[Samba] error "you do not have permission to change your password"

Data Control Systems - Mike Elkevizth mike at dcsamerica.com
Tue Mar 13 01:33:41 GMT 2007

Hi everyone,

I have had a problem for a while now, and haven't been able to figure it out
on my own, so I'm asking for help. When a user tries to change their
password they receive the aforementioned error. I am running Samba 3.0.10 on
CentOS 4.4 (Red Hat Enterprise) with an LDAP backend. I have the
smbldap-tools scripts installed and have them set up in my smb.conf (see

What I can't figure out is that when I run smbldap-passwd -u %username% as
root from any samba server (PDC or BDC) the command is successful and if I
run smbpasswd -U %username% from the PDC (which is how I understand it is
called by samba) it also completes successfully.

What am I missing?


Mike Elkevizth
Data Control Systems

 	# Password change and create options for domain control

	lanman auth = no
	encrypt passwords = yes
	username map = /etc/samba/smbusers
	unix password sync = yes
	passwd chat timeout = 6
	ldap delete dn = yes
	passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	passwd program = /usr/sbin/smbldap-passwd -u "%u"
	add machine script = /usr/sbin/smbldap-useradd -w "%u"
	add user script = /usr/sbin/smbldap-useradd -a -m "%u"
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	delete group script = /usr/sbin/smbldap-groupdel "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

	# LDAP settings

	passdb backend = ldapsam:"ldap://localhost ldap://dcs001 ldap://dcs002 ldap://dcs003 ldap://dcs004"
	idmap backend = ldap:"ldap://localhost ldap://dcs001 ldap://dcs002 ldap://dcs003 ldap://dcs004"
	ldap timeout = 5
	ldap ssl = start_tls
	ldap admin dn = cn=sambauser,ou=DSA,dc=dcs
	ldap suffix = dc=dcs
	ldap machine suffix = ou=People
	ldap user suffix = ou=People
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap replication sleep = 1000
