[Samba] window, samba and ldap passwords

Dermot paikkos at googlemail.com
Tue Aug 16 05:19:24 MDT 2011


The master is a xenamd64 debian 5.0.6
samba is Version 3.5.6
ldap is 2.4.11 (installed via apt)

Dp.



On 16 August 2011 12:13, J. Echter <j.echter at elektro-mayer-echter.de> wrote:
> Am 16.08.2011 13:06, schrieb Dermot:
>>
>> I have a stanza like this in the slapd.conf on the ldap master.
>>
>> # users can authenticate and change their password
>> access to
>> attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
>>         by self write
>>         by anonymous auth
>>         by * none
>>
>>
>> I have a lot of debug messages from ldap going into the logs but I
>> can't see any errors. I can't see any attempt at a password change in the
>> log.
>>
>> I know that the ldap password had not changed either. What do you mean
>> by dynamically configured ldap?
>> Thanks,
>> Dp.
>>
>>
>>
>> On 16 August 2011 11:51, J. Echter <j.echter at elektro-mayer-echter.de> wrote:
>>>
>>> Am 16.08.2011 12:48, schrieb Dermot:
>>>>
>>>> Hi,
>>>>
>>>> I recently migrated to a Samba3x domain. One issue that has been
>>>> reported to me is that XP users cannot change their password from
>>>> their PC. I have done some searching and I haven't seen a
>>>> straightforward answer to this.
>>>>
>>>> My config is
>>>>
>>>> ldap primary + Samba PDC on host A
>>>> ldap slave + samba BDC on host B
>>>>
>>>> I see this error in the machine log when someone attempts to change
>>>> their password:
>>>>
>>>> [2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.215657,  0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.215741,  0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>>
>>>>
>>>> I have seen this article:
>>>>
>>>>
>>>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
>>>> but I am not sure if it's appropriate for my environment. I suspect
>>>> the answer to this may be very dependent on my config.
>>>> Can anyone offer any advice?
>>>> Thanks in advance.
>>>> Dermot.
>>>>
>>>>
>>>> =========== smb.conf on PDC ===========
>>>>
>>>>        dos charset = UTF-8
>>>>        display charset = UTF-8
>>>>        workgroup = FOO
>>>>        server string = %h server
>>>>        map to guest = Bad User
>>>>        passdb backend = ldapsam:ldap://127.0.0.1/
>>>>        pam password change = Yes
>>>>        passwd program = /usr/sbin/smbldap-passwd -u %u
>>>>        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>>>        unix password sync = Yes
>>>>        log level = 1
>>>>        syslog = 0
>>>>        log file = /var/log/samba/log.%m
>>>>        max log size = 1000
>>>>        smb ports = 139 445
>>>>        name resolve order = wins hosts bcast
>>>>        time server = Yes
>>>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>        load printers = No
>>>>        add user script = /usr/sbin/smbldap-useradd -m %u
>>>>        delete user script = /usr/sbin/smbldap-userdel '%u'
>>>>        delete group script = /usr/sbin/smbldap-groupdel %g
>>>>        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>>        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>>        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>>        add machine script = /usr/sbin/smbldap-useradd -w %u
>>>>        logon script = logon.bat
>>>>        logon path =
>>>>        logon drive = U:
>>>>        logon home =
>>>>        domain logons = Yes
>>>>        os level = 65
>>>>        preferred master = Auto
>>>>        domain master = Yes
>>>>        dns proxy = No
>>>>        ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>>>>        ldap delete dn = Yes
>>>>        ldap group suffix = ou=Groups
>>>>        ldap idmap suffix = ou=idmap
>>>>        ldap machine suffix = ou=Computers, ou=Users
>>>>        ldap passwd sync = yes
>>>>        ldap suffix = dc=mydomain,dc=co,dc=uk
>>>>        ldap ssl = no
>>>>        ldap timeout = 20
>>>>        ldap user suffix = ou=Users
>>>>        panic action = /usr/share/samba/panic-action %d
>>>>        idmap backend = ldap:"ldap://127.0.0.1/"
>>>>        idmap uid = 15000-20000
>>>>        idmap gid = 15000-20000
>>>>        map acl inherit = Yes
>>>>        case sensitive = No
>>>>        hide unreadable = Yes
>>>
>>> Hi,
>>>
>>> afaik, you have to authenticate users to change NTpasswd and stuff like
>>> that.
>>>
>>> i have seen this example for slapd.conf
>>>
>>> # The userPassword by default can be changed
>>> # by the entry owning it if they are authenticated.
>>> # Others should not be able to see it, except the
>>> # admin entry below
>>> # These access lines apply to database #1 only
>>> access to
>>> attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>>>        by dn="cn=admin,dc=meinnetz,dc=xx" write
>>>        by anonymous auth
>>>        by self write
>>>        by * none
>>>
>>> but i don't know how to add it to dynamically configured ldap.
>>>
>>> cheers
>>>
>>> juergen
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
> Which distro do you use?
>
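A small log triage helper, added here as an example and not part of the thread or of Samba itself: it parses Samba 3 log headers like the ones quoted above (tolerating the missing opening "[" on the first quoted line), pairs each header with its message line, and translates the raw number in "UNKNOWN PAM ERROR (8)" into its Linux-PAM name (8 is PAM_CRED_INSUFFICIENT in Linux-PAM's numbering) so a run of failures for one account can be counted. The sample lines are reconstructed from the log quoted in the thread; the field names and functions are my own.

```python
import re
from collections import Counter

# Linux-PAM return codes (numbering from _pam_types.h); Samba logs only the number.
PAM_ERRORS = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
              9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 20: "PAM_AUTHTOK_ERR"}
# Samba 3 header "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)"; the
# opening "[" is optional so the truncated first line of the quoted log still parses.
HEADER = re.compile(r"^\[?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
FAILED = re.compile(r"Password Change Failed for user (\S+)!")
PAM_ERR = re.compile(r"PAM ERROR \((\d+)\) for User: (\S+)")
# Constructed sample, reassembled from the log lines quoted in the thread.
SAMPLE_LOG = """\
2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.215657,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.215741,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
"""

def parse_samba_log(text):
    # Each header line is followed by exactly one message line; pair them up.
    events, header = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            header = {"ts": m.group(1), "src": f"{m.group(3)}:{m.group(4)}", "func": m.group(5)}
            continue
        if header is None or not line:
            continue
        if m := PAM_ERR.search(line):
            code = int(m.group(1))  # translate the raw number to its Linux-PAM name
            events.append({**header, "user": m.group(2), "code": code,
                           "outcome": PAM_ERRORS.get(code, f"PAM_CODE_{code}")})
        elif m := FAILED.search(line):
            events.append({**header, "user": m.group(1), "outcome": "change_failed"})
        header = None
    return events

def summarize(events):
    # Count (user, outcome) pairs so a burst of failures for one account stands out.
    return Counter((e["user"], e["outcome"]) for e in events)
```

Run it against a real /var/log/samba/log.<machine> (the `log file` path from the smb.conf above) to see which PAM return code the password change actually fails with, rather than just the opaque number.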

