[Samba] window, samba and ldap passwords

J. Echter j.echter at elektro-mayer-echter.de
Tue Aug 16 05:13:54 MDT 2011


On 16.08.2011 13:06, Dermot wrote:
> I have a stanza like this in the slapd.conf on the ldap master.
>
> # users can authenticate and change their password
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
>          by self write
>          by anonymous auth
>          by * none
>
>
> I have a lot of debug messages from ldap going into the logs but I
> can't see any errors. I can't see any attempt at a password change in the
> log.
>
> I know that the ldap password had not changed either. What do you mean
> by dynamically configured ldap?
> Thanks,
> Dp.
>
>
>
> On 16 August 2011 11:51, J. Echter <j.echter at elektro-mayer-echter.de> wrote:
>> On 16.08.2011 12:48, Dermot wrote:
>>> Hi,
>>>
>>> I recently migrated to a Samba3x domain. One issue that has been
>>> reported to me is that XP users cannot change their password from
>>> their PC. I have done some searching and I haven't seen a
>>> straightforward answer to this.
>>>
>>> My config is
>>>
>>> ldap primary + Samba PDC on host A
>>> ldap slave + samba BDC on host B
>>>
>>> I see this error in the machine log when someone attempts to change
>>> their password:
>>>
>>> 2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
>>>    smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>> [2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
>>>    PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>> [2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
>>>    smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>> [2011/08/16 10:04:11.215657,  0] auth/pampass.c:705(smb_pam_chauthtok)
>>>    PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>> [2011/08/16 10:04:11.215741,  0] auth/pampass.c:861(smb_pam_passchange)
>>>    smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>
>>>
>>> I have seen this article:
>>>
>>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
>>> but I am not sure if it's appropriate for my environment. I suspect
>>> the answer to this may be very dependent on my config.
>>> Can anyone offer any advice?
>>> Thanks in advance.
>>> Dermot.
>>>
>>>
>>> =========== smb.conf on PDC ===========
>>>
>>>         dos charset = UTF-8
>>>         display charset = UTF-8
>>>         workgroup = FOO
>>>         server string = %h server
>>>         map to guest = Bad User
>>>         passdb backend = ldapsam:ldap://127.0.0.1/
>>>         pam password change = Yes
>>>         passwd program = /usr/sbin/smbldap-passwd -u %u
>>>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>>         unix password sync = Yes
>>>         log level = 1
>>>         syslog = 0
>>>         log file = /var/log/samba/log.%m
>>>         max log size = 1000
>>>         smb ports = 139 445
>>>         name resolve order = wins hosts bcast
>>>         time server = Yes
>>>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>         load printers = No
>>>         add user script = /usr/sbin/smbldap-useradd -m %u
>>>         delete user script = /usr/sbin/smbldap-userdel '%u'
>>>         delete group script = /usr/sbin/smbldap-groupdel %g
>>>         add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>         delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>         set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>         add machine script = /usr/sbin/smbldap-useradd -w %u
>>>         logon script = logon.bat
>>>         logon path =
>>>         logon drive = U:
>>>         logon home =
>>>         domain logons = Yes
>>>         os level = 65
>>>         preferred master = Auto
>>>         domain master = Yes
>>>         dns proxy = No
>>>         ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>>>         ldap delete dn = Yes
>>>         ldap group suffix = ou=Groups
>>>         ldap idmap suffix = ou=idmap
>>>         ldap machine suffix = ou=Computers, ou=Users
>>>         ldap passwd sync = yes
>>>         ldap suffix = dc=mydomain,dc=co,dc=uk
>>>         ldap ssl = no
>>>         ldap timeout = 20
>>>         ldap user suffix = ou=Users
>>>         panic action = /usr/share/samba/panic-action %d
>>>         idmap backend = ldap:"ldap://127.0.0.1/"
>>>         idmap uid = 15000-20000
>>>         idmap gid = 15000-20000
>>>         map acl inherit = Yes
>>>         case sensitive = No
>>>         hide unreadable = Yes
>> Hi,
>>
>> afaik, you have to authenticate users to change NTpasswd and stuff like
>> that.
>>
>> i have seen this example for slapd.conf
>>
>> # The userPassword by default can be changed
>> # by the entry owning it if they are authenticated.
>> # Others should not be able to see it, except the
>> # admin entry below
>> # These access lines apply to database #1 only
>> access to
>> attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>>         by dn="cn=admin,dc=meinnetz,dc=xx" write
>>         by anonymous auth
>>         by self write
>>         by * none
>>
>> but i don't know how to add it to dynamically configured ldap.
>>
>> cheers
>>
>> juergen
>>
which distro do you use?
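Both posters quote a slapd.conf stanza that governs who may read or change the password attributes Samba stores in LDAP (userPassword, sambaNTPassword, sambaLMPassword). The script below is an added example for this thread, not code from either poster, from Samba or from OpenLDAP: it parses the classic slapd.conf "access to attrs=... by ..." syntax and reports settings that would expose hashes or block a user from changing their own password. The sample configuration embedded in it is constructed for the example (the two stanzas from the thread with the mail line-wrapping undone, plus a deliberately weak one); the severity labels, the finding texts and the simplification that each stanza is judged on its own (slapd's first-matching-stanza rule across several "access to" lines and the rootdn bypass are not modelled) are this example's own assumptions.

```python
"""Audit slapd.conf 'access to attrs=...' stanzas that guard password hashes.

Added example for this thread; not code from the original posts, Samba or
OpenLDAP. Assumptions: each stanza is judged on its own (the rootdn bypass
and slapd's first-matching-stanza rule across stanzas are not modelled).
"""
import re
from dataclasses import dataclass

# Attributes Samba's ldapsam backend and smbldap-passwd need to update.
PASSWORD_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword"}
# slapd access levels, weakest to strongest (each implies the ones before it).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class AccessStanza:
    attrs: set
    clauses: list  # ordered (who, level) pairs, evaluated first-match-wins


def _logical_lines(text):
    """slapd.conf joins a line that starts with whitespace onto the previous
    directive; lines starting with '#' are comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_access_stanzas(text):
    """Return an AccessStanza for every 'access to' directive in the text."""
    stanzas = []
    for line in _logical_lines(text):
        m = re.match(r"access\s+to\s+(.*)", line)
        if not m:
            continue
        what, *by_clauses = re.split(r"\s+by\s+", m.group(1))
        am = re.search(r"attrs=(\S+)", what)
        attrs = set(am.group(1).split(",")) if am else set()
        clauses = []
        for clause in by_clauses:
            # <who> is either a quoted dn="..." spec or a single token (self, anonymous, users, *)
            cm = re.match(r'(dn(?:\.\w+)?="[^"]*"|\S+)\s+(\S+)', clause)
            if cm:
                clauses.append((cm.group(1), cm.group(2).lower()))
        stanzas.append(AccessStanza(attrs, clauses))
    return stanzas


def _rank(level):
    return LEVELS.index(level) if level in LEVELS else -1


def effective_level(st, subject):
    """First matching 'by' clause wins, as in slapd: 'anonymous' is matched by
    anonymous or '*'; 'self' (a user touching its own entry) by self, users or '*'.
    No match means the implicit 'by * none'."""
    matches = {"anonymous": {"anonymous", "*"}, "self": {"self", "users", "*"}}[subject]
    for who, level in st.clauses:
        if who in matches:
            return level
    return "none"


def check_stanza(st):
    """Return (severity, message) findings for one password stanza.
    'high' = hashes readable, 'medium' = password change blocked, 'info' = verify."""
    if not st.attrs & PASSWORD_ATTRS:
        return []  # not a password stanza, nothing to judge
    findings = []
    missing = PASSWORD_ATTRS - st.attrs
    if missing:
        findings.append(("info", "not covered by this stanza: " + ", ".join(sorted(missing))))
    anon = effective_level(st, "anonymous")
    if _rank(anon) > _rank("auth"):
        findings.append(("high", f"anonymous binds get '{anon}' on password hashes"))
    elif _rank(anon) < _rank("auth"):
        findings.append(("medium", "anonymous lacks 'auth'; simple binds against userPassword will fail"))
    for who, level in st.clauses:
        if who == "users" and _rank(level) > _rank("auth"):
            findings.append(("high", f"any authenticated user gets '{level}' on password hashes"))
    if _rank(effective_level(st, "self")) < _rank("write"):
        findings.append(("medium", "self cannot write; users cannot change their own password"))
    if not any(w.startswith("dn") and _rank(l) >= _rank("write") for w, l in st.clauses):
        findings.append(("info", "no admin dn with write; Samba's 'ldap admin dn' must then be the rootdn"))
    if st.clauses and st.clauses[-1] != ("*", "none"):
        findings.append(("info", "no explicit trailing 'by * none'"))
    return findings


def audit(text):
    """Map stanza index -> findings for every stanza in the configuration text."""
    return {i: check_stanza(st) for i, st in enumerate(parse_access_stanzas(text))}


# Constructed sample: the two stanzas quoted in the thread (mail wrapping undone
# with continuation indents) plus a deliberately weak third one.
SAMPLE_CONF = """\
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none

access to
        attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=meinnetz,dc=xx" write
        by anonymous auth
        by self write
        by * none

# weak: any bind, even anonymous, can read the hashes
access to attrs=userPassword,sambaNTPassword
        by self write
        by * read
"""

if __name__ == "__main__":
    for i, findings in audit(SAMPLE_CONF).items():
        print(f"stanza {i}: {'OK' if not findings else ''}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against a real slapd.conf by passing its contents to audit(); for the first stanza from the thread the only finding is the informational one about the admin dn, which is exactly the question to settle when Samba itself, binding as the configured ldap admin dn, has to write the new sambaNTPassword: either that dn is the database rootdn (ACLs do not apply to it) or it needs an explicit "by dn=... write" clause like the one in the second stanza.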

