[Samba] Unable to change Windows password on Samba BDC

Matt Anderson sokkerstud_11 at hotmail.com
Thu May 1 19:38:05 GMT 2008


Dear Help,

We are currently running Samba 3.0.22 on a distributed network/domain, with one
server as a PDC (primary domain controller) and several as BDCs (backup domain
controllers) in our branch offices located around the country.

At this point, the PDC is set up in our corporate office (where I'm located) and
users have no trouble authenticating (via logging into windows and accessing
shares) and also have no trouble changing passwords (either when they expire or
manually) through the Windows interface.

However, users located in the branch offices (where the BDCs are located) have
no trouble authenticating (via logging into Windows and accessing shares) BUT
are unable to change their password through the Windows interface, getting the
error "The system cannot change your password now because the domain <name> is
not available". All clients are Windows XP with SP2 installed.

I have added (see below) the smb.conf for our PDC as well as the BDC that's
causing problems -- all BDCs basically have the exact same config.

I've tried raising the log level to 3 on the BDC that's not working properly,
but it turns out that trying to change the password doesn't generate ANY log.
However, I know that the domain is available, since immediately before attempting
to change the password I logged on to Windows using the domain... I've poked around
various forums and newsgroups but haven't found anything that has stuck (or
particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd
be glad to hear them!

Thanks,
Matt

======= PDC smb.conf (global section only) =============
[global]
	netbios name = ds-tem-1
	workgroup = DOMAIN
	server string = Samba PDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
	security = user
	log level = 3 
	log file = /var/log/samba/%m.log
	max log size = 5000 
	add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
	logon path = 
	logon home = 
	domain logons = Yes
	os level = 128
	preferred master = Yes
	domain master = Yes
	ldap admin dn = cn=name,o=organization
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap user suffix = 
	ldap filter = (uid=%u)
	ldap suffix = o=organization
	ldap passwd sync = No 
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins support = Yes 
	encrypt passwords = Yes
	logon script = %U.bat
	map to guest = Bad User

======== BDC smb.conf (global section only) =========
[global]
	workgroup = DOMAIN
	server string = Samba BDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
	log level = 2 
	log file = /var/log/samba/%m.log
	max log size = 1000
	logon path = 
	logon home =
	domain logons = Yes
	domain master = No
	preferred master = Yes
	ldap admin dn = cn=name,o=organization
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap suffix = o=organization
	ldap passwd sync = No
	ldap filter = (uid=%u)
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins server = ip.of.PDC.here
	map to guest = Bad User
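Since the two [global] sections above are long and easy to mis-compare by eye, here is an added Python helper (not from the thread and not a Samba tool) that parses smb.conf-style text, re-joins mail-wrapped lines such as the `add machine script` entry, and lists parameters that are present on only one controller or set differently on the two. The embedded excerpts are trimmed copies of the posted PDC and BDC configs.

```python
"""Compare the [global] sections of a PDC and a BDC smb.conf."""
import re

# Constructed excerpts of the two configs posted in the thread (trimmed).
PDC_CONF = """[global]
\tnetbios name = ds-tem-1
\tworkgroup = DOMAIN
\tsecurity = user
\tadd machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c
'Machine Account for %u' -s /bin/false %u
\tdomain master = Yes
\tpreferred master = Yes
\tpassdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
\twins support = Yes
"""

BDC_CONF = """[global]
\tworkgroup = DOMAIN
\tdomain master = No
\tpreferred master = Yes
\tpassdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
\twins server = ip.of.PDC.here
"""

def parse_global(text):
    """Return {parameter: value} for the [global] section only.

    A non-empty line without '=' that follows a parameter is treated as a
    wrapped continuation of that parameter (mail clients fold long lines).
    """
    params, last, in_global = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        if "=" in line:  # split on the first '=' only: values may contain '='
            key, _, val = line.partition("=")
            last = re.sub(r"\s+", " ", key.strip().lower())
            params[last] = val.strip()
        elif last is not None:
            params[last] = (params[last] + " " + line).strip()
    return params

def compare(pdc, bdc):
    """Return (only_on_pdc, only_on_bdc, {param: (pdc_value, bdc_value)})."""
    only_pdc = sorted(set(pdc) - set(bdc))
    only_bdc = sorted(set(bdc) - set(pdc))
    shared = sorted(set(pdc) & set(bdc))
    differing = {k: (pdc[k], bdc[k]) for k in shared if pdc[k] != bdc[k]}
    return only_pdc, only_bdc, differing
```

Run `compare(parse_global(PDC_CONF), parse_global(BDC_CONF))` on the full posted files to get the complete list; a BDC must share the PDC's `passdb backend`, so that value in particular should come back identical.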