[Samba] Error: You do not have permission to change your password

Christopher Springer cspringer at brcrp.com
Thu Aug 19 07:05:00 MDT 2010


  Excellent find, Daniel!  I made the following change and I'm now able 
to change passwords for my NT4 machines...

lanman auth = yes
(was previously set to lanman auth = no, the default)
Note that this re-enables the weak LANMAN response for every client that offers it, so it is best treated as a concession to the NT4 machines and switched back off once they are retired.

Thank you all very much for your help!

Chris

On 08/19/2010 03:49 AM, Daniel Müller wrote:
> Check these parameters in your global section
>
>   With testparm -v
>
> lanman auth = ?
> ntlm auth = ?
> client NTLMv2 = ?
> client lanman auth = ?
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Ursprüngliche Nachricht-----
> Von: Christopher Springer [mailto:cspringer at brcrp.com]
> Gesendet: Mittwoch, 18. August 2010 22:12
> An: mueller at tropenklinik.de
> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
> Betreff: Re: AW: [Samba] Error: You do not have permission to change your
> password
>
>    Well, I have a partially working configuration now...that is to say
> that it DOES work for WinXP and later but it does NOT work for WinNT4
> systems (2k not tested).  I must've made a mistake in testing because
> now it seems that the XP systems are able to change passwords just
> fine.  For the life of me I cannot get rid of the NTLM error messages
> when trying to change passwords on a WinNT4 system.  I'm also having
> trouble figuring out what items in the Samba LDAP schema are still in
> use and which ones should be controlled by other applications
> (smbldap-usermod, pdbedit, etc).  A good reference on deprecated LDAP
> entries would be greatly appreciated!  I realize I still need to change
> the LDAP directory to use a separate user for replication, etc but I'm
> trying to take small steps here :)
>
> working smb.conf -
>
> [global]
> log level = 1
> workgroup = CORPDOM
> netbios name = CORPPDC
> passdb backend = ldapsam:ldap://127.0.0.1
> username map = /etc/samba/smbusers
> printcap name = cups
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> logon script = scripts/%U.bat
> logon path =
> logon drive =
> security = user
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> smb ports = 139
> ldap suffix = dc=brcrp,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=brcrp,dc=com
> ldap ssl = no
> ldap passwd sync = yes
> printing = cups
>
> [netlogon]
> comment = Network Logon Service
> path = /pub
> guest ok = Yes
> browseable = No
>
>
> working slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
>
> include        /etc/openldap/schema/corba.schema
> include        /etc/openldap/schema/core.schema
> include        /etc/openldap/schema/cosine.schema
> include        /etc/openldap/schema/duaconf.schema
> include        /etc/openldap/schema/dyngroup.schema
> include        /etc/openldap/schema/inetorgperson.schema
> include        /etc/openldap/schema/java.schema
> include        /etc/openldap/schema/misc.schema
> include        /etc/openldap/schema/nis.schema
> include        /etc/openldap/schema/openldap.schema
> include        /etc/openldap/schema/ppolicy.schema
> include        /etc/openldap/schema/collective.schema
> include        /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral    ldap://root.openldap.org
>
> pidfile        /var/run/openldap/slapd.pid
> argsfile    /var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> # modulepath    /usr/lib/openldap # or /usr/lib64/openldap
> # moduleload accesslog.la
> # moduleload auditlog.la
> # moduleload back_sql.la
> # moduleload denyop.la
> # moduleload dyngroup.la
> # moduleload dynlist.la
> # moduleload lastmod.la
> # moduleload pcache.la
> # moduleload ppolicy.la
> # moduleload refint.la
> # moduleload retcode.la
> # moduleload rwm.la
> moduleload syncprov.la
> # moduleload translucent.la
> # moduleload unique.la
> # moduleload valsort.la
>
> # The next three lines allow use of TLS for encrypting connections using a
> # dummy test certificate which you can generate by changing to
> # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it.  Your client software
> # may balk at self-signed certificates, however.
> # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>
> # Sample security restrictions
> #    Require integrity protection (prevent hijacking)
> #    Require 112-bit (3DES or better) encryption for updates
> #    Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #    Root DSE: allow anyone to read it
> #    Subschema (sub)entry DSE: allow anyone to read it
> #    Other DSEs:
> #        Allow self write access
> #        Allow authenticated users read access
> #        Allow anonymous users to authenticate
> #    Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #    by self write
> #    by users read
> #    by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database    bdb
> suffix        "dc=brcrp,dc=com"
> checkpoint    1024 15
> rootdn        "cn=Manager,dc=brcrp,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw        *omitted*
> #rootpw        {SSHA}5v9AquZvm/9fhFMcetO072dGd2BX8C5Q
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory    /var/lib/ldap
>
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
>
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 starttls=critical
> #     bindmethod=sasl saslmech=GSSAPI
> #     authcId=host/ldap-master.example.com at EXAMPLE.COM
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> # enable monitoring
> # database monitor
>
> # allow only rootdn to read the monitor
> #access to *
> #        by dn.exact="cn=Manager,dc=brcrp,dc=com" write
