[Samba] changing passwords from Windows XP Pro workstations

Craig White craigwhite at azapple.com
Thu Mar 30 05:04:47 GMT 2006


On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote:
> Craig White wrote:
> 
> >On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote:
> >
> >>Craig White wrote:
> >>
> >>>On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
> >>>
> >>>>Back to square 1!  I stripped out my unsuccessful attempts to get Samba 
> >>>>working with LDAP on my Debian Sarge server and am back with a tdbsam 
> >>>>backend. I actually tried to purge as much of the old Samba & LDAP as I 
> >>>>could then reinstalled fresh. This included removing the Windows groups 
> >>>>and users and even the old tdbsam data.
> >>>>
> >>>>Unfortunately, I'm back where I started - users can't change their own 
> >>>>passwords using the Windows password change dialogue. Their system will 
> >>>>go away for a very long time (more than 15 minutes) then silently fail 
> >>>>to change the password.
> >>>>
> >>>>For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) 
> >>>>on a 2.6.8 kernel. This should mean that this is NOT the old Windows 
> >>>>security patch issue.
> >>>>
> >>>>I've attached my smb.conf (minus the shares definitions) if that helps.
> >>>>
> >>>>Also, for what it's worth, the user accounts are all in Domain Users and 
> >>>>users. All but mine use /bin/false as the login shell (but none of us 
> >>>>can change passwords). My account is also in Domain Admins - and I can 
> >>>>add machine accounts with it.
> >>>>
> >>>>Any ideas anyone?
> >>>>
> >>>----
> >>>I kept my mouth shut because you were following someone's step by step
> >>>and not the samba official documentation.
> >>>
> >>>If you want to follow the Samba By Example methodology, you will
> >>>probably find a lot more people willing to help.
> >>>
> >>>Changing passwords seems to only require that samba, smbldap-tools be
> >>>properly configured for your ldap setup and a script referenced in your
> >>>smb.conf
> >>>
> >>>The smb.conf you attached of course has nothing to do with LDAP and it
> >>>isn't clear what you are trying to do.
> >>>
> >>>I would suggest that you familiarize yourself with the Samba By Example
> >>>book (dead tree form) or pdf or html from the samba.org web site and
> >>>figure out what you are trying to do so someone could actually help.
> >>>
> >>>Craig
> >>>
> >>I've followed the Samba by example in this case. It was not very 
> >>helpful. Between the typos, omissions, errors, and general lack of 
> >>content, it's hard to get anything to work following it. Sorry to be so 
> >>negative about it, but it seems to assume that if you just install the 
> >>packages, things work.
> >>
> >>Now a plain vanilla Debian Sarge system is hardly esoteric, but my 
> >>experience has been that things only work if you are doing a virgin 
> >>setup. In my case, Samba was originally vampired from my old W2K server 
> >>and I've always had the password problem. Trying to install LDAP on a 
> >>system that previously had a not-quite-working tdbsam backend also isn't 
> >>something that the howto writers seem to have tried.
> >>
> >>The other howto I followed was one of several that were written 
> >>specifically for people trying to get Samba+LDAP to work on a Debian 
> >>system. After several days of trying to get it to work, even following 
> >>idealx.org's howto, it still wouldn't. So I ripped everything out and 
> >>went back to a basic Samba setup without LDAP. And now I'm back to the 
> >>same old problem I had before - users can't change their passwords.
> >>
> >>And yes, my current setup was following the Samba by Example - html 
> >>form. I also have the dead-tree Samba Howto collection. According to 
> >>them, I have a working system.  :)
> >>
> >>The basic "by example" says in some very elegant story telling, after 
> >>assuming that you have Samba installed, to smbpasswd -a root, map the 
> >>Administrator account to it, add some groupmaps, stir in some users and 
> >>voila, everything works. My setup passes the validation and the 
> >>troubleshooting. It works, except that it doesn't.
> >>
> >>Again, I'll admit that this probably does work on a fresh system. I've 
> >>set up Samba PDCs from scratch before without problems. However, it 
> >>doesn't seem to want to work on this existing server, even after I 
> >>sacrificed my old accounts vampired from W2K to try to get this working. 
> >>I shouldn't have to rebuild my entire server just to be able to change 
> >>passwords!
> >>
> >>Finally, you need to recognize that Debian does things its way. It has 
> >>installation scripts that ask you questions up front and put the answers 
> >>in multiple files scattered across your system. Samba by Example doesn't 
> >>actually tell you what to put where or why. In fact, it's actually 
> >>difficult to tell exactly which program or file you need to be using at 
> >>any given moment. We're not all Samba developers, after all. SWAT, 
> >>smbpasswd, pdbedit, etc. all seem to do similar things but heaven 
> >>help the poor user who's trying to find out when or why you should use 
> >>one over the other.
> >>
> >>What I'm basically trying to say is you can't assume that everyone is 
> >>going to get to a place by a particular route. Debian howtos are useful 
> >>for those of us with Debian-based systems because they give Debian 
> >>package names and follow Debian installation dialogues. If there is 
> >>something in the howto that you think is wrong or missing, then identify 
> >>it. It's not as if the "official" Samba documentation is all 
> >>encompassing and perfect. I've had to consult a couple of dozen 
> >>different guides in trying to get LDAP working. The official Samba ones 
> >>were less detailed and less informative than many of the others. And the 
> >>By Example guides spend far too much time in narrative and talking about 
> >>other software. Plus it's too Red Hat specific. A lot of the stuff it 
> >>tells you to do isn't right for Debian.
> >>
> >>Rant off. :)
> >>
> >>Do you have any suggestions other than rebuilding my entire server? 
> >>Under what conditions can a password change fail that doesn't 
> >>(apparently) affect other Samba services?
> >>
> >----
> >#1 - you are asking general questions and posting general issues which
> >can only at best get general answers. If you have a specific issue, you
> >have to ask a specific question. That is how this thing works.
> >
> >As for your question about changing passwords...you give neither the
> >context of how you are trying to change the password (the methodology),
> >what you expect to happen and what is happening except in the most
> >general way. You offer not a single piece of logs, don't mention that
> >you checked the logs, in fact, don't give the slightest impression that
> >you know what logs do and how they work.
> >
> >The point is...focus your problem to as simple a question that you can
> >ask and ask it. If you go more than 3 paragraphs, the likelihood of
> >getting an answer drops a lot. Specific questions get specific answers.
> >
> >#2 - The official samba documentation is what it is. It is what you and
> >I make it and I know that JHT is gonna say, if there is something wrong
> >with the documentation, please let him know what it is and he is only
> >too glad to fix it.
> >
> >My personal impression of the samba documentation is that it is far and
> >away the best documentation for any open source project that I have ever
> >used. Is it perfect...probably not, but probably close. Does it
> >anticipate all the things that you could possibly do wrong and then tell
> >you how to fix them - no probably not.
> >
> >#3 - When I did my first migration from NT4 to Samba 3 (it was samba
> >3.0.0) and I remember it clearly because I was trying to learn how to
> >use LDAP at the same time. It was a nightmare and I'm sure the archives
> >showed I asked a lot of questions that evidenced the fact that I didn't
> >understand what I was doing. I put off the migration for a week until I
> >grasped LDAP first and then the integration with samba and the vampire
> >migration went a whole lot smoother. Still, I ended up doing the vampire
> >probably about 15 times because I wanted to get it right up front
> >because fixing it later was likely to be a bitch.
> >
> >#4 - I recognize your frustration and general lack of patience with
> >this...might I suggest that you take a few days off and work on
> >something else while you get a breather, let go of your frustration and
> >can approach this with less of an attitude. I have to do this all the
> >time - in fact, I have learned to almost institutionalize the process
> >when I am learning something new because if I sit and keep pounding on
> >it, I am not likely to see what I am doing wrong.
> >
> >Consider this - samba works - it works for thousands if not millions of
> >people.
> >
> >I use LDAP everywhere since I learned how to get it done...I use it even
> >on very small offices. I actually have 1 client that still does use tdb
> >and I don't think that they ever change their passwords but if you are
> >patient, I will try to change a users password via Windows which I
> >surmise is what you are attempting to do.
> >
> >In the meantime, perhaps you want to get specific with what you are
> >trying to do, what you expect to happen, what does happen, and what the
> >logs say - perhaps you have to increase the log level to get a better
> >picture. Perhaps someone else with great knowledge of samba PDC's with
> >tdb passdb can answer what your issue is. 
> >
> >Craig
> >
> >
> 1) I thought that my question was rather specific:
> - Windows XP Pro password change dialogue doesn't work - goes away, does
> nothing, then quits without reporting an error.
> - Samba version 3.0.14a (Debian) running on a Sarge system.
> re. logs: as per my previous posts ages ago, when I initially tried to
> get this fixed, the logs on the domain controller don't show anything. I
> sent in some samba logs with the loglevel set to 100 to Jeremy for his
> perusal. He never replied.
> 
> 2) No documentation can be all things to everyone. I'm sure there are
> people who like the nice story-telling style of the Samba docs. However,
> for me they are mixing in too many variables. I prefer to keep things
> separate, as in "here's how to set up LDAP", "here's how to configure
> CUPS", etc., along with some side discussion on how the parts fit
> together. The Samba docs flit from topic to topic, repeating unnecessary
> details and leaving out key bits of information. Sorry, but I've been
> too busy trying to get this to work to write down all the problems I've
> found with the docs.  :)
> 
> 3) I didn't find out about the password change problem until the
> passwords started expiring. By then my old server was history. This
> isn't a large network so it was a couple of weeks before the problem
> showed up. I was more concerned with testing the services, like file
> sharing, printing and faxing. Who'da thunk that you couldn't change a
> password?
> 
> 4) As I said, I'm sure this does work. I've done it many times on clean
> servers. I'd love to get LDAP to work, since it can handle my Linux
> accounts too. However, I'm the only one here using Linux and so far the
> others can put up with coming to me to use SWAT to change their passwords.
> 
> However, people shouldn't have to become experts in the technology to
> use something. Samba, LDAP, ssl, PAM and a pile of other software is a
> lot to ask people to understand in detail just so they can log onto a
> network.  :)
> 
> 
> -----------------------------------
> 
> OK, the logs aren't quite silent. Here's one when I tried to change my 
> password from a workstation (the log fragment is from 
> samba/log.<netbiosname> - log.nmbd and log.smbd are silent for the 
> period). This time it came back with "you do not have permission to 
> change your password" after only a few seconds. The other passwords I've 
> been trying to change (and this password in previous attempts) have gone 
> away for more than 15 minutes before the dialogue box closed (without 
> changing the password):
> 
> 
> [2006/03/29 23:13:45, 0] lib/util_sock.c:read_socket_with_timeout(321)
>    read_socket_with_timeout: timeout read. read error = Input/output error.
> [2006/03/29 23:13:46, 0] lib/util_sock.c:read_socket_with_timeout(321)
>    read_socket_with_timeout: timeout read. read error = Input/output error.
> [2006/03/29 23:13:46, 0] lib/util_sock.c:read_socket_with_timeout(321)
>    read_socket_with_timeout: timeout read. read error = Input/output error.
> [2006/03/29 23:13:47, 0] lib/util_sock.c:read_socket_with_timeout(321)
>    read_socket_with_timeout: timeout read. read error = Input/output error.
----
if I was going to guess...I think your problems are...

http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330

see items #3 through #7

you don't have a passwd chat script as I recall. That's probably
important.

your setup should track this setup as I see it.

http://samba.org/samba/docs/man/Samba3-ByExample/secure.html

since you have no interest in advancing your skills, count me out next
time unless you learn to ask simple questions. The simple truth is, if
you want know-little, point-and-click Windows network administration,
you are probably better off using a Microsoft Windows server. 

My interest is in helping people that actually are interested in
learning something, yes gasp, those that actually do want to become
expert. Lastly, I would heavily suggest you forget about LDAP until your
attitude changes because it is hostile to administrators that don't want
to become knowledgeable.

Craig
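
An added example, not part of the original message and not Samba project code: a small Python check of the smb.conf settings on the password-change path this reply points at (`unix password sync`, `passwd program`, `passwd chat`, `pam password change`). The sample smb.conf is constructed, since the file attached earlier in the thread is not on the page, and backslash line continuations are not handled.

```python
import re

# Constructed sample (the smb.conf attached to the thread is not on the page):
# UNIX password sync is enabled but the chat script is commented out.
SAMPLE_SMB_CONF = r"""[global]
   workgroup = EXAMPLE
   passdb backend = tdbsam
   Unix Password Sync = Yes
   passwd program = /usr/bin/passwd %u
;  passwd chat = *new*password* %n\n *new*password* %n\n *changed*
[homes]
   read only = No
"""

TRUE_VALUES = ("yes", "true", "1")  # boolean spellings smb.conf accepts


def parse_global(text):
    """Return [global] parameters as {name without spaces, lower-cased: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def password_change_findings(text):
    """List settings that can break a password change requested by a client."""
    p = parse_global(text)
    if p.get("unixpasswordsync", "no").lower() not in TRUE_VALUES:
        return []          # smbd only updates the passdb backend entry
    findings = []
    # With sync on, smbd runs passwd program as root first; if that step
    # fails, the SMB password is not changed either.
    if p.get("pampasswordchange", "no").lower() not in TRUE_VALUES:
        program = p.get("passwdprogram", "")
        if not program:
            findings.append("passwd program is not set")
        elif "%u" not in program:
            findings.append("passwd program lacks %u (user name)")
    if "passwdchat" not in p:
        findings.append("passwd chat is not set explicitly")
    return findings
```

A finding here is a prompt to run the configured passwd program by hand as root and compare its prompts with the chat script, not proof of the cause.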


