[Samba] Error: You do not have permission to change your password
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Aug 18 11:13:14 MDT 2010
samba should bind as the ldap admin and with the password specified with
the "smbpasswd -w" command. Assuming the user's unix password is also
stored in ldap, I would have thought the "ldap passwd sync" option
would have worked- it never did for me though.
On 08/18/2010 11:41 AM, Christopher Springer wrote:
> I've done some additional testing via ldapmodify and found that I can
> login as the LDAP user and the user has permission to change his/her
> own password hash. Does Samba bind to the LDAP directory as the user
> that is changing the password or as the user as defined by "ldap admin
> dn"?
>
> Any other thoughts on this issue?
>
> Thanks all for your help!
>
> Chris
>
> On 08/18/2010 10:47 AM, Daniel Müller wrote:
>> You only changed unix-password:
>>
>>
>> tuepdc:~ # smbldap-passwd --help
>> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed
>> under
>> the GPL
>> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>> -h, -?, --help show this help message
>> -s update only samba password
>> -u update only UNIX password
>>
>> Just use smbldap-passwd USER
>>
>>
>>
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Christopher Springer [mailto:cspringer at brcrp.com]
>> Gesendet: Mittwoch, 18. August 2010 16:28
>> An: mueller at tropenklinik.de
>> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
>> Betreff: Re: [Samba] Error: You do not have permission to change your
>> password
>>
>> I did some additional testing...
>>
>> It turns out that I was able to change the password successfully
>> using...
>>
>> smbldap-passwd kennyz
>>
>> But then I tried changing with the -u option as follows...
>>
>> smbldap-passwd -u kennyz
>>
>> This did not return an error but it also apparently did not change the
>> user's password because I can't login as the user now. I do not know
>> how to interpret this behaviour but I'm hoping it can give you guys a
>> clue as to what is truly the problem here.
>>
>> Thanks.
>> --
>> Chris
>>
>> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>>> You need
>>> ldap passwd sync = yes
>>> no unix password sync = yes
>>>
>>> Then try to change it on your linux box.
>>> -----------------------------------------------
>>> EDV Daniel Müller
>>>
>>> Leitung EDV
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: mueller at tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> -----------------------------------------------
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org]
>> Im
>>> Auftrag von Gaiseric Vandal
>>> Gesendet: Mittwoch, 18. August 2010 15:48
>>> An: samba at lists.samba.org
>>> Betreff: Re: [Samba] Error: You do not have permission to change your
>>> password
>>>
>>> I am pretty sure that the password command and script is run as root,
>>> not as the user changing the password. What happens if you run the
>>> password commands on the samba server? I don't have smbldap tools on
>>> my system (Solaris, so not provided by the Sun distro) so I had to rely
>>> on the OS password tools. By default, root is not going to have
>>> sufficient privledges to change ldap passwords.
>>>
>>> If you don't enable password sync, are you able to change your Windows
>>> password?
>>>
>>>
>>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>>> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb
>>>> backend
>>>> and do the following...
>>>>
>>>> 1. Login as user on Windows system using domain user name and
>>>> password - Login successful
>>>> 2. Press Ctrl-Alt-Del
>>>> 3. Press Change Password
>>>> 4. Enter old and new password as prompted
>>>> 5. Receive response "You do not have permission to change your
>>>> password."
>>>>
>>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>>
>>>> [2010/08/17 16:13:53.884482, 0]
>>>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>>> NTLMSSP NTLM1 packet check failed due to invalid signature!
>>>> [2010/08/17 16:13:53.884592, 0]
>>>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>>> process_request_pdu: failed to do auth processing.
>>>> [2010/08/17 16:13:53.884668, 0]
>>>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>>> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>>
>>>> This was generated from a WindowsNT4 system. The issue can also be
>>>> duplicated from Windows XP clients.
>>>>
>>>> My smb.conf file on this system (PDC):
>>>>
>>>> [global]
>>>> log level = 1
>>>> workgroup = CORPDOM
>>>> netbios name = CORPPDC
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> enable privileges = yes
>>>> #encrypt passwords = yes
>>>> username map = /etc/samba/smbusers
>>>> printcap name = cups
>>>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u'
>>>> '%g'
>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>> logon script = scripts/%U.bat
>>>> logon path =
>>>> logon drive =
>>>> security = user
>>>> domain logons = Yes
>>>> os level = 35
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> smb ports = 139
>>>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
>>>> 10.20.0.255/CORPDOM
>>>> #remote browse sync = 10.20.255.255 10.30.255.255
>>>> #remote announce = 10.30.255.255
>>>> #remote browse sync = 10.30.255.255
>>>> ldap suffix = dc=brcrp,dc=com
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=People
>>>> ldap group suffix = ou=Group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>>> ldap ssl = no
>>>> #ldap passwd sync = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>>> #client lanman auth = yes
>>>> #unix password sync = yes
>>>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>>>> idmap backend = ldap:ldap://127.0.0.1
>>>> idmap uid = 15000-20000
>>>> idmap gid = 15000-20000
>>>> printing = cups
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /pub
>>>> guest ok = Yes
>>>> browseable = No
>
More information about the samba
mailing list