[Samba] Password Change from Windows machines ("You do not have permission to change your password")

Derek Simkowiak ubuntu at realloc.net
Tue Dec 1 01:26:29 MST 2009


    Hello,
    I just wasted several hours trying to figure out why I could not 
change Samba passwords from Windows XP computers.  I'm posting here so 
that there is some form of documentation about this on the web.

    My setup is basically this:

- Samba 3.3.2  (running under Ubuntu 9.04)
- OpenLDAP user database
- Full O.S. support for OpenLDAP auth, using nsswitch and PAM. 
    (My client LDAP config was installed using *auth-client-config *as 
per https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, 
plus some tweaking in /etc/smbldap-tools/. )

    I can ssh into the box as a system user that exists only in LDAP 
(and not in /etc/passwd).  I can also change my LDAP password at the 
bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or 
smbpasswd.  That all works as per the documentation.

    The problem: I could not change my password from Windows boxen.  
They kept giving me "You do not have permission to change your password."

    I found the solution by cranking up the log level to 10.  I 
eventually found this golden snippet in all the noise:

[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_chauthtok(670)
  smb_pam_chauthtok: PAM: Password Change for User: dereks
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
  smb_pam_passchange_conv: starting converstation for 1 messages
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
  smb_pam_passchange_conv: Processing message 0
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*retype new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*password updated successfully*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to |New password:|
[2009/11/30 23:23:37,  3] auth/pampass.c:smb_pam_passchange_conv(370)
  smb_pam_passchange_conv: Could not find reply for PAM prompt: New password:
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_chauthtok(699)
  PAM: User not known to PAM
[2009/11/30 23:23:37,  2] auth/pampass.c:smb_pam_error_handler(77)
  smb_pam_error_handler: PAM: Password Change Failed : User not known to the underlying authentication module
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_passchange(861)
  smb_pam_passchange: PAM: Password Change Failed for user dereks!
[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_end(450)
  smb_pam_end: PAM: PAM_END OK.
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
[2009/11/30 23:23:37,  5] rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
  _samr_ChangePasswordUser2: 1907
      samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
          out: struct samr_ChangePasswordUser2
              result                   : NT_STATUS_ACCESS_DENIED


    Here you can see that the "password chat" was attempting to 
communicate with PAM in a fashion similar to 'expect'.  My "passwd chat" 
setting in /etc/samba/smb.conf was not correct, so the password change 
failed.  The resulting error code "NT_STATUS_ACCESS_DENIED" caused 
Windows to print that useless "You do not have permission to change your 
password" dialog box, and sent me on a wild goose chase.

    The comments in the smb.conf that come with Ubuntu say this:

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan at informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

    My reading of these comments is that either "passwd program" with 
matching "passwd chat" will be used, or else "pam password change = yes" 
will be used.  In my troubleshooting, I commented out either the first 
one (to use PAM), or else the latter one (to use /usr/bin/passwd with 
the chat setting).  That interpretation was also consistent with all the 
Samba docs and forum postings I found online.

    But, as shown in the logs above, the correct answer was "pam 
password change = yes" with a corrected "passwd chat" setting.  Here is 
a setting that works for me on Ubuntu 9.04:

passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *New\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

    I deduced that customized chat script by running "/usr/bin/passwd 
username" at the bash prompt to see what happens. 

    Alternatively, I now know that the default setting for "passwd chat" 
will work with PAM, if I comment out the broken one that comes with the 
Ubuntu (and Debian?) smb.conf file and also comment out the 
"passwd program = ..." line. 

    In short, the combination of these issues made troubleshooting 
time-consuming and difficult:

- Misleading error message ("You do not have permission to change your 
password.")
- Misleading docs that imply EITHER "pam password change = yes" OR 
"passwd program" with "passwd chat"
- An outdated, incorrect setting for "passwd chat" in the Debian and 
Ubuntu smb.conf file that does not work with /usr/bin/passwd
- Missing Samba docs to explain that "passwd chat" might be used, even in 
the case of "pam password change = yes"
- Missing Samba docs to explain the default setting for "passwd chat" 
will work with PAM, in the case of "pam password change"


    Hopefully this will help somebody else avoid the same mistake.


Thank You,
Derek Simkowiak


