[Samba] changing passwords from Windows XP Pro workstations

Gary Dale garydale at torfree.net
Thu Mar 30 02:49:59 GMT 2006

Craig White wrote:

>On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
>>Back to square 1!  I stripped out my unsuccessful attempts to get Samba 
>>working with LDAP on my Debian Sarge server and am back with a tdbsam 
>>backend. I actually tried to purge as much of the old Samba & LDAP as I 
>>could then reinstalled fresh. This included removing the Windows groups 
>>and users and even the old tdbsam data.
>>Unfortunately, I'm back where I started - users can't change their own 
>>passwords using the Windows password change dialogue. Their system will 
>>go away for a very long time (more than 15 minutes) then silently fail 
>>to change the password.
>>For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) 
>>on a 2.6.8 kernel. This should mean that this is NOT the old Windows 
>>security patch issue.
>>I've attached my smb.conf (minus the shares definitions) if that helps.
>>Also, for what it's worth, the user accounts are all in Domain Users and 
>>users. All but mine use /bin/false as the login shell (but none of us 
>>can change passwords). My account is also in Domain Admins - and I can 
>>add machine accounts with it.
>>Any ideas anyone?
>I kept my mouth shut because you were following someone's step by step
>and not the samba official documentation.
>If you want to follow the Samba By Example, methodology, you will
>probably find a lot more people willing to help.
>Changing passwords seems to only require that samba, smbldap-tools be
>properly configured for your ldap setup and a script referenced in your
>The smb.conf you attached of course has nothing to do with LDAP and it
>isn't clear what you are trying to do.
>I would suggest that you familiarize yourself with the Samba By Example
>book (dead tree form) or pdf or html from the samba.org web site and
>figure out what you are trying to do so someone could actually help.
I've followed the Samba by example in this case. It  was not very 
helpful. Between the typos, omissions, errors, and general lack of 
content, it's hard to get anything to work following it. Sorry to be so 
negative about it, but it seems to assume that if you just install the 
packages, things work.

Now a plain vanilla Debian Sarge system is hardly esoteric, but my 
experience has been that things only work if you are doing a virgin 
setup. In my case, Samba was originally vampired from my old W2K server 
and I've always had the password problem. Trying to install LDAP on a 
system that previously had a not-quite-working tdbsam backend also isn't 
something that the howto writers seem to have tried.

The other howto I followed was one of several that were written 
specifically for people trying to get Samba+LDAP to work on a Debian 
system. After several days of trying to get it to work, even following 
idealx.org's howto, it still wouldn't. So I ripped everything out and 
went back to a basic Samba setup without LDAP. And now I'm back to the 
same old problem I had before - users can't change their passwords.

And yes, my current setup was following the Samba by Example - html 
form. I also have the dead-tree Samba Howto collection. According to 
them, I have a working system.  :)

The basic "by example" says in some very elegant story telling, after 
assuming that you have Samba installed, to smbpasswd -a root, map the 
Administrator account to it, add some groupmaps, stir in some users and 
voila, everything works. My setup passes the validation and the 
troubleshooting. It works, except that it doesn't.

Again, I'll admit that this probably does work on a fresh system. I've 
set up Samba PDCs from scratch before without problems. However, it 
doesn't seem to want to work on this existing server, even after I 
sacrificed my old accounts vampired from W2K to try to get this working. 
I shouldn't have to rebuild my entire server just to be able to change 

Finally, you need to recognize that Debian does things its way. It has 
installation scripts that ask you questions up front and put the answers 
in multiple files scattered across your system. Samba by Example doesn't 
actually tell you what to put where or why. In fact, it's actually 
difficult to tell exactly which program or file you need to be using at 
any given moment. We're not all Samba developers, after all. SWAT, 
smbpasswd, pdbedit, etc. all seem to do the similar things but heaven 
help the poor user who's trying to find out when or why you should use 
one over the other.

What I'm basically trying to say is you can't assume that everyone is 
going to get to place by a particular route. Debian howtos are useful 
for those of us with Debian-based systems because they give Debian 
package names and follow Debian installation dialogues. If there is 
something in the howto that you think is wrong or missing, then identify 
it. It's not as if the "official" Samba documentation is all 
encompassing and perfect. I've had to consult a couple of dozen 
different guides in trying to get LDAP working. The official Samba ones 
were less detailed and less informative than many of the others. And the 
By Example guides spend far too much time in narrative and talking about 
other software. Plus it's too Red Hat specific. A lot of the stuff it 
tells you to do isn't right for Debian.

Rant off. :)

Do you have any suggestions other than rebuilding my entire server? 
Under what conditions can a password change fail that doesn't 
(apparently) affect other Samba services?

More information about the samba mailing list