[Samba] Error: You do not have permission to change your password

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Aug 18 11:13:14 MDT 2010


Samba should bind as the LDAP admin and with the password specified with
the "smbpasswd -w" command. Assuming the user's unix password is also
stored in LDAP, I would have thought the "ldap passwd sync" option
would have worked; it never did for me though.




On 08/18/2010 11:41 AM, Christopher Springer wrote:
>  I've done some additional testing via ldapmodify and found that I can 
> login as the LDAP user and the user has permission to change his/her 
> own password hash.  Does Samba bind to the LDAP directory as the user 
> that is changing the password or as the user as defined by "ldap admin 
> dn"?
>
> Any other thoughts on this issue?
>
> Thanks all for your help!
>
> Chris
>
> On 08/18/2010 10:47 AM, Daniel Müller wrote:
>> You only changed unix-password:
>>
>>
>> tuepdc:~ # smbldap-passwd --help
>> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com) - Licensed under the GPL
>> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>>    -h, -?, --help show this help message
>>    -s             update only samba password
>>    -u             update only UNIX password
>>
>> Just use smbldap-passwd USER
>>
>>
>>
>> -----------------------------------------------
>> IT Department, Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> E-mail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Original Message-----
>> From: Christopher Springer [mailto:cspringer at brcrp.com]
>> Sent: Wednesday, 18 August 2010 16:28
>> To: mueller at tropenklinik.de
>> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
>> Subject: Re: [Samba] Error: You do not have permission to change your password
>>
>>    I did some additional testing...
>>
>> It turns out that I was able to change the password successfully 
>> using...
>>
>> smbldap-passwd kennyz
>>
>> But then I tried changing with the -u option as follows...
>>
>> smbldap-passwd -u kennyz
>>
>> This did not return an error but it also apparently did not change the
>> user's password because I can't login as the user now.  I do not know
>> how to interpret this behaviour but I'm hoping it can give you guys a
>> clue as to what is truly the problem here.
>>
>> Thanks.
>> -- 
>> Chris
>>
>> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>>> You need
>>> ldap passwd sync = yes
>>> no  unix password sync = yes
>>>
>>> Then try to change it on your linux box.
>>> -----------------------------------------------
>>> IT Department, Daniel Müller
>>>
>>> Head of IT
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> E-mail: mueller at tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> -----------------------------------------------
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Gaiseric Vandal
>>> Sent: Wednesday, 18 August 2010 15:48
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Error: You do not have permission to change your password
>>>
>>> I am pretty sure that the password command and script is run as root,
>>> not as the user changing the password. What happens if you run the
>>> password commands on the samba server? I don't have smbldap tools on
>>> my system (Solaris, so not provided by the Sun distro) so I had to rely
>>> on the OS password tools. By default, root is not going to have
>>> sufficient privileges to change ldap passwords.
>>>
>>> If you don't enable password sync, are you able to change your Windows
>>> password?
>>>
>>>
>>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>>> I'm using Samba v3.5.4-62 on a Fedora 13 PDC using the LDAP passdb
>>>> backend and do the following...
>>>>
>>>> 1.  Login as user on Windows system using domain user name and
>>>> password - Login successful
>>>> 2.  Press Ctrl-Alt-Del
>>>> 3.  Press Change Password
>>>> 4.  Enter old and new password as prompted
>>>> 5.  Receive response "You do not have permission to change your
>>>> password."
>>>>
>>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>>
>>>> [2010/08/17 16:13:53.884482,  0]
>>>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>>>     NTLMSSP NTLM1 packet check failed due to invalid signature!
>>>> [2010/08/17 16:13:53.884592,  0]
>>>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>>>     process_request_pdu: failed to do auth processing.
>>>> [2010/08/17 16:13:53.884668,  0]
>>>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>>>     process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>>
>>>> This was generated from a WindowsNT4 system.  The issue can also be
>>>> duplicated from Windows XP clients.
>>>>
>>>> My smb.conf file on this system (PDC):
>>>>
>>>> [global]
>>>> log level = 1
>>>> workgroup = CORPDOM
>>>> netbios name = CORPPDC
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> enable privileges = yes
>>>> #encrypt passwords = yes
>>>> username map = /etc/samba/smbusers
>>>> printcap name = cups
>>>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>> logon script = scripts/%U.bat
>>>> logon path =
>>>> logon drive =
>>>> security = user
>>>> domain logons = Yes
>>>> os level = 35
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> smb ports = 139
>>>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>>>> #remote browse sync = 10.20.255.255 10.30.255.255
>>>> #remote announce = 10.30.255.255
>>>> #remote browse sync = 10.30.255.255
>>>> ldap suffix = dc=brcrp,dc=com
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=People
>>>> ldap group suffix = ou=Group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>>> ldap ssl = no
>>>> #ldap passwd sync = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>>> #client lanman auth = yes
>>>> #unix password sync = yes
>>>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>>>> idmap backend = ldap:ldap://127.0.0.1
>>>> idmap uid = 15000-20000
>>>> idmap gid = 15000-20000
>>>> printing = cups
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /pub
>>>> guest ok = Yes
>>>> browseable = No
>
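As an added example (not from this thread, and not code from the Samba project or the smbldap-tools), the following Python script lints the password-synchronisation settings in the [global] section of an smb.conf. It encodes the points made above: Samba binds to LDAP as "ldap admin dn" with the secret stored via "smbpasswd -w", "ldap passwd sync" and "unix password sync" are alternative ways to keep the UNIX password in step (the advice in the thread is to enable one, not both), and "smbldap-passwd -u" updates only the UNIX password. The embedded SAMPLE_SMB_CONF is a constructed excerpt of the configuration posted in the thread; the key-normalisation rules (case-insensitive names, internal whitespace ignored, '#' and ';' comments) are Samba's documented behaviour, and the finding texts are this example's own wording.

```python
"""Lint the password-sync settings of a Samba 3 smb.conf [global] section.

Added example for the thread above; it is not part of Samba or smbldap-tools.
"""
import re

# Constructed sample: the password-related lines of the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
[global]
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\\n*Retype*new*password:*%n\\n*
#passwd program = /usr/sbin/smbldap-passwd -u %u

[netlogon]
path = /pub
"""

LOCAL_LDAP_HINTS = ("127.0.0.1", "localhost", "ldapi:")


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf body.

    Parameter names are case-insensitive and internal whitespace is ignored
    ("ldap admin dn" -> "ldapadmindn"); lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the FIRST '=' so DNs survive
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_password_sync(g):
    """Return a list of 'info:'/'warn:' findings for a parsed [global] section."""
    findings = []
    backend = g.get("passdbbackend", "")
    ldap_backend = backend.lower().startswith("ldapsam")
    ldap_sync = g.get("ldappasswdsync", "no").strip().lower()   # yes | no | only
    unix_sync = _is_true(g.get("unixpasswordsync", "no"))
    passwd_program = g.get("passwdprogram", "")

    if ldap_backend and "ldapadmindn" in g:
        findings.append("info: Samba binds to LDAP as %s with the secret stored by "
                        "'smbpasswd -w'; the directory ACLs that matter for a password "
                        "change are those applied to that DN, not to the user" % g["ldapadmindn"])
    if ldap_sync in ("yes", "only") and unix_sync:
        findings.append("warn: both 'ldap passwd sync' and 'unix password sync' are enabled; "
                        "use 'ldap passwd sync = yes' with 'unix password sync = no'")
    if ldap_sync == "no" and unix_sync and not passwd_program:
        findings.append("warn: 'unix password sync = yes' but no 'passwd program' is set")
    if "smbldap-passwd" in passwd_program and re.search(r"\s-u\b", passwd_program):
        findings.append("warn: 'passwd program' runs smbldap-passwd -u, which updates "
                        "only the UNIX password, not the Samba hashes")
    if ldap_backend and not _is_true(g.get("ldapssl", "no")) \
            and not any(h in backend for h in LOCAL_LDAP_HINTS):
        findings.append("warn: admin bind to a non-local LDAP server without 'ldap ssl'")
    return findings


def lint(text):
    """Parse an smb.conf body and lint its [global] section."""
    return check_password_sync(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print(finding)
```

Run it against a real smb.conf by passing the file's contents to lint(); on the posted configuration it reports only the informational line about the admin DN, because "ldap passwd sync" is commented out and "passwd program" does not use "-u".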


