[Samba] window, samba and ldap passwords
Dermot
paikkos at googlemail.com
Tue Aug 16 05:06:29 MDT 2011
I have a stanza like this in the slapd.conf on the ldap master.
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by self write
by anonymous auth
by * none
I have a lot of debug messages from ldap going into the logs but I
can't see any errors. I can't see any attempt at a password change in the
log.
I know that the ldap password had not changed either. What do you mean
by dynamically configured ldap?
Thanks,
Dp.
On 16 August 2011 11:51, J. Echter <j.echter at elektro-mayer-echter.de> wrote:
> On 16.08.2011 12:48, Dermot wrote:
>>
>> Hi,
>>
>> I recently migrated to a Samba3x domain. One issue that has been
>> reported to me is that XP users cannot change their password from
>> their PC. I have done some searching and I haven't seen a straight
>> forward answer to this.
>>
>> My config is
>>
>> ldap primary + Samba PDC on host A
>> ldap slave + samba BDC on host B
>>
>> I see this error in the machine log when someone attempts to change
>> their password:
>>
>> [2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>> PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>> PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>> smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>
>>
>> I have seen this article:
>>
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
>> but I am not sure if it's appropriate for my environment. I suspect
>> the answer to this may be very dependent on my config.
>> Can anyone offer any advice?
>> Thanks in advance.
>> Dermot.
>>
>>
>> =========== smb.conf on PDC ===========
>>
>> dos charset = UTF-8
>> display charset = UTF-8
>> workgroup = FOO
>> server string = %h server
>> map to guest = Bad User
>> passdb backend = ldapsam:ldap://127.0.0.1/
>> pam password change = Yes
>> passwd program = /usr/sbin/smbldap-passwd -u %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>> unix password sync = Yes
>> log level = 1
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> smb ports = 139 445
>> name resolve order = wins hosts bcast
>> time server = Yes
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> load printers = No
>> add user script = /usr/sbin/smbldap-useradd -m %u
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> delete group script = /usr/sbin/smbldap-groupdel %g
>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>> add machine script = /usr/sbin/smbldap-useradd -w %u
>> logon script = logon.bat
>> logon path =
>> logon drive = U:
>> logon home =
>> domain logons = Yes
>> os level = 65
>> preferred master = Auto
>> domain master = Yes
>> dns proxy = No
>> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>> ldap delete dn = Yes
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=idmap
>> ldap machine suffix = ou=Computers, ou=Users
>> ldap passwd sync = yes
>> ldap suffix = dc=mydomain,dc=co,dc=uk
>> ldap ssl = no
>> ldap timeout = 20
>> ldap user suffix = ou=Users
>> panic action = /usr/share/samba/panic-action %d
>> idmap backend = ldap:"ldap://127.0.0.1/"
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> map acl inherit = Yes
>> case sensitive = No
>> hide unreadable = Yes
>
> Hi,
>
> afaik, you have to authenticate users to change NTpasswd and stuff like
> that.
>
> i have seen this example for slapd.conf
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to
> attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
> by dn="cn=admin,dc=meinnetz,dc=xx" write
> by anonymous auth
> by self write
> by * none
>
> but I don't know how to add it to dynamically configured ldap.
>
> cheers
>
> juergen