[Samba] Win XP Client password change nightmare.
Arturo Limon
limonavila at gmail.com
Wed Mar 25 23:32:35 GMT 2009
Hello,
I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
CentOS included versión).
I have configured Samba as a PDC following "Samba-3 by example" chapter 3,
"Secure Office Networking". No DNS or DHCP active, as far as for now this is
just a test environment.
Most of it works fine, but trying to change user passwords for a MS-Windows
test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
always get an Access Denied (Aceso denegado) error message. Connection from
MS-Windows computer is done as "Administrator" (root).
I have googled for hours, and the problem does not seem to be new, but no
advice has helped appart from NOT syncing Samba and Linux passwords, which I
do not want to do.
My smb.conf is as follows:
[global]
workgroup = MICASA
netbios name = TESTSERVER
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = tdbsam
unix password sync = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = "New UNIX password:*" %n\n "Retype new UNIX
password:*" %n\n "passwd: all authentication to
username map = /etc/samba/smbusers
;syslog = 0
log file = /var/log/samba/%m
max log size = 150
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
.............
(I do not think rest of smb.conf may be of efect in the problem)
/etc/pam.d/samba is as follows (just like CentOS install leaves it):
#%PAM-1.0
auth required pam_nologin.so
auth include system-auth
account include system-auth
session include system-auth
password include system-auth
/etc/pam.d/system-auth is as follows (also like CentOS install leaves it):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
When trying to change password, messages are ....
>From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test
computer):
[2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033)
pc-prueba (192.168.1.100) connect to service root initially as user root
(uid=0, gid=0) (pid 17133)
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691)
PAM: UNKNOWN PAM ERROR (19) for User: arturo
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847)
smb_pam_passchange: PAM: Password Change Failed for user arturo!
No error messages in smbd.log or nmbd.log.
I have tried with "password chat debug = Yes" and found no clue of what the
problem could be. Commenting out "pam password change = Yes" or changing it
to "No" have not helped. Only switching to "No" the "Unix password sync".
I can't believe it does not work, I think something must be wrong somewhere,
or in what I am doing. I have spent several hours trying and it is quite
frustrating. Any help will be greatly appreciated.
Thanks in advance.
Regards.
Arturo.
More information about the samba
mailing list