[Samba] Changing Windows Passwords

Mike Cauble mcauble at lufkin.com
Wed Apr 26 18:05:20 GMT 2006


Solved
I had "unix password sync = yes"; apparently "ldap passwd sync = yes"
is all that is needed to update passwords. I set "unix password sync =
no" and things started to magically work. Not sure why, but it makes
sense to let ldap handle the passwords. Sorry for the wasted bandwidth.

mikec
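As an added example (not part of this thread and not a Samba tool), a small check that parses the [global] section of an smb.conf and flags the combination the reply above ended up changing: an ldapsam passdb backend with "unix password sync = yes", or without "ldap passwd sync = yes". The sample configuration is constructed, not the poster's file.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf, not the poster's actual configuration.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap passwd sync = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_global(text: str) -> Dict[str, str]:
    """Collect [global] parameters; smb.conf keys are case-insensitive and may contain spaces."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def is_true(params: Dict[str, str], key: str) -> bool:
    return params.get(key, "no").lower() in TRUE_VALUES


def check_password_sync(params: Dict[str, str]) -> List[str]:
    """Return findings for the setting combination that broke password changes in the thread."""
    findings: List[str] = []
    if not params.get("passdb backend", "").lower().startswith("ldapsam"):
        return findings  # the check only applies to an LDAP passdb backend
    if is_true(params, "unix password sync"):
        findings.append("unix password sync = yes: the change is handed to the passwd "
                        "program / PAM (the smb_pam_passchange failures in the log)")
    if not is_true(params, "ldap passwd sync"):
        findings.append("ldap passwd sync is not enabled: userPassword in LDAP is not updated")
    return findings


def disable_unix_password_sync(text: str) -> str:
    """Rewrite the parameter the way the reply did: unix password sync = no."""
    return re.sub(r"(?im)^([ \t]*unix\s+password\s+sync\s*=\s*)\S+", r"\1no", text)


if __name__ == "__main__":
    for finding in check_password_sync(parse_global(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
    print(check_password_sync(parse_global(disable_unix_password_sync(SAMPLE_SMB_CONF))))
```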
Mike Cauble wrote:

> I have 6 domain controllers that were running samba-tng using 
> openldap. Six months ago I converted one of the controllers to 
> Samba3.0.20 and exported my ldap information to be compatible with 
> Samba; everything works fine. Specifically, I could change passwords at the 
> local windows machine. Two weeks ago I converted my other 5 
> controllers to Samba3.0.21b; everything works except changing passwords 
> at the windows machine. I have found that there has been a schema 
> change from .20 to .21 and am wondering if this could be the problem. I 
> am using Openldap 2.3.11. I am using the schema from Samba3.0.20 in 
> Samba3.0.21b. I know account policies were/are stored in 
> account_policy.tdb, but several things I read said that information 
> was moving to LDAP. I can't find any information on how to make that 
> happen. I realize the schema could be the problem. My domains are 
> purely Samba, and I need to be able to change passwords because of 
> Sarbanes-Oxley.
>
> I get these error messages on the domain controller when I try to 
> change the password
> [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
>  Unable to open new log file /var/log/samba/mcauble-lt.log: Permission 
> denied
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
>  smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
>  smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] lib/debug.c:reopen_logs(597)
>  Unable to open new log file /var/log/samba/mcauble-lt.log: Permission 
> denied
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
>  smb_pam_passchange: PAM: Password Change Failed for user mikec!
> [2006/04/24 21:23:22, 0] auth/pampass.c:smb_pam_passchange(848)
>  smb_pam_passchange: PAM: Password Change Failed for user mikec!
>
> The windows machine says "You don't have permission to change the 
> password"
>
>
> Below is my slapd.conf file:
>
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/samba.schema
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database        bdb
> suffix              "dc=lufkin,dc=com"
> rootdn             "cn=Manager,dc=lufkin,dc=com"
> rootpw            XXXXXX
> directory        /var/lib/ldap
> loglevel          0
> cachesize       100000
> idlcachesize   300000
> checkpoint     1024 5
>
> limits dn.exact="cn=Replica,dc=lufkin,dc=com" size=unlimited
> time=unlimited
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 1000
>
> # Indices to maintain
> ## required by OpenLDAP
> index objectclass                eq
> index entryUUID                 eq
> index cn                               pres,sub,eq
> index sn                               pres,sub,eq
> index uid                              pres,sub,eq
> index displayName              pres,sub,eq
> index uidNumber                 eq
> index gidNumber                 eq
> index memberUid                eq
> index sambaSID                   eq
> index sambaPrimaryGroupSID      eq
> index sambaDomainName           eq
> index uniqueMember              eq
> index default                   sub
>
> access to dn.base=""
>                by self write
>                by dn.exact="cn=Replica,dc=lufkin,dc=com" write
>                by * auth
>
> access to attr=userPassword,sambaNTPassword,sambaLMPassword
>                by self write
>                by * auth
>
> access to attr=shadowLastChange
>                by self write
>                by * read
>
> access to *
>                by * read
>                by anonymous auth
>
>
> Thanks for any help
> mikec
>
