[Samba] FreeBSD: Changing UNIX passwords from Windows

Jon Theil Nielsen jontheil at gmail.com
Mon Feb 11 22:38:59 GMT 2008


2008/2/11, Michael Heydon <michaelh at jaswin.com.au>:
>
> Ken Gunderson wrote:
> > On Mon, 11 Feb 2008 02:06:51 +0100
> > "Jon Theil Nielsen" <jontheil at gmail.com> wrote:
> >
> >
> >> Hello
> >>
> >> We have a FreeBSD server (7.0 BETA3) running as PDC (Samba 3.0.28) passwords
> >> stored in tdbsam. There are no problems for users and machines to log on to
> >> the network as long as they use the passwords I have made by smbpasswd -a
> >> username. But I cannot make a working configuration which allows users to
> >> change their own passwords on the server. They are told something like "You
> >> do not have permission to change your password". I guess the problem is the
> >> communication between Samba and the server, the passwd chat, but I'm not
> >> sure. I have the following lines in smb.conf
> >>
> >> passwd program = /usr/bin/passwd %u
> >> unix password sync = Yes
> >> passwd chat = *New*password* %n\n *Retype*new*passwordn* %n\n
> >>
> >
> > Might want to try:
> >
> > passwd chat = *Old*Password* %n\n *New*Password* %n\n *Retype*New*Password* %n\n
> >
> >
> The password command is called as root, I believe that one of the
> requirements is that it does not prompt for the old password since samba
> will have no idea what the old password was.
>
> If you enable passwd chat debugging (and maybe up the log level) you
> should be able to see exactly what is sent and received by samba/passwd.
>
> > --hth
> >
> >
>
> *Michael Heydon - IT Administrator *
> michaelh at jaswin.com.au <mailto:michaelh at jaswin.com.au>

Okay, now I have made some exercises.
I now have the password chat debug active and I have loglevel 100.
I am not certain about the syntax in the password chat. But if I from a
console try to change the password of a given user (here testuser1), I see
these lines:

mflserver3# /usr/bin/passwd testuser1
Changing local password for testuser1
New Password: (entering the password)
Retype New Password: (entering it again)

From that I guess the expression in the chat would be:
*Changing*local*password*for*%u\n *New*Password* %n\n *Retype*New*Password* %n\n

Selected parts of the log show:

[2008/02/11 23:10:33, 10] lib/util_pw.c:getpwnam_alloc(76)
  Got testuser1 from pwnam_cache
[2008/02/11 23:10:33, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals did find user [testuser1]!
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:chgpasswd(462)
  chgpasswd: Password change (as_root=Yes) for user: testuser1
[2008/02/11 23:10:33, 100] smbd/chgpasswd.c:chgpasswd(465)
  chgpasswd: Passwords: old= new=Very Secret
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:findpty(105)
  pty: try to open ptyp0, line was /dev/ptyXX
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:findpty(105)
  pty: try to open ptyp1, line was /dev/ptyp0
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:findpty(105)
  pty: try to open ptyp2, line was /dev/ptyp1
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:findpty(110)
  pty: opened /dev/ptyp2
[2008/02/11 23:10:33, 3] smbd/sec_ctx.c:push_sec_ctx(207)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2008/02/11 23:10:33, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(105) : conn_ctx_stack_ndx = 1
[2008/02/11 23:10:33, 3] smbd/sec_ctx.c:set_sec_ctx(307)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2008/02/11 23:10:33, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/02/11 23:10:33, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/02/11 23:10:33, 3] smbd/chgpasswd.c:chat_with_program(430)
  chat_with_program: Dochild for user testuser1 (uid=0,gid=0) (as_root = Yes)
[2008/02/11 23:10:33, 10] smbd/chgpasswd.c:dochild(222)
  Invoking '/usr/bin/passwd testuser1' as password change program.
[2008/02/11 23:10:34, 10] lib/util_sock.c:read_socket_with_timeout(476)
  read_socket_with_timeout: timeout read. select timed out.
[2008/02/11 23:10:34, 100] smbd/chgpasswd.c:expect(279)
  expect: expected [*Changing*local*password*for*testuser1
  ] received [Changing local password for testuser1
  New Password:] match no
[2008/02/11 23:10:34, 2] smbd/chgpasswd.c:expect(285)
  expect: Unknown error: 0
[2008/02/11 23:10:34, 3] smbd/chgpasswd.c:talktochild(316)
  Response 1 incorrect
[2008/02/11 23:10:34, 3] smbd/chgpasswd.c:chat_with_program(372)
  chat_with_program: Child failed to change password: testuser1
[2008/02/11 23:10:34, 3] smbd/sec_ctx.c:pop_sec_ctx(415)
  pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1
[2008/02/11 23:10:34, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576)
  init_samr_r_chgpasswd_user
[2008/02/11 23:10:34, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581)
  _samr_chgpasswd_user: 1581
[2008/02/11 23:10:34, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_chgpasswd_user
[2008/02/11 23:10:34, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
      0000 status: NT_STATUS_ACCESS_DENIED
[2008/02/11 23:10:34, 0] rpc_parse/parse_prs.c:prs_dump_region(70)

As told, I'm not confident with the syntax. Have I made it wrong? Or can you
see anything else from the log that can pinpoint the problem?
I would believe that there must be several admins out there who use the
combination of Samba and FreeBSD without having these problems.

Cheers,
Jon Theil Nielsen
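
Added illustration, not part of the original message and not Samba's code: a small model of the expect/send pairing that smb.conf(5) describes for passwd chat, run over the buffer shown in the log above. It assumes whole-buffer, case-sensitive wildcard matching via Python's fnmatch; `parse_chat`, `run_chat` and the sample password are hypothetical names and values.

```python
import fnmatch

def parse_chat(chat, user, new_pw):
    """Split a chat string into (expect, send) steps; the first token is an expect."""
    def expand(tok):
        # Expand escapes before macros, so a backslash sequence inside the
        # password is left alone.
        tok = tok.replace("\\n", "\n")
        return tok.replace("%u", user).replace("%n", new_pw)
    toks = [expand(t) for t in chat.split()]  # double-quoted tokens not handled
    if len(toks) % 2:
        toks.append(".")                      # "." means: send nothing
    return list(zip(toks[0::2], toks[1::2]))

def run_chat(steps, reads):
    """Return 0 if every expect matches, else the 1-based failing response number."""
    for n, (expect, _send) in enumerate(steps, start=1):
        if expect == ".":                     # "." means: expect nothing
            continue
        received = reads[n - 1] if n <= len(reads) else ""
        # Assumption: the pattern must match the whole buffer, '*' spans newlines.
        if not fnmatch.fnmatchcase(received.strip(" "), expect):
            return n
    return 0

# Constructed from the log above: what the child had written by the time each
# expect was evaluated. The banner and first prompt arrive in the same buffer.
READS = [
    "Changing local password for testuser1\nNew Password:",
    "Retype New Password:",
]

POSTED = r"*Changing*local*password*for*%u\n *New*Password* %n\n *Retype*New*Password* %n\n"
PROMPTS = r"*New*Password* %n\n *Retype*New*Password* %n\n"

if __name__ == "__main__":
    for name, chat in (("posted", POSTED), ("prompt-anchored", PROMPTS)):
        steps = parse_chat(chat, "testuser1", "example-pw")  # constructed password
        for expect, send in steps:
            print(f"{name}: expect {expect!r} then send {send!r}")
        print(f"{name}: failing response = {run_chat(steps, READS)}")
```

Under this model the posted string fails at response 1, as in the log, because the pattern ends in `\n` while the buffer already ends with the next prompt. The step listing also shows `*New*Password*` falling into a send slot once the banner takes the first expect slot.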

