[Samba] Unable to change Windows password on Samba BDC
Adam Williams
awilliam at mdah.state.ms.us
Thu May 1 20:45:19 GMT 2008
In the BDC, take out:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
unix password sync = yes
Add:
ldap passwd sync = yes
encrypt passwords = yes
update encrypted = Yes
unix password sync = no
Matt Anderson wrote:
> Dear Help,
>
> We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
> (primary domain controller) and several as BDCs (Backup domain controllers) in
> our branch offices located around the country.
>
> At this point, the PDC is set up in our corporate office (where I'm located) and
> users have no trouble authenticating (via logging into windows and accessing
> shares) and also have no trouble changing passwords (either when they expire or
> manually) through the Windows interface.
>
> However, users located in the branch offices (where the BDCs are located), they
> have no trouble authenticating (via logging into windows and accessing shares)
> BUT are unable to change their password through the Windows interface, getting
> the error that "The system cannot change your password now because the domain
> <name> is not available". All clients are Windows XP with SP2 installed.
>
> I have added (see below) the smb.conf for our PDC as well as the BDC that's
> causing problems -- all BDCs basically have the exact same config.
>
> I've tried raising the log level to 3 on the BDC that's not working properly,
> but it turns out that trying to change the password doesn't generate ANY log.
> However, I know that the domain is available since immediately before attempting
> to change password I logged on to Windows using the domain... I've poked around
> various forums and newsgroups but haven't found anything that has stuck (or
> particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd
> be glad to hear them!
>
> Thanks,
> Matt
>
> ======= PDC smb.conf (global section only) =============
> [global]
> netbios name = ds-tem-1
> workgroup = DOMAIN
> server string = Samba PDC %v %h
> obey pam restrictions = Yes
> passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
> security = user
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 5000
> add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
> logon path =
> logon home =
> domain logons = Yes
> os level = 128
> preferred master = Yes
> domain master = Yes
> ldap admin dn = cn=name,o=organization
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=IDMap
> ldap machine suffix = ou=Workstations
> ldap user suffix =
> ldap filter = (uid=%u)
> ldap suffix = o=organization
> ldap passwd sync = No
> unix password sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> veto files = /.?*/
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> wins support = Yes
> encrypt passwords = Yes
> logon script = %U.bat
> map to guest = Bad User
>
> ======== BDC smb.conf (global section only) =========
> [global]
> workgroup = DOMAIN
> server string = Samba BDC %v %h
> obey pam restrictions = Yes
> passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
> log level = 2
> log file = /var/log/samba/%m.log
> max log size = 1000
> logon path =
> logon home =
> domain logons = Yes
> domain master = No
> preferred master = Yes
> ldap admin dn = cn=name,o=organization
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=IDMap
> ldap machine suffix = ou=Workstations
> ldap suffix = o=organization
> ldap passwd sync = No
> ldap filter = (uid=%u)
> unix password sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> veto files = /.?*/
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> wins server = ip.of.PDC.here
> map to guest = Bad User
>
>
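Editor's added example (not part of the thread or of Samba): a small POSIX shell script that audits a BDC smb.conf for the password-sync settings Adam's reply changes and rewrites the [global] section the way the reply describes. The function names (smbconf_get, audit_bdc_passwd_sync, fix_bdc_passwd_sync) are hypothetical, and the sample configuration is constructed from the password-related lines of the quoted BDC smb.conf plus a dummy [homes] section to show that only [global] is touched.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): audit an smb.conf for the
# BDC password-sync settings discussed above and rewrite [global] to match
# the reply. Function names are hypothetical; the sample is constructed from
# the quoted BDC configuration.

# Constructed sample: the password-related [global] lines from the quoted
# BDC smb.conf, plus a dummy section to show section scoping.
SAMPLE_BDC_CONF='[global]
workgroup = DOMAIN
passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
domain logons = Yes
domain master = No
ldap passwd sync = No
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
[homes]
browseable = No'

# smbconf_get FILE PARAM: print the value of PARAM (case-insensitive,
# whitespace around "=" ignored) from the [global] section, or nothing.
smbconf_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# audit_bdc_passwd_sync FILE: report each setting that makes the BDC run
# "passwd program" on a password change instead of letting Samba write the
# LDAP password itself. Returns 1 if anything needs changing, 0 if the file
# already matches the reply.
audit_bdc_passwd_sync() {
    conf=$1; rc=0
    ups=$(smbconf_get "$conf" "unix password sync" | tr 'A-Z' 'a-z')
    lps=$(smbconf_get "$conf" "ldap passwd sync" | tr 'A-Z' 'a-z')
    case "$ups" in
        yes|true|1)
            echo "unix password sync = $ups: password changes run '$(smbconf_get "$conf" "passwd program")'"
            rc=1 ;;
    esac
    case "$lps" in
        yes|true|1|only) ;;
        *)
            echo "ldap passwd sync = ${lps:-<unset>}: Samba will not update userPassword in LDAP itself"
            rc=1 ;;
    esac
    return $rc
}

# fix_bdc_passwd_sync IN OUT: copy IN to OUT, dropping the [global] lines the
# reply removes and appending the ones it adds at the end of [global].
fix_bdc_passwd_sync() {
    awk '
        function emit_added() {
            print "ldap passwd sync = yes"
            print "encrypt passwords = yes"
            print "update encrypted = Yes"
            print "unix password sync = no"
        }
        /^[ \t]*\[/ {
            if (inglobal) emit_added()
            inglobal = (tolower($0) ~ /^[ \t]*\[global\]/)
            print; next
        }
        inglobal {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            if (key == "passwd program" || key == "passwd chat" ||
                key == "unix password sync" || key == "ldap passwd sync" ||
                key == "encrypt passwords" || key == "update encrypted") next
        }
        { print }
        END { if (inglobal) emit_added() }
    ' "$1" > "$2"
}

# Demonstration on the constructed sample: print the findings, rewrite the
# file, and re-audit the rewritten copy.
demo_in=$(mktemp); demo_out=$(mktemp)
printf '%s\n' "$SAMPLE_BDC_CONF" > "$demo_in"
audit_bdc_passwd_sync "$demo_in" || echo "-> BDC config needs the change from the reply"
fix_bdc_passwd_sync "$demo_in" "$demo_out"
audit_bdc_passwd_sync "$demo_out" && echo "-> rewritten config is clean"
rm -f "$demo_in" "$demo_out"
```

Run it against a copy of the real file, then validate the result with testparm before restarting smbd. Two things worth checking on a BDC once "ldap passwd sync = yes" is in place: the "ldap admin dn" the BDC binds with must be allowed to write userPassword on the LDAP server its "passdb backend" points at, and that server must be writable (a read-only replica will refuse the modify), otherwise the password change still fails, now with an LDAP error in the Samba log rather than silently.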