[Samba] Error: You do not have permission to change your password

Christopher Springer cspringer at brcrp.com
Wed Aug 18 08:05:22 MDT 2010


  Results of testing as requested -

[root@localhost ~]# smbldap-passwd kennyz
Changing UNIX and samba passwords for kennyz
New password: <enter pass>
Retype new password: <enter pass>

No errors returned.  User is able to login with new password.

Commented out "unix password sync = yes".  Still same result..."You do 
not have permission to change your password."

Thank you for your help!  We'll keep trying...

Chris

On 08/18/2010 09:48 AM, Gaiseric Vandal wrote:
> I am pretty sure that the password command and script is run as root, 
> not as the user changing the password.    What happens if you run the 
> password commands on the samba server?   I don't have smbldap tools on 
> my system (Solaris, so not provided by the Sun distro) so I had to 
> rely on the OS password tools.   By default, root is not going to have 
> sufficient privileges to change ldap passwords.
>
> If you don't enable password sync, are you able to change your Windows 
> password?
>
>
> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>  I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend 
>> and do the following...
>>
>> 1.  Login as user on Windows system using domain user name and 
>> password - Login successful
>> 2.  Press Ctrl-Alt-Del
>> 3.  Press Change Password
>> 4.  Enter old and new password as prompted
>> 5.  Receive response "You do not have permission to change your 
>> password."
>>
>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>
>> [2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>   NTLMSSP NTLM1 packet check failed due to invalid signature!
>> [2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>   process_request_pdu: failed to do auth processing.
>> [2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>
>> This was generated from a WindowsNT4 system.  The issue can also be 
>> duplicated from Windows XP clients.
>>
>> My smb.conf file on this system (PDC):
>>
>> [global]
>> log level = 1
>> workgroup = CORPDOM
>> netbios name = CORPPDC
>> passdb backend = ldapsam:ldap://127.0.0.1
>> enable privileges = yes
>> #encrypt passwords = yes
>> username map = /etc/samba/smbusers
>> printcap name = cups
>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> logon script = scripts/%U.bat
>> logon path =
>> logon drive =
>> security = user
>> domain logons = Yes
>> os level = 35
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> smb ports = 139
>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>> #remote browse sync = 10.20.255.255 10.30.255.255
>> #remote announce = 10.30.255.255
>> #remote browse sync = 10.30.255.255
>> ldap suffix = dc=brcrp,dc=com
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap idmap suffix = ou=Idmap
>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>> ldap ssl = no
>> #ldap passwd sync = yes
>> unix password sync = yes
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>> #client lanman auth = yes
>> #unix password sync = yes
>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> printing = cups
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /pub
>> guest ok = Yes
>> browseable = No
>

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
cspringer at brcrp.com
