[Samba] Password Change from Windows machines ("You do not have permission to change your password")
Derek Simkowiak
ubuntu at realloc.net
Tue Dec 1 10:39:04 MST 2009
For anyone else trying to get this to work, I should also add that a
problem in the Ubuntu auth-client-config package was also giving me the
same (misleading) error message.
In /etc/pam.d/common-password, you must remove the "use_authtok"
option on the pam_ldap.so line:
_Wrong:_
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
_Correct:_
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
This problem also resulted in the misleading "You do not have
permission to change your password" error message. Between this and the
problem below, I was pulling my hair out...
Thanks,
Derek
On 12/01/2009 12:26 AM, Derek Simkowiak wrote:
> Hello,
> I just wasted several hours trying to figure out why I could not
> change Samba passwords from Windows XP computers. I'm posting here so
> that there is some form of documentation about this on the web.
>
> My setup is basically this:
>
> - Samba 3.3.2 (running under Ubuntu 9.04)
> - OpenLDAP user database
> - Full O.S. support for OpenLDAP auth, using nsswitch and PAM. (My
> client LDAP config was installed using *auth-client-config* as per
> https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, plus
> some tweaking in /etc/smbldap-tools/. )
>
> I can ssh into the box as a system user that exists only in LDAP
> (and not in /etc/passwd). I can also change my LDAP password at the
> bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or
> smbpasswd. That all works as per the documentation.
>
> The problem: I could not change my password from Windows boxen.
> They kept giving me "You do not have permission to change your password."
>
> I found the solution by cranking up the log level to 10. I
> eventually found this golden snippet in all the noise:
>
> [2009/11/30 23:23:37, 4] auth/pampass.c:smb_pam_chauthtok(670)
> smb_pam_chauthtok: PAM: Password Change for User: dereks
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
> smb_pam_passchange_conv: starting converstation for 1 messages
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
> smb_pam_passchange_conv: Processing message 0
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
> smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
> smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter
> new * password:*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
> smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match
> |*retype new * password:*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
> smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match
> |*password updated successfully*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
> smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to
> |New password:|
> [2009/11/30 23:23:37, 3] auth/pampass.c:smb_pam_passchange_conv(370)
> smb_pam_passchange_conv: Could not find reply for PAM prompt: New
> password:
> [2009/11/30 23:23:37, 0] auth/pampass.c:smb_pam_chauthtok(699)
> PAM: User not known to PAM
> [2009/11/30 23:23:37, 2] auth/pampass.c:smb_pam_error_handler(77)
> smb_pam_error_handler: PAM: Password Change Failed : User not known
> to the underlying authentication module
> [2009/11/30 23:23:37, 0] auth/pampass.c:smb_pam_passchange(861)
> smb_pam_passchange: PAM: Password Change Failed for user dereks!
> [2009/11/30 23:23:37, 4] auth/pampass.c:smb_pam_end(450)
> smb_pam_end: PAM: PAM_END OK.
> [2009/11/30 23:23:37, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2009/11/30 23:23:37, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
> pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
> [2009/11/30 23:23:37, 5]
> rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
> _samr_ChangePasswordUser2: 1907
> samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
> out: struct samr_ChangePasswordUser2
> result : NT_STATUS_ACCESS_DENIED
>
>
> Here you can see that the "password chat" was attempting to
> communicate with PAM in a fashion similar to 'expect'. My "passwd
> chat" setting in /etc/samba/smb.conf was not correct, so the password
> change failed. The resulting error code "NT_STATUS_ACCESS_DENIED"
> caused Windows to print that useless "You do not have permission to
> change your password" dialog box, and sent me on a wild goose chase.
>
> The comments in the smb.conf that come with Ubuntu say this:
>
> # For Unix password sync to work on a Debian GNU/Linux system, the following
> # parameters must be set (thanks to Ian Kahan <<kahan at informatik.tu-muenchen.de> for
> # sending the correct chat script for the passwd program in Debian Sarge).
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>
> # This boolean controls whether PAM will be used for password changes
> # when requested by an SMB client instead of the program listed in
> # 'passwd program'. The default is 'no'.
> pam password change = yes
>
> My reading of these comments is that either "passwd program" with
> matching "passwd chat" will be used, or else "pam password change =
> yes" will be used. In my troubleshooting, I commented out either the
> first one (to use PAM), or else the latter one (to use /usr/bin/passwd
> with the chat setting). That interpretation was also consistent with
> all the Samba docs and forum postings I found online.
>
> But, as shown in the logs above, the correct answer was "pam
> password change = yes" with a corrected "passwd chat" setting. Here
> is a setting that works for me on Ubuntu 9.04:
>
> passwd program = /usr/bin/passwd %u
> passwd chat = *New\spassword:* %n\n *New\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
>
> I deduced that customized chat script by running "/usr/bin/passwd
> username" at the bash prompt to see what happens.
> Alternatively, I now know that the default setting for "passwd
> chat" setting will work with PAM, if I comment out the broken one that
> comes with the Ubuntu (and Debian?) smb.conf file and also comment out
> the "passwd program = ..." line.
> In short, the combination of these issues made troubleshooting time
> consuming and difficult:
>
> - Misleading error message ("You do not have permission to change your
> password.")
> - Misleading docs that imply EITHER "pam password change = yes" OR
> "passwd program" with "passwd chat"
> - An outdated, incorrect setting for "passwd chat" in the Debian and
> Ubuntu smb.conf file that does not work with /usr/bin/passwd
> - Missing Samba docs to explain "passwd chat" might be used, even in
> the case of "pam password change = yes"
> - Missing Samba docs to explain the default setting for "passwd chat"
> will work with PAM, in the case of "pam password change"
>
>
> Hopefully this will help somebody else avoid the same mistake.
>
>
> Thank You,
> Derek Simkowiak
>
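As an added example (not part of Derek's posts or of Samba's own code), the following Python models the expect-style matching that smb_pam_passchange_conv performs between the "passwd chat" tokens and the prompts PAM hands back, so a candidate chat string can be checked against the prompts seen in the log before editing smb.conf. It assumes Samba's matcher is a case-insensitive wildcard match, and the prompt sequence is constructed from the log quoted above.

```python
import fnmatch

# Constructed prompt sequence, modelled on the PAM messages in the log quoted above
# (the last one is what /usr/bin/passwd prints on success).
PAM_PROMPTS = ["New password:", "Retype new password:",
               "passwd: password updated successfully"]

# The Debian/Ubuntu default chat from the post, and the corrected one.
DEBIAN_CHAT = (r"*Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n"
               r" *password\supdated\ssuccessfully* .")
FIXED_CHAT = (r"*New\spassword:* %n\n *New\spassword:* %n\n"
              r" *password\supdated\ssuccessfully* .")


def parse_chat(chat):
    """Split a passwd chat into (expect, reply) pairs. Tokens are separated by
    whitespace and alternate expect/reply; '\\s' inside a token is a literal space."""
    tokens = chat.split()
    if len(tokens) % 2:
        raise ValueError("passwd chat must have an even number of tokens")
    return [(tokens[i].replace(r"\s", " "), tokens[i + 1])
            for i in range(0, len(tokens), 2)]


def reply_for(pairs, prompt, new_password):
    """Mimic smb_pam_passchange_conv: try every expect pattern against the prompt
    (case-insensitive wildcard match, an assumption about Samba's matcher) and
    return the reply of the first one that matches, or None if nothing matches."""
    for expect, reply in pairs:
        if fnmatch.fnmatchcase(prompt.lower(), expect.lower()):
            if reply == ".":  # '.' means send nothing
                return ""
            return reply.replace("%n", new_password).replace(r"\n", "\n")
    return None


def run_chat(chat, prompts, new_password="s3cret"):
    """Drive the chat over a prompt sequence; return (ok, replies) or (False, error)."""
    pairs = parse_chat(chat)
    replies = []
    for prompt in prompts:
        reply = reply_for(pairs, prompt, new_password)
        if reply is None:
            # The condition behind "Could not find reply for PAM prompt" in the log,
            # which ends up as NT_STATUS_ACCESS_DENIED on the Windows side.
            return False, f"Could not find reply for PAM prompt: {prompt}"
        replies.append(reply)
    return True, replies
```

Running run_chat over DEBIAN_CHAT reproduces the failure on the very first prompt, while FIXED_CHAT answers all three.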