[Samba] Changing Windows Passwords
Mike Cauble
mcauble at lufkin.com
Tue Apr 25 16:27:31 GMT 2006
I have 6 domain controllers that were running samba-tng using OpenLDAP.
Six months ago I converted one of the controllers to Samba 3.0.20 and
exported my LDAP information to be compatible with Samba; everything works
fine. Specifically, I could change passwords at the local Windows
machine. Two weeks ago I converted my other 5 controllers to
Samba 3.0.21b; everything works except changing passwords at the Windows
machine. I have found that there has been a schema change from .20 to
.21 and am wondering if this could be the problem. I am using OpenLDAP
2.3.11. I am using the schema from Samba 3.0.20 in Samba 3.0.21b. I know
account policies were/are stored in account_policy.tdb, but several
things I read said that information was moving to LDAP; I can't find any
information on how to make that happen. I realize the schema could be
the problem. My domains are purely Samba, and I need to be able to
change passwords because of Sarbanes-Oxley.
I get these error messages on the domain controller when I try to change
the password:

[2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
Unable to open new log file /var/log/samba/mcauble-lt.log: Permission denied
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
Unable to open new log file /var/log/samba/mcauble-lt.log: Permission denied
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!
[2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
smb_pam_passchange: PAM: Password Change Failed for user mikec!

The Windows machine says "You don't have permission to change the password".
Below is my slapd.conf file:

# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=lufkin,dc=com"
rootdn "cn=Manager,dc=lufkin,dc=com"
rootpw XXXXXX
directory /var/lib/ldap
loglevel 0
cachesize 100000
idlcachesize 300000
checkpoint 1024 5

# Replication consumer may search without size/time limits.
# (One directive per line: a wrapped continuation must begin with whitespace.)
limits dn.exact="cn=Replica,dc=lufkin,dc=com" size=unlimited time=unlimited

# syncrepl provider for the other controllers
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 1000

# Indices to maintain
## required by OpenLDAP
index objectclass eq
index entryUUID eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index uniqueMember eq
index default sub

# Access control: the first matching "access to" clause wins, and within it
# the first matching "by" clause. The rootdn bypasses these ACLs entirely.
access to dn.base=""
        by self write
        by dn.exact="cn=Replica,dc=lufkin,dc=com" write
        by * auth

# Password hashes: only the entry owner may write; everyone else may only
# use them to bind (auth), never read them.
access to attr=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by * auth

access to attr=shadowLastChange
        by self write
        by * read

# "by anonymous auth" is never reached here: "by *" above already matches
# anonymous binds and grants read.
access to *
        by * read
        by anonymous auth
Thanks for any help
mikec
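To check a slapd.conf like the one above for the ACL mistake that matters most in a Samba domain (password hashes exposed to anonymous binds), here is a small checker added here; it is not from the post, Samba or OpenLDAP. It models only the `access to *` and `access to attr=...` selectors and OpenLDAP's first-match evaluation; SAFE_CONF is the post's own password clause, WEAK_CONF is a constructed config that forgot it.

```python
import re

# OpenLDAP access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

# Sample input: the password clause from the slapd.conf in the post (SAFE_CONF)
# and a constructed variant that has no password-attribute clause (WEAK_CONF).
SAFE_CONF = """\
access to attr=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by * auth
access to *
    by * read
"""
WEAK_CONF = "access to *\n    by * read\n"

def parse_access_clauses(conf):
    """Return [(what, [(who, level), ...])] in file order, comments stripped."""
    clauses = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to "):
            clauses.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and clauses:
            parts = line.split()  # "by <who> [<level>] [control]"; no level means "none"
            clauses[-1][1].append((parts[1], parts[2] if len(parts) > 2 else "none"))
    return clauses

def _what_matches(what, attr):
    """Only '*' and attr(s)= selectors are modelled; dn-based selectors such as
    dn.base="" (the root DSE) are treated as not covering user entries (simplification)."""
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)$", what)
    return bool(m) and attr in m.group(1).split(",")

def anonymous_level(conf, attr):
    """Level an anonymous bind gets on attr: first matching clause wins, then the first
    'by' for '*'/'anonymous'; a matching clause with none denies; no clause at all = 'read'."""
    for what, bys in parse_access_clauses(conf):
        if _what_matches(what, attr):
            return next((lvl for who, lvl in bys if who in ("*", "anonymous")), "none")
    return "read"  # OpenLDAP default when no access directive applies

def exposed_password_attrs(conf):
    """Password attributes an anonymous client could compare, search or read."""
    def rank(level):  # unknown spellings (e.g. privilege forms like =rscx) count as exposed
        return LEVELS.index(level) if level in LEVELS else len(LEVELS)
    return [a for a in PASSWORD_ATTRS if rank(anonymous_level(conf, a)) > LEVELS.index("auth")]
```

Anything above `auth` on a hash attribute is a finding: `compare` alone lets a client test guesses against the stored NT hash without ever binding.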