[Samba] Error: You do not have permission to change your password

Christopher Springer cspringer at brcrp.com
Wed Aug 18 06:49:21 MDT 2010

  I'm using Samba v3.5.4-62 on a Fedora 13 PDC with the LDAP passdb backend, 
and I do the following...

1.  Log in as a user on a Windows system using the domain user name and password 
- login is successful
2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response "You do not have permission to change your password."

I receive the following repeated twice in "/var/log/samba/log.smbd"...

[2010/08/17 16:13:53.884482,  0] 
   NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] 
   process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] 
   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be 
duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

# smb.conf for the PDC, as posted. No bracketed section header lines appear in
# this listing (presumably lost when the message was archived): everything up
# to "printing = cups" reads like [global], and the last four parameters read
# like a [netlogon] share. Confirm against the original file.
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
# Accounts and password hashes are kept in LDAP. The URL names no host, so the
# directory is presumably on this machine -- confirm.
passdb backend = ldapsam:ldap://
enable privileges = yes
# Commented out, so the built-in default applies; encrypted passwords are the
# default in Samba 3.x.
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
# Account-management hooks. smbd substitutes %u / %g and runs these
# smbldap-tools commands as root (per smb.conf(5)); the substituted names are
# single-quoted here.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
# Only the NetBIOS session port is listed; port 445 is not served.
smb ports = 139
#remote announce =
#remote browse sync =
#remote announce =
#remote browse sync =
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
# DN that Samba binds as. Its password is not in smb.conf; it is stored in
# secrets.tdb (set with "smbpasswd -w"). cn=Manager looks like the directory's
# root DN -- TODO confirm. A dedicated account whose ACLs cover only the Samba
# attributes would limit what smbd can change in the directory.
ldap admin dn = cn=Manager,dc=brcrp,dc=com
# No TLS on the LDAP connection: the admin bind and the password hashes Samba
# reads and writes cross it unencrypted. Reasonable only if the directory is
# reached over loopback; otherwise "ldap ssl = start tls" is the setting to use.
ldap ssl = no
# Password-change path, relevant to the reported error. "ldap passwd sync" is
# commented out and "unix password sync" is on, so when a client changes its
# SMB password smbd runs the passwd program as root and drives it with
# passwd chat (%u = user name, %n = new password). The chat patterns have to
# match the prompts smbldap-passwd actually prints.
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
# Left commented out, which keeps LANMAN client authentication at its default
# (off).
#client lanman auth = yes
# Earlier variant of the two sync lines above, kept commented out; it differs
# only in passing -u to smbldap-passwd.
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

# Share definition; its section header is missing from the listing (presumably
# [netlogon], given the comment text). "guest ok" allows connections without a
# password. If this is the netlogon share, the logon scripts under it run on
# clients at logon, so write access to /pub should be limited to
# administrators. No "read only"/"writable" line is shown, so the read-only
# default applies.
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No
