[Samba] Problem with samba+openldap with regard changing passwords from windows

Edmundo Valle Neto edmundo.valle at terra.com.br
Tue Feb 19 21:55:15 GMT 2008

Alan Goodman wrote:
> Edmundo Valle Neto wrote:
>> Alan Goodman wrote:
>>> I have implemented samba with LDAP backend, domain logins and 
>>> roaming profiles and everything is great - except for one thing.
>>> No one can change their passwords from windows - trying to change 
>>> your password results in windows telling you you're not allowed to do 
>>> that!
>>> I did smbldap-show alan and among other information the line: 
>>> sambaPwdCanChange: 0 appeared.
>>> From my understanding if I do smbldap-usermod -A0 -B0 alan that line 
>>> should then be changed to have a value of 1 allowing users to change 
>>> passwords from their windows logins, however running the above 
>>> command does not appear to be changing these values at all and thus 
>>> I'm left with manually smbldap-passwd user to change each person's 
>>> passwords (which does work)
>>> If someone could let me know which logs you require and how to 
>>> obtain them I would be happy to post them up here.
>>> OS = CentOS 5.1
>>> Alan
>> Post your smb.conf.
>> Edmundo Valle Neto
> http://pastebin.com/f5fba0114
> Alan

netbios name = MARANATHACENTRA

Netbios names can have a maximum of 12 characters; it will probably be 
truncated (but this isn't related to your problem).

You only need the password options if you want the unix passwords to stay in sync.

Then, you only need "ldap passwd sync = Yes". It's commented out; have you 
already tried it? What happens?

These three options together work too.
unix password sync = Yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new 
password*" %n\n"

There's a double quote that isn't needed at the end (it's not opening nor 
closing any string); the old smbldap-tools documentation shows it that way 
(wrong). I'm not sure if it is really a problem.

If it doesn't work, since you said that it works at the command line, include a 
piece of the log at level 3 from when a client tries to change its password.


Edmundo Valle Neto

Besides that, the configuration is right.

Does "/usr/local/sbin/smbldap-passwd -u anyuser" work when executed from the 
command line?
What Samba version do you use? Do you compile your own packages?
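
The stray trailing quote discussed in the message above, as an added example that is not part of the original post or of Samba: a small Python check that tokenizes a "passwd chat" value and reports an unclosed double quote. The tokenizer is a simplified approximation with hypothetical helper names, not Samba's own parser, and the sample config is constructed from the lines quoted in the message.

```python
# Constructed sample: the smb.conf lines quoted in the message, with the
# mail-wrapped "passwd chat" value joined back onto one line.
SAMPLE_CONF = r'''
[global]
unix password sync = Yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
'''

def get_param(conf_text, name):
    """Return the value of the first 'name = value' line, or None."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out option, as with "ldap passwd sync"
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == name:
            return value.strip()
    return None

def split_chat(value):
    """Split a chat value on whitespace, keeping quoted runs as one token.
    Returns (tokens, unbalanced); unbalanced is True if a quote stays open."""
    tokens, buf, in_quote, started = [], [], False, False
    for ch in value:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(buf))
            buf, started = [], False
        else:
            buf.append(ch)
            started = True
    if started:
        tokens.append("".join(buf))
    return tokens, in_quote

def lint_passwd_chat(conf_text):
    """Return a list of problems found in the 'passwd chat' setting."""
    value = get_param(conf_text, "passwd chat")
    if value is None:
        return ["passwd chat not set"]
    tokens, unbalanced = split_chat(value)
    problems = []
    if unbalanced:
        problems.append("unbalanced double quote")
    # Tokens alternate expect, send, expect, send...; %n is the new password.
    if not any("%n" in t for t in tokens[1::2]):
        problems.append("no send token contains %n")
    return problems
```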
