[Samba] Samba, pam, NIS and password changes

Nigel Allen dna at edrs.com.au
Sun Sep 14 23:11:19 GMT 2008


<bump?>

Nigel Allen wrote:
>
> Hi
>
> I have a customer who is having a problem with Samba password changes.
>
> The samba server (server12) is set up as a PDC for a Windows domain 
> with XP clients. Samba is Version 3.0.26a-SerNet-RedHat. OS is Centos 
> 3.9.
>
> There is also a separate mail server (server56) running FC6 which uses 
> NIS for user validation.
>
> NIS server is running on server12.
>
> Generally speaking, everything is working and has been since the 
> server was set up by root.
>
> When a user tries to change their password from their XP workstation 
> they get the following error "You do not have permission to change 
> your password".
>
> If I log on to the server and do an "su -" to the user's account, I 
> get the following:
>
>> [robynw at sydsrv12 robynw]$ smbpasswd
>> Old SMB password:
>> New SMB password:
>> Retype new SMB password:
>> machine 127.0.0.1 rejected the password change: Error was : RAP86: The specified password is invalid.
>> Password changed for user robynw (Note: everything remains unchanged).
>
>
> When I look in /var/log/messages I see the following:
>
>> Sep 10 11:53:08 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Sep 10 11:53:17 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Sep 10 11:54:16 sydsrv12 named[4727]: client 192.168.0.210#2081: update 'jamesons.com.au/IN' denied
>> Sep 10 11:54:43 sydsrv12 su(pam_unix)[1859]: session opened for user robynw by prosmart(uid=0)
>> Sep 10 11:55:28 sydsrv12 named[4727]: client 192.168.0.242#1430: update 'jamesons.com.au/IN' denied
>> Sep 10 11:55:38 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Sep 10 11:56:09 sydsrv12 su(pam_unix)[1859]: session closed for user robynw
>> Sep 10 11:56:23 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
>
>
> In the workstation log in /var/log/samba/pc004 I see the following:
>
>> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
>>   smb_pam_passchange: PAM: Password Change Failed for user robynw!
>> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
>>   smb_pam_passchange: PAM: Password Change Failed for user robynw!
>> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
>>   smb_pam_passchange: PAM: Password Change Failed for user robynw!
>> [2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
>>   smb_pam_passchange: PAM: Password Change Failed for user robynw!
>
>
> Here is the contents of /etc/pam.d/samba:
>
>> #%PAM-1.0
>> auth     required       pam_unix.so
>> account  required       pam_unix.so
> and the global section of /etc/samba/smb.conf
>
> # Date: 2008/09/10 11:01:30
>
>> [global]
>>         workgroup = MYDOMAIN
>>         passdb backend = tdbsam
>>         pam password change = Yes
>>         passwd program = /usr/bin/passwd %u
>>         passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
>>         username map = /etc/samba/smbusers
>>         unix password sync = Yes
>>         log level = 1
>>         syslog = 0
>>         log file = /var/log/samba/%m
>>         max log size = 50
>>         smb ports = 139
>>         name resolve order = wins bcast hosts
>>         time server = Yes
>>         show add printer wizard = No
>>         add user script = /usr/sbin/useradd -m '%u'
>>         delete user script = /usr/sbin/userdel -r '%u'
>>         add group script = /usr/sbin/groupadd '%g'
>>         delete group script = /usr/sbin/groupdel '%g'
>>         add user to group script = /usr/sbin/usermod -G '%g' '%u'
>>         add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
>>         logon script = scripts\logon.bat
>>         logon path = \\%L\profiles\%U
>>         logon drive = X:
>>         logon home = \\%L\%U
>>         domain logons = Yes
>>         preferred master = Yes
>>         wins support = Yes
>>         ldap ssl = no
>>         utmp = Yes
>>         map acl inherit = Yes
>>         cups options = Raw
>>         veto files = /*.eml/*.nws/*.{*}/
>>         veto oplock files = /*.doc/*.xls/*.mdb/
>>         strict locking = No
>
> I would really appreciate anyone's input into where I should start 
> looking. Although I would like a solution to this, I would /really/ 
> like to understand the problem a little better. I have gone through 
> the Official Samba-3 How To and Samba by Example but I don't feel any 
> closer to the solution.
>
> Any takers?
>
> TIA
>
> Nigel.
>
>
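
A check that can be run against the two files quoted above (an added example, not part of the original message): with `unix password sync` and `pam password change` enabled, smbd changes the Unix password through the PAM `password` management group, so the script lists which groups the PAM service file defines and reports a mismatch. The function names are hypothetical; the inputs are copied from the post, trimmed to the relevant lines.

```python
import re

# Copied from the post: /etc/pam.d/samba and the relevant [global] lines.
PAM_SAMBA = """#%PAM-1.0
auth     required       pam_unix.so
account  required       pam_unix.so
"""
SMB_CONF = """[global]
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        unix password sync = Yes
"""
# type, control (plain word or [bracketed list]), module
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_groups(text):
    """Map each PAM management group to the modules configured for it."""
    stacks = {g: [] for g in ("auth", "account", "password", "session")}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() in stacks:
            stacks[m.group(1).lower()].append(m.group(3))
    return stacks

def smb_globals(text):
    """Return the [global] parameters, names lower-cased and space-normalised."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def check(smb_text, pam_text):
    """Report conflicts between the smb.conf password-sync options and PAM."""
    opts, stacks = smb_globals(smb_text), pam_groups(pam_text)
    yes = lambda k: opts.get(k, "no").lower() in ("yes", "true", "1", "on")
    if not (yes("unix password sync") and yes("pam password change")):
        return []
    out = []
    if not stacks["password"]:  # Linux-PAM then uses the 'other' service
        out.append("no 'password' entries in the PAM service file")
    if "passwd program" in opts:  # PAM replaces passwd program for the change
        out.append("passwd program is not used while pam password change = Yes")
    return out
```
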


