[Samba] window, samba and ldap passwords
J. Echter
j.echter at elektro-mayer-echter.de
Tue Aug 16 04:51:20 MDT 2011
Am 16.08.2011 12:48, schrieb Dermot:
> Hi,
>
> I recently migrated to a Samba3x domain. One issue that has been
> reported to me is that XP users cannot change their password from
> their PC. I have done some searching and I haven't seen a straight
> forward answer to this.
>
> My config is
>
> ldap primary + Samba PDC on host A
> ldap slave + samba BDC on host B
>
> I see this error in the machine log when someone attempts to change
> their password:
>
> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
> PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
> PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>
>
> I have seen this article:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
> but I am not sure if it's appropriate for my environment. I suspect
> the answer to this may very dependent on my config.
> Can anyone offer any advice?
> Thanks in advance.
> Dermot.
>
>
> =========== smb.conf on PDC ===========
>
> dos charset = UTF-8
> display charset = UTF-8
> workgroup = FOO
> server string = %h server
> map to guest = Bad User
> passdb backend = ldapsam:ldap://127.0.0.1/
> pam password change = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
> unix password sync = Yes
> log level = 1
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> smb ports = 139 445
> name resolve order = wins hosts bcast
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel '%u'
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> logon script = logon.bat
> logon path =
> logon drive = U:
> logon home =
> domain logons = Yes
> os level = 65
> preferred master = Auto
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
> ldap delete dn = Yes
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=idmap
> ldap machine suffix = ou=Computers, ou=Users
> ldap passwd sync = yes
> ldap suffix = dc=mydomain,dc=co,dc=uk
> ldap ssl = no
> ldap timeout = 20
> ldap user suffix = ou=Users
> panic action = /usr/share/samba/panic-action %d
> idmap backend = ldap:"ldap://127.0.0.1/"
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> map acl inherit = Yes
> case sensitive = No
> hide unreadable = Yes
Hi,
afaik, you have to authenticate users to change NTpasswd and stull like
that.
i have seen this example for slapd.conf
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=meinnetz,dc=xx" write
by anonymous auth
by self write
by * none
but i don't know how to add it to dynamically configured ldap.
cheers
juergen
More information about the samba
mailing list