[Samba] Password Change from Windows machines ("You do not have permission to change your password")

Derek Simkowiak ubuntu at realloc.net
Tue Dec 1 10:39:04 MST 2009


    For anyone else trying to get this to work, I should also add that a 
problem in the Ubuntu auth-client-config package was also giving me the 
same (misleading) error message.

    In /etc/pam.d/common-password, you must remove the "use_authtok" 
option on the pam_ldap.so line:

_Wrong:_
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass

_Correct:_
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass


    This problem also resulted in the misleading "You do not have 
permission to change your password" error message.  Between this and the 
problem below, I was pulling my hair out...


Thanks,
Derek


On 12/01/2009 12:26 AM, Derek Simkowiak wrote:
>    Hello,
>    I just wasted several hours trying to figure out why I could not 
> change Samba passwords from Windows XP computers.  I'm posting here so 
> that there is some form of documentation about this on the web.
>
>    My setup is basically this:
>
> - Samba 3.3.2  (running under Ubuntu 9.04)
> - OpenLDAP user database
> - Full O.S. support for OpenLDAP auth, using nsswitch and PAM.    (My 
> client LDAP config was installed using auth-client-config as per 
> https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, plus 
> some tweaking in /etc/smbldap-tools/. )
>
>    I can ssh into the box as a system user that exists only in LDAP 
> (and not in /etc/passwd).  I can also change my LDAP password at the 
> bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or 
> smbpasswd.  That all works as per the documentation.
>
>    The problem: I could not change my password from Windows boxen.  
> They kept giving me "You do not have permission to change your password."
>
>    I found the solution by cranking up the log level to 10.  I 
> eventually found this golden snippet in all the noise:
>
> [2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_chauthtok(670)
>  smb_pam_chauthtok: PAM: Password Change for User: dereks
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
>  smb_pam_passchange_conv: starting converstation for 1 messages
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
>  smb_pam_passchange_conv: Processing message 0
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
>  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
>  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter new * password:*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
>  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*retype new * password:*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
>  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*password updated successfully*| to |New password:|
> [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
>  smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to |New password:|
> [2009/11/30 23:23:37,  3] auth/pampass.c:smb_pam_passchange_conv(370)
>  smb_pam_passchange_conv: Could not find reply for PAM prompt: New password:
> [2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_chauthtok(699)
>  PAM: User not known to PAM
> [2009/11/30 23:23:37,  2] auth/pampass.c:smb_pam_error_handler(77)
>  smb_pam_error_handler: PAM: Password Change Failed : User not known to the underlying authentication module
> [2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_passchange(861)
>  smb_pam_passchange: PAM: Password Change Failed for user dereks!
> [2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_end(450)
>  smb_pam_end: PAM: PAM_END OK.
> [2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>  pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
> [2009/11/30 23:23:37,  5] rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
>  _samr_ChangePasswordUser2: 1907
>      samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
>          out: struct samr_ChangePasswordUser2
>              result                   : NT_STATUS_ACCESS_DENIED
>
>
>    Here you can see that the "password chat" was attempting to 
> communicate with PAM in a fashion similar to 'expect'.  My "passwd 
> chat" setting in /etc/samba/smb.conf was not correct, so the password 
> change failed.  The resulting error code "NT_STATUS_ACCESS_DENIED" 
> caused Windows to print that useless "You do not have permission to 
> change your password" dialog box, and sent me on a wild goose chase.
>
>    The comments in the smb.conf that come with Ubuntu say this:
>
> # For Unix password sync to work on a Debian GNU/Linux system, the following
> # parameters must be set (thanks to Ian Kahan <<kahan at informatik.tu-muenchen.de> for
> # sending the correct chat script for the passwd program in Debian Sarge).
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>
> # This boolean controls whether PAM will be used for password changes
> # when requested by an SMB client instead of the program listed in
> # 'passwd program'. The default is 'no'.
>   pam password change = yes
>
>    My reading of these comments is that either "passwd program" with 
> matching "passwd chat" will be used, or else "pam password change = 
> yes" will be used.  In my troubleshooting, I commented out either the 
> first one (to use PAM), or else the latter one (to use /usr/bin/passwd 
> with the chat setting).  That interpretation was also consistent with 
> all the Samba docs and forum postings I found online.
>
>    But, as shown in the logs above, the correct answer was "pam 
> password change = yes" with a corrected "passwd chat" setting.  Here 
> is a setting that works for me on Ubuntu 9.04:
>
> passwd program = /usr/bin/passwd %u
> passwd chat = *New\spassword:* %n\n *New\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
>
>    I deduced that customized chat script by running "/usr/bin/passwd 
> username" at the bash prompt to see what happens.
>    Alternatively, I now know that the default setting for "passwd 
> chat" will work with PAM, if I comment out the broken one that 
> comes with the Ubuntu (and Debian?) smb.conf file and also comment out 
> the "passwd program = ..." line.
>    In short, the combination of these issues made troubleshooting time 
> consuming and difficult:
>
> - Misleading error message ("You do not have permission to change your 
> password.")
> - Misleading docs that imply EITHER "pam password change = yes" OR 
> "passwd program" with "passwd chat"
> - An outdated, incorrect setting for "passwd chat" in the Debian and 
> Ubuntu smb.conf file that does not work with /usr/bin/passwd
> - Missing Samba docs to explain "passwd chat" might be used, even in 
> the case of "pam password change = yes"
> - Missing Samba docs to explain the default setting for "passwd chat" 
> will work with PAM, in the case of "pam password change"
>
>
>    Hopefully this will help somebody else avoid the same mistake.
>
>
> Thank You,
> Derek Simkowiak
>

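To make the expect-style matching in the log above concrete, here is an added example (not part of Derek's post and not Samba's code) that splits a "passwd chat" string into expect/send pairs and matches each PAM prompt against them case-insensitively with shell wildcards, so you can see why the Debian/Ubuntu chat never answers "New password:" while the corrected chat does. The tokenising rules (whitespace-separated pairs, `\s` for a space, `.` for an empty string) are an assumption modelled on the debug output, not a reading of Samba's parser, and the prompt list is constructed from the log.

```python
import fnmatch

# Constructed sample: the PAM prompts that the debug log above shows the
# Ubuntu 9.04 PAM stack sending (two "New password:" prompts, then success).
PAM_PROMPTS = ["New password:", "New password:", "password updated successfully"]

# Chat script from the Debian/Ubuntu smb.conf comments (the one that failed).
DEBIAN_CHAT = (r"*Enter\snew\s*\spassword:* %n\n "
               r"*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .")
# Corrected chat script from the post.
FIXED_CHAT = (r"*New\spassword:* %n\n *New\spassword:* %n\n "
              r"*password\supdated\ssuccessfully* .")

def parse_chat(chat):
    """Split a 'passwd chat' string into (expect, send) pairs.

    Tokens are whitespace separated, '\\s' stands for a space inside a token,
    and '.' means an empty string. Assumption modelled on the debug log, not
    Samba's own parser.
    """
    tokens = [t.replace(r"\s", " ") for t in chat.split()]
    if len(tokens) % 2:
        raise ValueError("passwd chat must consist of expect/send pairs")
    return [("" if e == "." else e.lower(), "" if s == "." else s)
            for e, s in zip(tokens[0::2], tokens[1::2])]

def find_reply(pairs, prompt, new_password):
    """Return the reply for one PAM prompt, or None when no expect matches.

    Case-insensitive wildcard matching, as the log line
    'trying to match |*enter new * password:*| to |New password:|' suggests.
    """
    for expect, send in pairs:
        if fnmatch.fnmatchcase(prompt.lower(), expect):
            return send.replace("%n", new_password).replace(r"\n", "\n")
    return None

def run_chat(chat, prompts, new_password="s3cret-example"):
    """Drive the chat over the prompt list: (True, None) or (False, prompt)."""
    pairs = parse_chat(chat)
    for prompt in prompts:
        if find_reply(pairs, prompt, new_password) is None:
            return False, prompt  # Samba: "Could not find reply for PAM prompt"
    return True, None

if __name__ == "__main__":
    print("Debian default chat:", run_chat(DEBIAN_CHAT, PAM_PROMPTS))
    print("Corrected chat:     ", run_chat(FIXED_CHAT, PAM_PROMPTS))
```

Swap in the exact prompts your own `/usr/bin/passwd` or PAM stack prints to check a chat script before it ever reaches a Windows client.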
