[Samba] Unable to change Windows password on Samba BDC
Matt Anderson
sokkerstud_11 at hotmail.com
Thu May 1 19:38:05 GMT 2008
Dear Help,
We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
(primary domain controller) and several as BDCs (backup domain controllers) in
our branch offices located around the country.
At this point, the PDC is set up in our corporate office (where I'm located) and
users have no trouble authenticating (via logging into Windows and accessing
shares) and also have no trouble changing passwords (either when they expire or
manually) through the Windows interface.
However, users located in the branch offices (where the BDCs are located) have
no trouble authenticating (via logging into Windows and accessing shares)
BUT are unable to change their password through the Windows interface, getting
the error that "The system cannot change your password now because the domain
<name> is not available". All clients are Windows XP with SP2 installed.
I have added (see below) the smb.conf for our PDC as well as the BDC that's
causing problems -- all BDCs basically have the exact same config.
I've tried raising the log level to 3 on the BDC that's not working properly,
but it turns out that trying to change the password doesn't generate ANY log.
However, I know that the domain is available since immediately before attempting
to change password I logged on to Windows using the domain... I've poked around
various forums and newsgroups but haven't found anything that has stuck (or
particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd
be glad to hear them!
Thanks,
Matt
======= PDC smb.conf (global section only) =============
[global]
netbios name = ds-tem-1
workgroup = DOMAIN
server string = Samba PDC %v %h
obey pam restrictions = Yes
passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
security = user
log level = 3
log file = /var/log/samba/%m.log
max log size = 5000
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
logon path =
logon home =
domain logons = Yes
os level = 128
preferred master = Yes
domain master = Yes
ldap admin dn = cn=name,o=organization
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap
ldap machine suffix = ou=Workstations
ldap user suffix =
ldap filter = (uid=%u)
ldap suffix = o=organization
ldap passwd sync = No
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
idmap uid = 10000-20000
idmap gid = 10000-20000
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
wins support = Yes
encrypt passwords = Yes
logon script = %U.bat
map to guest = Bad User
======== BDC smb.conf (global section only) =========
[global]
workgroup = DOMAIN
server string = Samba BDC %v %h
obey pam restrictions = Yes
passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
log level = 2
log file = /var/log/samba/%m.log
max log size = 1000
logon path =
logon home =
domain logons = Yes
domain master = No
preferred master = Yes
ldap admin dn = cn=name,o=organization
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap
ldap machine suffix = ou=Workstations
ldap suffix = o=organization
ldap passwd sync = No
ldap filter = (uid=%u)
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
idmap uid = 10000-20000
idmap gid = 10000-20000
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
wins server = ip.of.PDC.here
map to guest = Bad User
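
To see exactly where the two posted [global] sections differ, the following Python example (added here, not part of the original post) parses both and lists parameters set on only one side or set to different values. The PDC and BDC strings are an excerpt of the configs above, and the function names are hypothetical.

```python
def parse_global(text):
    """Return {normalized_name: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params["".join(name.split()).lower()] = value.strip()
    return params

def diff_globals(pdc_text, bdc_text):
    """Compare two [global] sections: one-sided parameters and differing values."""
    pdc, bdc = parse_global(pdc_text), parse_global(bdc_text)
    shared = sorted(set(pdc) & set(bdc))
    return {
        "only_pdc": sorted(set(pdc) - set(bdc)),
        "only_bdc": sorted(set(bdc) - set(pdc)),
        "differ": {k: (pdc[k], bdc[k]) for k in shared if pdc[k] != bdc[k]},
    }

# Excerpt of the two configs quoted in the post (not the full files).
PDC = """[global]
netbios name = ds-tem-1
workgroup = DOMAIN
security = user
log level = 3
domain master = Yes
wins support = Yes
encrypt passwords = Yes
"""
BDC = """[global]
workgroup = DOMAIN
log level = 2
domain master = No
wins server = ip.of.PDC.here
"""

if __name__ == "__main__":
    print(diff_globals(PDC, BDC))
```

A parameter missing from one file takes Samba's built-in default there; `testparm -v` prints the effective values on each server.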