[Samba] Unable to change password in windows - SAMBA_LDAP_PDC

jayendren anand maduray jayendren at hivsa.com
Tue Nov 27 14:20:18 GMT 2007

Hi All.

I have a SAMBA PDC that uses LDAP as its back end.
The OS, is UBUNTU 6.10 Server.
SAMBA Version is 3.022

The problem is, when a client logs onto the Domain, he presses 
Control+Alt+Del, and chooses Change Password.
He types in the old password, then the new one, and confirms this.
When he clicks on OK, it thinks for a bit (about 30 seconds) and then says:
 "The system cannot change your password now because the domain 
RIVONINGO.HIVSA is not available"

This used to work before, and works fine on another server, with the 
identical settings.

The log file for the computer says:
[2007/11/27 16:00:11, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2171)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  
(No such object)

or sometimes
 Unable to open new log file /var/log/samba/log.computername: Permission 

My smb.conf looks like this:

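# smb.conf as posted: a Samba 3.0.x PDC with an ldapsam (LDAP) passdb backend.
# NOTE(review): no section headers ([global] and the share headers) survive in
# this paste; everything down to the winbind settings reads as [global] here.
# Confirm the real file still carries the headers before acting on anything below.
#
# workgroup = NT-Domain-Name or Workgroup-Name
# NOTE(review): the workgroup contains a '.', and the Windows error in the post
# names this domain verbatim. Dotted NetBIOS domain names are unusual and some
# Windows clients treat them as DNS names when locating a DC — worth comparing
# with the server that still works ("identical settings" per the post).
	workgroup = RIVONINGO.HIVSA
	netbios name = SOUL-CALIBUR

# server string is the equivalent of the NT Description field
	server string = PHRU Domain Control 

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
# NOTE(review): left disabled, so the PDC accepts SMB connections from any
# address that can reach it; restrict it to the local networks once the
# password issue is resolved.
;	hosts allow = 192.168.1. 192.168.2. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
	;printcap name = /etc/printcap
	load printers = no
	;utmp = yes

# Jay added (disable printing)
# printing = bsd with an empty printcap and spoolss disabled: no printer
# shares are advertised.
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;	printing = cups

# This option tells cups that the data has already been rasterized
;	cups options = raw

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;	guest account = pcguest

# Put a capping on the size of the log files (in Kb).
	max log size = 100000

# Security mode. Most people will want user level security. See
# security_level.txt for details.
# Use password server option only with security = server
;   password server = <NT-Server-Name>
	security = user

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;	smb passwd file = /etc/samba/smbpasswd
	encrypt passwords = true

# PAM, LDAP, time server settings
# Jay added:
# ldap passwd sync = yes: when a domain user changes their password, Samba
# writes the new LDAP userPassword itself (alongside the Samba hashes), bound
# as the 'ldap admin dn' configured further down.
	obey pam restrictions = no
	ldap passwd sync = yes
	time server = yes
	enable privileges = yes

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
# NOTE(review): 'passwd program' is only run when 'unix password sync' is
# yes; with it set to no below, smbldap-passwd is never invoked and the LDAP
# password is maintained by 'ldap passwd sync' alone. Either mechanism is
# fine, but confirm which one is intended rather than leaving both half set.
;  passwd program = /usr/bin/passwd %u
 ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
	;passwd chat = *Enter*password* %n\n *Retype*password* %n\n *success*
	passwd program = /usr/sbin/smbldap-passwd -s %u
;	/usr/sbin//smbldap-passwd %u
	unix password sync = no


# This tells Samba to use a separate log file for each machine
# that connects all log information in one file
# Jay added:
# NOTE(review): log level 0 records little beyond errors, which is why the
# post has so little to go on; raise it temporarily (e.g. log level = 3) while
# reproducing the password change. The "Unable to open new log file ...
# Permission" message means the smbd process cannot write
# /var/log/samba/log.<machine> — check the ownership and mode of /var/log/samba.
	log level = 0
	syslog = 0
;	log file = /var/log/samba/smbd.log
	log file = /var/log/samba/log.%m
	mangling method = hash2
	dos charset = 850
	unix charset = ISO8859-1

# Unix users can map to different SMB User names
	username map = /etc/samba/smbusers

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# NOTE(review): the option this comment described is no longer present
# (presumably socket options); the comment is orphaned.

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;	interfaces = 
	interfaces = eth0

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
# (preferred master is set once, under its own comment further down.)
	local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;	os level = 33
	os level = 100

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
	domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
	preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows workstations.
	domain logons = yes

# Automatic homes, LDAP backend
# Jay added:
# NOTE(review): the passdb URI carries no host, so Samba presumably talks to a
# directory on this machine — confirm. If the directory is remote,
# ldap ssl = off sends the 'ldap admin dn' bind password and every
# userPassword update in clear; the commented start_tls line below is the
# setting to prefer in that case.
# The bind password for 'ldap admin dn' is kept in secrets.tdb (set with
# smbpasswd -w); confirm it still matches the directory — a stale one is a
# common cause of LDAP password-change failures.
	logon drive = U:
	logon home = \\soul-calibur\%U
	passdb backend = ldapsam:ldap://
	ldap admin dn = cn=manager,dc=rivoningo,dc=hivsa
	ldap suffix = dc=rivoningo,dc=hivsa
# NOTE(review): the logged "ldapsam_search_one_group ... No such object" is an
# LDAP search under a base that does not exist; verify that the group suffix
# OU below (and the user's primary group entry beneath it) really exists in
# the directory, and that the admin DN may read it.
	ldap group suffix = ou=smbGroups,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
	ldap user suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
	ldap machine suffix = ou=smbComputers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
# NOTE(review): the idmap suffix is the same OU as the user suffix, so idmap
# entries would be created among the user accounts — confirm that is intended.
	ldap idmap suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
# NOTE(review): Samba 3.0.x documents this as idmap backend = ldap:ldap://host;
# run testparm to confirm the installed version accepts this form.
	idmap backend = ldap://
	;ldap port = 636
	ldap ssl = off
	;ldap ssl = start_tls
# Deleting a Samba user removes the whole LDAP entry, not only the Samba
# attributes.
	ldap delete dn = yes

# Use the smbldap-tools scripts
# Jay added:
# These run as root on account and group changes (the doubled slash in
# /usr/sbin// is harmless). Keep the scripts and the smbldap-tools bind
# configuration readable by root only, since the latter carries directory
# credentials.
	add user script = /usr/sbin//smbldap-useradd -m "%u"
	delete user script = /usr/sbin//smbldap-userdel "%u"
	add machine script = /usr/sbin//smbldap-useradd -w "%u"
	add group script = /usr/sbin//smbldap-groupadd -p "%g"
	delete group script = /usr/sbin//smbldap-groupdel "%g"
	add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
	wins support = yes

# Testing csc policy, acls, hide dot files
# Jay added:
# (everything in this group is commented out; the live values are set per
# share further down.)

;	acl compatibility = yes
;	nt acl support = yes
;	nt pipe support = yes
;	nt status support = yes
;	kernel oplocks = yes
;	lock spin count = 3
;	lock spin time = 10
;	oplock break wait time = 0
;	inherit permissions = yes
;	inherit acls = yes
;	csc policy = manual
;	fake oplocks = no
;	locking = yes
;	oplocks = yes
;	level2 oplocks = yes
;	oplock contention limit = 2
;	posix locking = yes
;	strict locking = yes
;	hide dot files = yes

#============================ Share Definitions ==============================
# IDMAP/Shell/Winbind Settings:
# NOTE(review): these four are global parameters and must stay above the first
# share header, despite sitting under the "Share Definitions" banner.
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/false
	winbind use default domain = no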

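	# NOTE(review): a share header — [homes], judging by the comment and
	# valid users = %S — appears to have been lost in the paste; confirm it is
	# present in the real file.
	comment = Home Directories
	# %S is the share name, which in a [homes] share is the connecting user's
	# name, so only that user may connect.
	valid users = %S
	browseable = yes
	writable = yes
	hide files = /desktop.ini/ntuser.ini/NTUSER.*/

# This prevents users from browsing other peoples' files
# Jay added:
# NOTE(review): inherit permissions = yes (further down in this share)
# overrides these masks: new files take their read/write bits from the parent
# directory, so they are only private if the home directory itself is 0700.
	create mask = 0600
	directory mask = 0700

# Jay added:
	nt acl support = yes
	nt pipe support = yes
	nt status support = yes
	;kernel oplocks = yes	
	;lock spin count = 3
	;lock spin time = 10
	;oplock break wait time = 0
	inherit permissions = yes
	inherit acls = yes
	;fake oplocks = no
	;locking = yes
	;oplocks = yes
	level2 oplocks = no
	;oplock contention limit = 2
	;posix locking = yes
	;strict locking = yes
	hide dot files = yes
	# (hide files is already set above with the same pattern; the repeated
	# line was dropped.)

# Jay Added:
# Real_Time Antivirus Scanning
# NOTE(review): the only active VFS object is recycle; the vscan-clamav line
# is commented out, so no on-access scanning happens on this share despite the
# heading. Deleted files are retained under .deleted (hidden by
# hide dot files, not protected).

        vfs object = recycle  
        ;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
 	recycle:repository = .deleted
	recycle:keeptree = Yes
	recycle:versions = Yes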

# Un-comment the following and create the netlogon directory for Domain Logons
# NOTE(review): the share header this comment refers to (presumably [netlogon])
# is not in the paste; confirm it is present in the real file.
	comment = Network Logon Service
	path = /srv/samba/netlogon
	# Samba matches parameter names ignoring case and whitespace, so this should
	# resolve to 'write list'; spelling it 'write list' matches the manual.
	# The share is not marked writeable, so everyone else gets read-only access,
	# which is what you want: anything placed here runs on every client at logon.
	writelist = root jayendren

# Jay Added:
# Real_Time Antivirus Scanning
# NOTE(review): both lines below are commented out, so no VFS module (and no
# scanning) is active on this share.

	;vfs object = vscan-clamav
	;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

	# NOTE(review): a share header (a roaming-profile share, judging by the
	# path) appears to have been lost in the paste; confirm it is present in
	# the real file. Each user reaches only their own directory because %U is
	# the session user name.
	path = /srv/samba/file-server/staff/%U/profile
	# %S would expand to the share name here, not the user, which is presumably
	# why this stays commented out.
	;valid users = %S
	writeable = yes
	browseable = no
	hide files = /desktop.ini/ntuser.ini/NTUSER.*/

# Jay Added:
# Real_Time Antivirus Scanning
# NOTE(review): only recycle is active; the vscan-clamav line is commented
# out, so no on-access scanning happens here despite the heading.

	vfs object = recycle 
        ;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
        recycle:repository = .deleted
        recycle:keeptree = Yes
        recycle:versions = Yes

# This prevents users from browsing other peoples' profiles
# Jay added:
# create mode / directory mode are synonyms of create mask / directory mask
# (the home-directory share above uses the mask spelling).
# NOTE(review): inherit permissions = yes (below) overrides these masks: new
# files take their read/write bits from the parent directory, so the profile
# directory itself must be 0700 for this to hold.
	create mode = 0600
	directory mode = 0700

# Jay added:
        nt acl support = yes
        nt pipe support = yes
        nt status support = yes
        inherit permissions = yes
        inherit acls = yes
	level2 oplocks = no
 	acl compatibility = auto

	# NOTE(review): a share header (a read-only wallpaper share, judging by the
	# path) appears to have been lost in the paste; confirm it is present in
	# the real file.
	path = /srv/samba/file-server/wallpaper
	;valid users = %S
	# public is a synonym of guest ok; leaving it commented keeps the default
	# (no), so domain authentication is still required to read this share.
	;public = yes
	writeable = no
	browseable = yes

# Jay Added:
# Real_Time Antivirus Scanning
# NOTE(review): both lines below are commented out, so no VFS module (and no
# scanning) is active on this share.

        ;vfs object = vscan-clamav
        ;vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

Any help regarding this will be greatly appreciated, as I have set the 
accounts to expire their passwords after 45 days.
All hell's gonna break loose in 10 days' time!

God bless.

Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
Senior IT Administrator

Perinatal HIV Research Unit
Wits Health Consortium
University of the Witwatersrand

Alternate email address: jayendren at mweb.co.za
Fax Number: 0866857317

...There are 10 types of people, 
those who understand binary 
and those who do not...
