[Samba] Win XP Client password change nightmare.

Arturo Limon limonavila at gmail.com
Wed Mar 25 23:32:35 GMT 2009


I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
CentOS included version).

I have configured Samba as a PDC following "Samba-3 by example" chapter 3,
"Secure Office Networking". No DNS or DHCP is active, as for now this is
just a test environment.

Most of it works fine, but trying to change user passwords for a MS-Windows
test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
always get an Access Denied (Aceso denegado) error message. Connection from
MS-Windows computer is done as "Administrator" (root).

I have googled for hours, and the problem does not seem to be new, but no
advice has helped apart from NOT syncing Samba and Linux passwords, which I
do not want to do.

My smb.conf is as follows:

        workgroup = MICASA
        netbios name = TESTSERVER
        interfaces = eth0, lo
        bind interfaces only = Yes
        passdb backend = tdbsam

        unix password sync = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = "New UNIX password:*" %n\n "Retype new UNIX password:*" %n\n "passwd: all authentication to

        username map = /etc/samba/smbusers
        ;syslog = 0
        log file = /var/log/samba/%m
        max log size = 150
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No

        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c

        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        logon home = \\%L\%U
        domain logons = Yes
        (I do not think the rest of smb.conf has any effect on the problem)

/etc/pam.d/samba is as follows (just like CentOS install leaves it):

auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth

/etc/pam.d/system-auth is as follows (also like CentOS install leaves it):

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

When trying to change password, messages are ....

From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test

[2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033)
  pc-prueba ( connect to service root initially as user root (uid=0, gid=0) (pid 17133)
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691)
  PAM: UNKNOWN PAM ERROR (19) for User: arturo
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847)
  smb_pam_passchange: PAM: Password Change Failed for user arturo!

No error messages in smbd.log or nmbd.log.

I have tried with "password chat debug = Yes" and found no clue of what the
problem could be. Commenting out "pam password change = Yes" or changing it
to "No" has not helped. Only switching "Unix password sync" to "No" does.

I can't believe it does not work, I think something must be wrong somewhere,
or in what I am doing. I have spent several hours trying and it is quite
frustrating. Any help will be greatly appreciated.

Thanks in advance.



