[Samba] Error: You do not have permission to change your password

Christopher Springer cspringer at brcrp.com
Wed Aug 18 08:20:27 MDT 2010


  After changing these lines my smb.conf now looks like the following 
(just including this so we're clear on the changes I've made thus far)

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
ldap passwd sync = yes
#unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
#passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No


I still receive the same error when trying to change the user password 
on the Windows system.

Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:
> You need
> ldap passwd sync = yes
> no  unix password sync = yes
>
> Then try to change it on your linux box.
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
> Behalf Of Gaiseric Vandal
> Sent: Wednesday, 18 August 2010 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Error: You do not have permission to change your
> password
>
> I am pretty sure that the password command and script is run as root,
> not as the user changing the password.    What happens if you run the
> password commands on the samba server?   I don't have smbldap tools on
> my system (Solaris, so not provided by the Sun distro) so I had to rely
> on the OS password tools.   By default, root is not going to have
> sufficient privileges to change ldap passwords.
>
> If you don't enable password sync, are you able to change your Windows
> password?
>
>
> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>   I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>> and do the following...
>>
>> 1.  Login as user on Windows system using domain user name and
>> password - Login successful
>> 2.  Press Ctrl-Alt-Del
>> 3.  Press Change Password
>> 4.  Enter old and new password as prompted
>> 5.  Receive response "You do not have permission to change your
>> password."
>>
>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>
>> [2010/08/17 16:13:53.884482,  0]
>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>    NTLMSSP NTLM1 packet check failed due to invalid signature!
>> [2010/08/17 16:13:53.884592,  0]
>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>    process_request_pdu: failed to do auth processing.
>> [2010/08/17 16:13:53.884668,  0]
>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>    process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>
>> This was generated from a WindowsNT4 system.  The issue can also be
>> duplicated from Windows XP clients.
>>
>> My smb.conf file on this system (PDC):
>>
>> [global]
>> log level = 1
>> workgroup = CORPDOM
>> netbios name = CORPPDC
>> passdb backend = ldapsam:ldap://127.0.0.1
>> enable privileges = yes
>> #encrypt passwords = yes
>> username map = /etc/samba/smbusers
>> printcap name = cups
>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> logon script = scripts/%U.bat
>> logon path =
>> logon drive =
>> security = user
>> domain logons = Yes
>> os level = 35
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> smb ports = 139
>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>> #remote browse sync = 10.20.255.255 10.30.255.255
>> #remote announce = 10.30.255.255
>> #remote browse sync = 10.30.255.255
>> ldap suffix = dc=brcrp,dc=com
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap idmap suffix = ou=Idmap
>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>> ldap ssl = no
>> #ldap passwd sync = yes
>> unix password sync = yes
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>> #client lanman auth = yes
>> #unix password sync = yes
>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> printing = cups
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /pub
>> guest ok = Yes
>> browseable = No

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
cspringer at brcrp.com
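
Added example, not part of the original messages and not Samba or smbldap-tools code: a small checker that reads the active [global] password-sync parameters from an smb.conf and reports which mechanism is enabled, so the "before" and "after" configurations in this thread can be compared against the combination Daniel suggests. The function names and note wording are assumptions made for illustration.

```python
import re

# Constructed samples: only the password-related [global] lines from the two
# configurations posted in this thread. Function names are hypothetical.
BEFORE = r"""
[global]
passdb backend = ldapsam:ldap://127.0.0.1
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
"""
AFTER = r"""
[global]
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = yes
#unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
#passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
"""

def parse_global(text):
    """Return active [global] parameters; names ignore case and spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or commented-out setting
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def password_sync_report(text):
    p = parse_global(text)
    ldap_sync = p.get("ldappasswdsync", "no").lower()        # yes / no / only
    unix_sync = p.get("unixpasswordsync", "no").lower() in ("yes", "true", "1")
    notes = []
    if unix_sync and ldap_sync != "no":
        notes.append("both sync mechanisms are active")
    if "passwdprogram" in p and not unix_sync:
        notes.append("passwd program is set but unix password sync is off")
    if p.get("passdbbackend", "").startswith("ldapsam") and ldap_sync == "no":
        notes.append("ldap passwd sync is off with an ldapsam backend")
    return {"ldap passwd sync": ldap_sync, "unix password sync": unix_sync,
            "notes": notes}
```
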


