[Samba] changing passwords from Windows XP Pro workstations

Gary Dale garydale at torfree.net
Thu Mar 30 17:28:09 GMT 2006

Craig White wrote:

>I'm keeping this on list.
>On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote:
>>Craig White wrote:
>>>if I was going to guess...I think your problems are...
>>>see items #3 through #7
>>>you don't have a passwd chat script as I recall. That's probably
>>>your setup should track this setup as I see it.
>>>since you have no interest in advancing your skills, count me out next
>>>time unless you learn to ask simple questions. The simple truth is, if
>>>you want know little, point and click Windows network administration,
>>>you are probably better off using a Microsoft Windows server. 
>>>My interest is in helping people that actually are interested in
>>>learning something, yes gasp, those that actually do want to become
>>>expert. Lastly, I would heavily suggest you forget about LDAP until your
>>>attitude changes because it is hostile to administrators that don't want
>>>to become knowledgeable.
>>Thanks Craig. I think you'll see a problem here. You suggest that the 
>>issue may be a lack of a passwd chat script, while two others suggest I 
>>remove the passwd chat script - which is almost identical to the one in 
>>the second URL you just gave.
>>The issue isn't about whether people want to learn. It's about how much 
>>they have to learn to get things to work. If something takes too much 
>>effort, in the real world it doesn't get done. There is nothing 
>>inherently complicated about managing a directory service. Look at the 
>>simple Linux tools for user or printer administration for proof. I see 
>>no virtue in making Samba-LDAP configuration a black art. A basic setup 
>>should be easy to achieve. In fact, from what I have been reading, LDAP 
>>should be the standard Samba backend. That won't happen if people have 
>>to spend a week or more learning how to use it.
>You completely do not get it.
>Samba is infinitely configurable.
>Windows - at the moment of setup you have to choose the role for a
>server, whether a domain controller or a member server. The workstation
>is sold separately. 
>Samba provides all of those roles including a Windows 95/98 server too.
>There is no way that anyone can solve your problem with any certainty
>without suitable logs, an inspection of your tdbsam and your /etc/passwd
>files AND the smb.conf, the whole of which you dumped on us last night
>and undoubtedly have changed many times since. Proper mail list
>etiquette and a commitment to demonstrating that you are actually
>focused on the problem would dictate that you limit those items to only
>the minimum necessary logs, smb.conf, etc.
>Your information is incomplete and as I stated last night, I am not
>going to speculate any further on your problems. In fact, your reply has
>made me sorry that I even speculated on the solution to your problem. 
>As for my 'seeing' the problem - that being in your mind - different
>suggestions to solve your problem - that is absolutely absurd. 
>***The problem*** is you don't know how to provide the information with
>which someone can tell you what the definitive solution would be.
>As for your suggestion that Samba-LDAP is a black art...Samba is Samba and
>LDAP is LDAP - you understand neither package so expecting them to work
>for you is a rather pointless endeavor. Knowledge is power and you
>appear to be lacking both. Yet you expect them to work for you even
>though you don't understand them nor wish to understand them - I wish
>you luck.
>Let me be blunt - you are a help vampire. Please don't email me any more
>until you change your ways.

Under your rules, it is up to the patient to figure out what tests need 
to be performed before visiting the doctor. :)

I have always regarded the help process as a dialogue - maybe that comes 
from my having worked in systems support at one time, or maybe it comes 
from my being a systems consultant (both in-house and contract at various 
times) - but I have never expected the customer to tell me what is wrong 
in a manner that I can immediately say "here's what you have to do".

In my experience, the customer/patient comes to the experts with a 
problem. The experts dig around to determine what the issue really is, 
including asking for specific tests or more information. Then they make 
a diagnosis and prescribe a treatment/solution.

Insulting the patient/customer is usually not a good way to go about 
things. I've been working with PCs since 1978 and with Linux since 1998. 
I put a lot of effort into learning about making things work. And 
according to the Mensa test, I'm not stupid. :) But I'm also not 
someone who has a narrowly defined role. My customers expect me to be 
broadly knowledgeable on just about every topic associated with 
computers. Even if I became an LDAP guru, I'd be unlikely to maintain 
that level of expertise for long. That is a fact of life in the real world.

Responding to your particular criticism about what I did post: You have 
demonstrated on several occasions that you haven't read or understood 
my posts. You have said that you weren't sure what setup I was using 
(LDAP or tdbsam) when my post stated I was using tdbsam. You said I 
didn't have a passwd change dialogue, when the smb.conf I posted did. 
And you said that I posted the entire smb.conf when I clearly indicated 
that I had trimmed unnecessary parts from it.

I note however that this exchange has generated some helpful tips on 
resolving the problem. This is in sharp contrast to my earlier posts on 
the topic last September, and my recent posts on problems with LDAP, 
both of which were largely ignored (except for an exchange with Jeremy 
Allison which didn't resolve the problem). My "style" of posting this 
time seems to have achieved results, so if you object to it, perhaps you 
should look at your "style" of figuring out who to respond to. :) If I'd 
had this level of response last year, or even in my LDAP posts, things 
would have been a lot simpler for me.

BTW: Windows, the last time I looked (which was W2K), allows you to 
change server roles. You can add or remove domain control functionality 
easily. And I recall using a third-party tool to promote and demote NT 
domain controllers before W2K (actually, it was helpful in moving the 
organization from NT to W2K and in restructuring the domain setup).

I'm not going to defend Windows, but I'm also not going to resort to 
hyperbole about Linux being "infinitely configurable". There are only a 
small number of reasonable backends for Samba. They are tdbsam, LDAP and 
MySQL. Clear, straightforward configuration of each is not unachievable. 
It's only one more backend than Windows domains have (NT and ADS).

Anyway Craig, thanks for your input. You've been quite helpful.
