[Samba] Error: You do not have permission to change your password

Christopher Springer cspringer at brcrp.com
Thu Aug 19 05:35:51 MDT 2010


  These fields are also duplicated in the LDAP directly (see 
sambaPwdCanChange, sambaPwdMustChange, etc.) and do not have any effect 
when changed in the LDAP directory.  Apparently some of them are 
deprecated.  My appeal for a reference of deprecated variables came from 
that issue.

Thanks.
--
Chris

On 08/19/2010 03:44 AM, Daniel Müller wrote:
> tuepdc:~ # smbldap-useradd -?
>   (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
> the GPL
> Usage: /usr/local/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
>    -o    add the user in the organizational unit (relative to the user
> suffix)
>    -a    is a Windows User (otherwise, Posix stuff only)
>    -b    is a AIX User
>    -w    is a Windows Workstation (otherwise, Posix stuff only)
>    -i    is a trust account (Windows Workstation)
>    -u    uid
>    -g    gid
>    -G    supplementary comma-separated groups
>    -n    do not create a group
>    -d    home
>    -s    shell
>    -c    gecos
>    -m    creates home directory and copies /etc/skel
>    -k    skeleton dir (with -m)
>    -t    time. Wait 'time' seconds before exiting (when adding Windows
> Workstation)
>    -P    ends by invoking smbldap-passwd
>    -A    can change password ? 0 if no, 1 if yes
> <---------------------------see!!!!
>    -B    must change password ? 0 if no, 1 if yes
>    -C    sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
>    -D    sambaHomeDrive (letter associated with home share, like 'H:')
>    -E    sambaLogonScript (DOS script to execute on login)
>    -F    sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
>    -H    sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
>    -N    surname
>    -S    family name
>    -M    local mailAddress (comma seperated)
>    -T    mailToAddress (forward address) (comma seperated)
>    -?    show this help message
>
> -----------------------------------------------
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: Christopher Springer [mailto:cspringer at brcrp.com]
> Sent: Wednesday, 18 August 2010 17:00
> To: mueller at tropenklinik.de
> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
> Subject: Re: AW: [Samba] Error: You do not have permission to change your
> password
>
>    Using that from the command line I'm able to change the user's
> password and successfully login.  However, that didn't solve my problem
> when the user tries to change their password and I receive "You do not
> have permission to change your password."
>
> Thanks for your help thus far.
>
> Chris
>
> On 08/18/2010 10:47 AM, Daniel Müller wrote:
>> You only changed unix-password:
>>
>>
>> tuepdc:~ # smbldap-passwd --help
>> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
>> the GPL
>> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>>     -h, -?, --help show this help message
>>     -s             update only samba password
>>     -u             update only UNIX password
>>
>> Just use smbldap-passwd USER
>>
>>
>>
>>
>> -----Original Message-----
>> From: Christopher Springer [mailto:cspringer at brcrp.com]
>> Sent: Wednesday, 18 August 2010 16:28
>> To: mueller at tropenklinik.de
>> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
>> Subject: Re: [Samba] Error: You do not have permission to change your
>> password
>>
>>     I did some additional testing...
>>
>> It turns out that I was able to change the password successfully using...
>>
>> smbldap-passwd kennyz
>>
>> But then I tried changing with the -u option as follows...
>>
>> smbldap-passwd -u kennyz
>>
>> This did not return an error but it also apparently did not change the
>> user's password because I can't login as the user now.  I do not know
>> how to interpret this behaviour but I'm hoping it can give you guys a
>> clue as to what is truly the problem here.
>>
>> Thanks.
>> --
>> Chris
>>
>> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>>> You need
>>> ldap passwd sync = yes
>>> no  unix password sync = yes
>>>
>>> Then try to change it on your linux box.
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Gaiseric Vandal
>>> Sent: Wednesday, 18 August 2010 15:48
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Error: You do not have permission to change your
>>> password
>>>
>>> I am pretty sure that the password command and script is run as root,
>>> not as the user changing the password.    What happens if you run the
>>> password commands on the samba server?   I don't have smbldap tools on
>>> my system (Solaris, so not provided by the Sun distro) so I had to rely
>>> on the OS password tools.   By default, root is not going to have
>>> sufficient privileges to change ldap passwords.
>>>
>>> If you don't enable password sync, are you able to change your Windows
>>> password?
>>>
>>>
>>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>>>     I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>>>> and do the following...
>>>>
>>>> 1.  Login as user on Windows system using domain user name and
>>>> password - Login successful
>>>> 2.  Press Ctrl-Alt-Del
>>>> 3.  Press Change Password
>>>> 4.  Enter old and new password as prompted
>>>> 5.  Receive response "You do not have permission to change your
>>>> password."
>>>>
>>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>>
>>>> [2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>>>      NTLMSSP NTLM1 packet check failed due to invalid signature!
>>>> [2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>>>      process_request_pdu: failed to do auth processing.
>>>> [2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>>>      process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>>
>>>> This was generated from a WindowsNT4 system.  The issue can also be
>>>> duplicated from Windows XP clients.
>>>>
>>>> My smb.conf file on this system (PDC):
>>>>
>>>> [global]
>>>> log level = 1
>>>> workgroup = CORPDOM
>>>> netbios name = CORPPDC
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> enable privileges = yes
>>>> #encrypt passwords = yes
>>>> username map = /etc/samba/smbusers
>>>> printcap name = cups
>>>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>> logon script = scripts/%U.bat
>>>> logon path =
>>>> logon drive =
>>>> security = user
>>>> domain logons = Yes
>>>> os level = 35
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> smb ports = 139
>>>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>>>> #remote browse sync = 10.20.255.255 10.30.255.255
>>>> #remote announce = 10.30.255.255
>>>> #remote browse sync = 10.30.255.255
>>>> ldap suffix = dc=brcrp,dc=com
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=People
>>>> ldap group suffix = ou=Group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>>> ldap ssl = no
>>>> #ldap passwd sync = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>>> #client lanman auth = yes
>>>> #unix password sync = yes
>>>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>>>> idmap backend = ldap:ldap://127.0.0.1
>>>> idmap uid = 15000-20000
>>>> idmap gid = 15000-20000
>>>> printing = cups
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /pub
>>>> guest ok = Yes
>>>> browseable = No

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
cspringer at brcrp.com
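
An added example, not part of the original thread: a Python triage script that parses `log.smbd` entries like the ones quoted in the first message and reports each NTLMSSP signature failure that is followed by an `NT_STATUS_ACCESS_DENIED` from `process_request_pdu`. The one-line header layout, the names `parse_entries` and `rejected_rpc_requests`, the one-second window and the last sample entry are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Entries from the post, each header on one line (assumed on-disk layout).
# The final entry is constructed: a denial with no signature failure before it.
SAMPLE_LOG = """\
[2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
[2010/08/17 16:20:00.000000,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*"
                    r"(\S+?):(\d+)\((\w+)\)\s*$")

def parse_entries(text):
    """Fold each header line and its indented message lines into one entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, lineno, func = m.groups()
            entries.append({"time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(level), "src": f"{src}:{lineno}",
                            "func": func, "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def rejected_rpc_requests(entries, window=timedelta(seconds=1)):
    """Pair each NTLMSSP signature failure with the ACCESS_DENIED that follows it."""
    hits, pending = [], None
    for e in entries:
        if e["func"] == "ntlmssp_check_packet" and "invalid signature" in e["msg"]:
            pending = e
        elif (pending and e["func"] == "process_request_pdu"
              and "NT_STATUS_ACCESS_DENIED" in e["msg"]):
            if e["time"] - pending["time"] <= window:
                hits.append((pending, e))
            pending = None
    return hits

if __name__ == "__main__":
    for sig, denied in rejected_rpc_requests(parse_entries(SAMPLE_LOG)):
        print(f"{sig['time']}  RPC request rejected after signature failure: {denied['msg']}")
```

Counting these pairs per day separates failures in the signed RPC exchange itself from denials that have some other cause, such as the standalone entry at the end of the sample.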


