[Samba] Problem with samba+openldap with regard changing passwords from windows

Alan Goodman lists at goodmanemail.com
Wed Feb 20 10:19:15 GMT 2008

Edmundo Valle Neto wrote:
> Alan Goodman wrote:
>> Edmundo Valle Neto wrote:
>>> Alan Goodman wrote:
>>>> I have implemented samba with LDAP backend, domain logins and 
>>>> roaming profiles and everything is great - except for one thing.
>>>> No one can change their passwords from windows - trying to change 
>>>> your password results in windows telling you you're not allowed to do 
>>>> that!
>>>> I did smbldap-show alan and among other information the line: 
>>>> sambaPwdCanChange: 0 appeared.
>>>> From my understanding if I do smbldap-usermod -A0 -B0 alan that 
>>>> line should then be changed to have a value of 1 allowing users to 
>>>> change passwords from their windows logins, however running the 
>>>> above command does not appear to be changing these values at all 
>>>> and thus I'm left with manually smbldap-passwd user to change each 
>>>> person's passwords (which does work)
>>>> If someone could let me know which logs you require and how to 
>>>> obtain them I would be happy to post them up here.
>>>> OS = CentOS 5.1
>>>> Alan
>>> Post your smb.conf.
>>> Edmundo Valle Neto
>> http://pastebin.com/f5fba0114
>> Alan
> netbios name = MARANATHACENTRA
> Netbios names can have a maximum of 12 characters, it will probably be 
> truncated. (but this isn't related to your problem)
> You only need password options if you want unix passwords to stay in 
> sync.
> Then, you only need "ldap passwd sync = Yes". It's commented out; have 
> you already tried it? What happens?
> These three options together work too.
> unix password sync = Yes
> passwd program = /usr/local/sbin/smbldap-passwd -u %u
> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype 
> new password*" %n\n"
> There's a double quote that isn't needed at the end (it's not opening 
> nor closing any string), the old smbldap-tools documentation shows 
> it that way (wrong), I'm not sure if it is really a problem.
> If it doesn't work, as you said that it works at the command line, include 
> a piece of log using level 3 when a client tries to change its password.
> Regards.
> Edmundo Valle Neto
> Besides that, the configuration is right.
> "/usr/local/sbin/smbldap-passwd -u anyuser" works when executed from 
> the command line?
> What samba version do you use? Do you compile your own packages?
Here you go...

http://pastebin.com/f61c911dd - logs

In answer to your questions...

Yeah that command works as root on the CLI
Samba version is 3.0.25b-1.el5_1.4
No, I used the RPMs
OpenLDAP version...
slapd -V
@(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:24:08) $
mockbuild at builder6.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd 

Many thanks for your help.  It is much appreciated.
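
The two smb.conf points raised in the quoted reply (the three options that go together for unix password sync, and the stray double quote at the end of `passwd chat`) can be checked mechanically. The following is an added example, not code from the thread or from Samba; the function names are hypothetical and the sample config is constructed from the option lines quoted above.

```python
import re

# Constructed sample built from the option lines quoted in the thread,
# including the trailing double quote on "passwd chat".
SAMPLE = r'''
[global]
   ; ldap passwd sync = Yes
   unix password sync = Yes
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
'''

def norm(name):
    """smb.conf ignores case and whitespace in option names."""
    return "".join(name.lower().split())

def parse_global(text):
    """Return {normalised option: value} for [global]; ';' and '#' start comments."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)   # only the first '=' is significant
            opts[norm(key)] = value.strip()
    return opts

def check_password_sync(text):
    """List problems with the password-change options discussed in the thread."""
    opts = parse_global(text)
    findings = []
    if opts.get(norm("unix password sync"), "").lower() in ("yes", "true", "1"):
        for needed in ("passwd program", "passwd chat"):
            if norm(needed) not in opts:
                findings.append(f"unix password sync is on but '{needed}' is not set")
    if opts.get(norm("passwd chat"), "").count('"') % 2:
        findings.append("passwd chat has an unbalanced double quote")
    return findings
```
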

