap://127.0.0.1:389
idmap backend = ldapsam:ldap://127.0.0.1:389
passwd program = /usr/share/samba/scripts/smbldap-passwd -o '%u'
# passwd chat = *: %n\\n *: %n\\n
# passwd chat timeout = 100
unix password sync = Yes
passwd chat debug = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/bin/smbldap-useradd -a '%u'
delete user script = /usr/bin/smbldap-userdel -d '%u'
add group script = /usr/bin/smbldap-groupadd -a -g '%g' && /usr/bin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/bin/smbldap-userdel -d -g '%g'
add user to group script = /usr/bin/smbldap-groupmod -m '%u' -g '%g'
delete user from group script = /usr/bin/smbldap-groupmod -x '%u' -g '%g'
set primary group script = /usr/bin/smbldap-usermod -u '%u' -g '%g'
add machine script = /usr/bin/smbldap-useradd -w -d /dev/null -s /bin/false '%m'
logon script = test.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=hill,dc=co.uk
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap admin dn = "cn=manager,dc=hill,dc=co.uk"
ldap ssl = no
ldap passwd sync = Yes
printer admin = @"Domain Admins"
hosts allow = 192.168.5., 127.
printing = lprng
[homes]
comment = Home Directories
path = /V1/users_p
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /V1/netlogon
guest ok = Yes
writable = no
[Profiles]
path = /V1/profiles
guest ok = Yes
browseable = No
available = No
[users_s]
path = /V1/users_s
public = Yes
read only = no
browseable = Yes
[printers]
comment = All Printers
path = /var/spool/samba
read only = No
create mask = 0700
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
Samba log - relevant section - I hope
Trying _Get_Pwnam(), username as lowercase is tstuser1
[2004/01/13 09:36:53, 5] lib/username.c:Get_Pwnam_internals(251)
Get_Pwnam_internals did find user [tstuser1]!
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chgpasswd(465)
Password change (as_root=Yes) for user: tstuser1
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:findpty(87)
findpty: Allocated slave pty /dev/pts/1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(103) : conn_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/01/13 09:36:53, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(422)
Dochild for user tstuser1 (uid=0,gid=0) (as_root = Yes)
[2004/01/13 09:36:53, 10] smbd/chgpasswd.c:dochild(217)
Invoking '/usr/share/samba/scripts/smbldap-passwd -o 'tstuser1'' as password change program.
[2004/01/13 09:36:53, 0] lib/util_sock.c:read_socket_with_timeout(279)
read_socket_with_timeout: timeout read. read error = Input/output error.
[2004/01/13 09:36:53, 2] smbd/chgpasswd.c:expect(280)
expect: Input/output error
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:talktochild(311)
Response 1 incorrect
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(367)
Child failed to change password: tstuser1
[2004/01/13 09:36:53, 3] smbd/chgpasswd.c:chat_with_program(403)
The status of the process exiting was 32512
[2004/01/13 09:36:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (1003, 513) - sec_ctx_stack_ndx = 1
[2004/01/13 09:36:53, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7120)
init_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1469)
_samr_chgpasswd_user: 1469
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_debug(82)
000000 samr_io_r_chgpasswd_user
[2004/01/13 09:36:53, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
0000 status: NT_STATUS_ACCESS_DENIED
[2004/01/13 09:36:53, 5] rpc_server/srv_pipe.c:api_rpcTNP(1549)
api_rpcTNP: called samr successfully
slapd.conf
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
#include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/inetorgperson.schema
#include /usr/share/openldap/schema/java.schema
#include /usr/share/openldap/schema/krb5-kdc.schema
#include /usr/share/openldap/schema/kerberosobject.schema
#include /usr/share/openldap/schema/misc.schema
#include /usr/share/openldap/schema/openldap.schema
#include /usr/share/openldap/schema/rfc822-MailMember.schema
#include /usr/share/openldap/schema/pilot.schema
#include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba3.schema
#include /usr/share/openldap/schema/qmail.schema
#include /usr/share/openldap/schema/mull.schema
#include /usr/share/openldap/schema/netscape-profile.schema
#include /usr/share/openldap/schema/trust.schema
#include /usr/share/openldap/schema/dns.schema
#include /usr/share/openldap/schema/cron.schema
#include /etc/openldap/schema/local.schema
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_passwd.la
#moduleload back_sql.la
# SASL config
#sasl-host ldap.example.com
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=hill,dc=co.uk"
#suffix "o=My Organization Name,c=US"
rootdn "cn=manager,dc=hill,dc=co.uk"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw testing
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
# from samba config
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# following line commented out from sample config file
#index mail,surname,givenname eq,subinitial
# logging
loglevel 256
# Basic ACL
# uid=root changed to cn=root
#
#access to attr=userPassword
# by self write
# by anonymous auth
# by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
# by * none
#access to *
# by dn="cn=root,ou=People,dc=hill,dc=co.uk" write
# by * read
#
# /etc/nsswitch.conf
#
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
#
# system-auth
#
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so likeauth use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
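Added example (editor's code, not part of the post or of Samba): a small Python diagnostic for the hand-off the log shows failing. smbd prints the raw wait(2) status of its child, and 32512 is 127 shifted left by 8 bits, i.e. exit code 127, which /bin/sh returns when it cannot find the command it was asked to run (assumption: smbd launches the passwd program through sh -c, which is how the "Invoking ... as password change program" path works in this version). Note that the configured passwd program is the one smbldap path in this smb.conf that is not under /usr/bin. The script decodes such a status, pulls the relevant [global] keys out of an smb.conf fragment constructed from the post, and checks the program path against a throwaway directory tree instead of the live system. The sample config, the scenario names and the root parameter are constructions for the example.

```python
"""Diagnostic for a failing Samba 'passwd program' hand-off.

Added example, not code from the original post. It decodes the raw wait
status that smbd logs and checks the configured program path the way the
root-owned child would see it (as_root=Yes in the log, so only the execute
bits matter, not the caller's uid).
"""
import os
import re
import shlex
import stat
import tempfile

# Constructed smb.conf fragment mirroring the relevant keys in the post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMBA3
   passdb backend = ldapsam:ldap://127.0.0.1:389
   passwd program = /usr/share/samba/scripts/smbldap-passwd -o '%u'
   # passwd chat = *: %n\\n *: %n\\n
   unix password sync = Yes
   ldap passwd sync = Yes
   add user script = /usr/bin/smbldap-useradd -a '%u'
[homes]
   path = /V1/users_p
"""


def decode_wait_status(status):
    """Split a raw wait(2) status ('The status of the process exiting was N')
    into (exit_code, signal). POSIX packs the exit code in bits 8-15 and a
    terminating signal number in the low 7 bits."""
    if status & 0x7F:  # child was killed by a signal
        return None, status & 0x7F
    return (status >> 8) & 0xFF, None


def parse_global(conf_text):
    """Return the [global] key/value pairs of smb.conf-style text.
    Keys are lowercased; commented lines (# or ;) are skipped."""
    section = None
    values = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def check_passwd_program(conf_text, root="/"):
    """Report what smbd would hit when it runs 'passwd program'.
    'root' (constructed parameter) is prepended to the path so the check can
    run against a temporary tree instead of the live filesystem."""
    g = parse_global(conf_text)
    unix_sync = g.get("unix password sync", "no").lower() == "yes"
    ldap_sync = g.get("ldap passwd sync", "no").lower() == "yes"
    findings = []
    program = g.get("passwd program")
    if unix_sync:
        if program is None:
            findings.append("unix password sync is on but no passwd program is set")
        else:
            exe = shlex.split(program)[0]  # argv[0] of the configured command
            full = os.path.join(root, exe.lstrip("/"))
            if not os.path.exists(full):
                findings.append(f"passwd program {exe} does not exist (sh exit 127)")
            elif not stat.S_IMODE(os.stat(full).st_mode) & 0o111:
                findings.append(f"passwd program {exe} is not executable (sh exit 126)")
        if "passwd chat" not in g:
            findings.append("passwd chat not set: smbd uses its built-in default prompts")
    if unix_sync and ldap_sync:
        findings.append("both ldap passwd sync and unix password sync are on; "
                        "ldap passwd sync already updates userPassword over LDAP")
    return findings


def demo_scenarios():
    """Run the check against three constructed trees: program missing,
    present but mode 0644, present and executable."""
    results = {}
    exe_rel = "usr/share/samba/scripts/smbldap-passwd"
    with tempfile.TemporaryDirectory() as root:
        results["missing"] = check_passwd_program(SAMPLE_SMB_CONF, root)
        path = os.path.join(root, exe_rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o644)
        results["not_executable"] = check_passwd_program(SAMPLE_SMB_CONF, root)
        os.chmod(path, 0o755)
        results["executable"] = check_passwd_program(SAMPLE_SMB_CONF, root)
    return results


if __name__ == "__main__":
    print("status 32512 ->", decode_wait_status(32512))
    for name, findings in demo_scenarios().items():
        print(name, findings)
```

Run it as-is and it prints the decoded status from the log and the findings for each constructed tree; pointing check_passwd_program at a real smb.conf with root="/" turns it into a quick pre-flight check before enabling unix password sync on a PDC.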