> #        by * none
> access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
>       by dn="cn=Manager,dc=brcrp,dc=com" write
>       by self write
>       by anonymous auth
>       by * none
> access to *
>       by * read
> #access to *
> #    by * write
>
> I have this server also acting as the WINS server for our multi-site
> environment over VPN.  It seems to work pretty well.  Setup is PDC w/BDC
> (both LDAP) at corporate with remote BDC (replicated LDAP) and DHCP
> server with netbios-name-server option.
>
> Again, thanks all for your help!
>
> Chris
>
> On 08/18/2010 10:47 AM, Daniel Müller wrote:
>> You only changed unix-password:
>>
>>
>> tuepdc:~ # smbldap-passwd --help
>> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
>> the GPL
>> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>>     -h, -?, --help show this help message
>>     -s             update only samba password
>>     -u             update only UNIX password
>>
>> Just use smbldap-passwd USER
>>
>>
>>
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Christopher Springer [mailto:cspringer at brcrp.com]
>> Gesendet: Mittwoch, 18. August 2010 16:28
>> An: mueller at tropenklinik.de
>> Cc: gaiseric.vandal at gmail.com; samba at lists.samba.org
>> Betreff: Re: [Samba] Error: You do not have permission to change your
>> password
>>
>>     I did some additional testing...
>>
>> It turns out that I was able to change the password successfully using...
>>
>> smbldap-passwd kennyz
>>
>> But then I tried changing with the -u option as follows...
>>
>> smbldap-passwd -u kennyz
>>
>> This did not return an error but it also apparently did not change the
>> user's password because I can't login as the user now.  I do not know
>> how to interpret this behaviour but I'm hoping it can give you guys a
>> clue as to what is truly the problem here.
>>
>> Thanks.
>> --
>> Chris
>>
>> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>>> You need
>>> ldap passwd sync = yes
>>> rather than unix password sync = yes
>>>
>>> Then try to change it on your linux box.
>>> -----------------------------------------------
>>> EDV Daniel Müller
>>>
>>> Leitung EDV
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: mueller at tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> -----------------------------------------------
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>> Im
>>> Auftrag von Gaiseric Vandal
>>> Gesendet: Mittwoch, 18. August 2010 15:48
>>> An: samba at lists.samba.org
>>> Betreff: Re: [Samba] Error: You do not have permission to change your
>>> password
>>>
>>> I am pretty sure that the password command and script is run as root,
>>> not as the user changing the password.    What happens if you run the
>>> password commands on the samba server?   I don't have smbldap tools on
>>> my system (Solaris, so not provided by the Sun distro) so I had to rely
>>> on the OS password tools.   By default, root is not going to have
>>> sufficient privileges to change ldap passwords.
>>>
>>> If you don't enable password sync, are you able to change your Windows
>>> password?
>>>
>>>
>>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>>>     I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>>>> and do the following...
>>>>
>>>> 1.  Login as user on Windows system using domain user name and
>>>> password - Login successful
>>>> 2.  Press Ctrl-Alt-Del
>>>> 3.  Press Change Password
>>>> 4.  Enter old and new password as prompted
>>>> 5.  Receive response "You do not have permission to change your
>>>> password."
>>>>
>>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>>
>>>> [2010/08/17 16:13:53.884482,  0]
>>>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>>>      NTLMSSP NTLM1 packet check failed due to invalid signature!
>>>> [2010/08/17 16:13:53.884592,  0]
>>>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>>>      process_request_pdu: failed to do auth processing.
>>>> [2010/08/17 16:13:53.884668,  0]
>>>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>>>      process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>>
>>>> This was generated from a WindowsNT4 system.  The issue can also be
>>>> duplicated from Windows XP clients.
>>>>
>>>> My smb.conf file on this system (PDC):
>>>>
>>>> [global]
>>>> log level = 1
>>>> workgroup = CORPDOM
>>>> netbios name = CORPPDC
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> enable privileges = yes
>>>> #encrypt passwords = yes
>>>> username map = /etc/samba/smbusers
>>>> printcap name = cups
>>>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>> logon script = scripts/%U.bat
>>>> logon path =
>>>> logon drive =
>>>> security = user
>>>> domain logons = Yes
>>>> os level = 35
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> smb ports = 139
>>>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>>>> #remote browse sync = 10.20.255.255 10.30.255.255
>>>> #remote announce = 10.30.255.255
>>>> #remote browse sync = 10.30.255.255
>>>> ldap suffix = dc=brcrp,dc=com
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=People
>>>> ldap group suffix = ou=Group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>>> ldap ssl = no
>>>> #ldap passwd sync = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>>> #client lanman auth = yes
>>>> #unix password sync = yes
>>>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>>>> idmap backend = ldap:ldap://127.0.0.1
>>>> idmap uid = 15000-20000
>>>> idmap gid = 15000-20000
>>>> printing = cups
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /pub
>>>> guest ok = Yes
>>>> browseable = No

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber&  Plastics, Inc
260-693-2171 x389
cspringer at brcrp.com


