[Samba] change passwd from windows--more grief

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Thu Oct 5 13:57:40 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2006 07:50 PM, Steve Glasser escreveu:
> Hi group,
> 
> I can't seem to get passwd change from windows to work.  I am running
> samba 3.0.20-3.1.20060mdk installed from rpms on Mandriva 2006; the
> clients are windows XP sp2.  When I try to change passwd from windows I
> get "You do not have permission to change your password".
> 
> What am I doing wrong? 

	I saw that you are using "pam password change", are
you aware of [1]how it works?

1.http://lists.samba.org/archive/samba/2002-November/055729.html


> My global smb.conf is below.  
>>From log.smbd I think this error pertains to the windows error: 
> 
> [2006/10/02 15:25:00, 3] smbd/chgpasswd.c:chgpasswd(457)
>   chgpasswd: Password change (as_root=Yes) for user: foo
>   PAM: unable to obtain the new authentication token - is password to
> weak?

	It looks like something related with your pam options.
The manpage says that usually no change is needed in the
passwd chat, but maybe you found a corner case. ;)

	Does it works with you turn off the 'pam password change'
paramenter in smb.conf?


> This is while using a new passwd of 9 random letters/numbers.
> Any suggestions welcome, thanks in advance
> ========================================================
> 
> 
> dos charset = 850
>         unix charset = ISO8859-1
>         workgroup = DELTAGRADING
>         server string = %h server (Samba, Mandrake)
>         passdb backend = tdbsam
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew
> \sUNIX\spassword:* %n\n .
>         passwd chat debug = Yes
>         username map = /etc/samba/smbusers
>         unix password sync = Yes
>         log level = 3
>         name resolve order = wins bcast hosts
>         time server = Yes
>         printcap name = CUPS
>         add user script = /usr/sbin/useradd -m %u
>         delete user script = /usr/sbin/userdel -r %u
>         add group script = /usr/sbin/groupadd %g
>         delete group script = /usr/sbin/groupdel %g
>         add user to group script = /usr/sbin/usermod -G %g %u
>         add machine script = /usr/sbin/useradd -s /bin/false
> -d /dev/null %u
>         logon script = scripts\%U.bat
>         logon path =
>         logon drive = H:
>         domain logons = Yes
>         os level = 128
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         ldap passwd sync = Yes
>         idmap uid = 15000-20000
>         idmap gid = 15000-20000

	I don't know if it has an impact, but you don't need
'ldap passwd sync' if you are not using LDAP, and looks like
you are not using it.

	Kind regards,

- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFJQ9UCj65ZxU4gPQRAnoeAKCMdmVkHvIUX2WaR7RR7OO4VAiFkACfW9SC
3itThn6cPZc4pUkjU17By94=
=a6Jh
-----END PGP SIGNATURE-----

More information about the samba mailing list