[Samba] Error when changing domain password in Windows XP

Torkil Svensgaard torkil at drcmr.dk
Fri May 27 07:02:22 MDT 2011

On 2011-05-27 14:22, Harry Jede wrote:
 > try the same search with the user(s) you have configured for
 > smbldap-tools and pam_ldap

# Simple bind (-x) as the directory admin; -W prompts for the bind password.
# No -H or -ZZ is given, so the server URI comes from the client defaults and
# StartTLS is not requested. NOTE(review): the command is mail-wrapped after -b.
ldapsearch -x -LLL -D "cn=admin,dc=drcmr,dc=local" -W -b 
"ou=Users,dc=drcmr,dc=local" "uid=torkil"

This also works.

 > you should NOT have a ldap user for nss, nor nss configured for shadow
 > db.

I'm not certain what you mean by this, but here are the relevant lines 
from nsswitch.conf. Should shadow be changed to something else?

# Each database is looked up in local files first, then in LDAP.
# NOTE(review): the advice quoted above is not to configure NSS for the shadow
# database; presumably that means "shadow: files" here - confirm with the poster.
passwd: files ldap
group: files ldap
shadow: files ldap

 > post the relevant config files and the global section from smb.conf

 From /etc/pam.d/common-password

# Password-change stack. pam_passwdqc is "requisite", so a rejected password
# stops the stack before any backend is touched.
# [success=N] skips the next N modules: a success in pam_unix (3), pam_winbind (2)
# or pam_ldap (1) jumps over pam_deny and lands on pam_permit.
# pam_smbpass is "optional", so a failure there does not fail the change.
# NOTE(review): lines that do not start with "password" are mail-wrapped
# continuations of the line above; rejoin them before reusing this excerpt.
# NOTE(review): nullok on pam_smbpass looks like it tolerates empty passwords -
# confirm that is intended.
password        requisite                       pam_passwdqc.so 
password        [success=3 default=ignore]      pam_unix.so obscure 
use_authtok try_first_pass sha512 min=8
password        [success=2 default=ignore]      pam_winbind.so 
use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die] 
pam_ldap.so use_authtok try_first_pass

password        requisite                       pam_deny.so

password        required                        pam_permit.so
password        optional                        pam_smbpass.so nullok 
use_authtok use_first_pass

 From slapd.conf (ACL)
# NOTE(review): the <what> clause after "access to" is missing in this excerpt
# (possibly dropped by the list archive), so the scope of the rule cannot be
# checked from here. As written: the admin DN and the entry's own DN may write,
# anonymous clients may use the target only to authenticate (bind), and
# everyone else gets no access.
access to 
         by dn="cn=admin,dc=drcmr,dc=local" write
         by anonymous auth
         by self write
         by * none

 From smb.conf ([global])
     # [global] settings of a Samba domain controller (domain logons = Yes,
     # domain master = Yes) that keeps its accounts in LDAP (ldapsam).
     workgroup = DRCMR
     server string = %h server (Samba, Ubuntu)
     # Logins with an unknown username are mapped to the guest account
     # instead of being rejected.
     map to guest = Bad User
     obey pam restrictions = Yes
     # NOTE(review): the LDAP URL has no host here - possibly stripped by the
     # list archive; confirm against the real file.
     passdb backend = ldapsam:ldap://
#   passwd program = /usr/sbin/smbldap-passwd %u
     # With unix password sync = Yes, smbd runs this program as root on a
     # password change and drives it with the passwd chat below.
     passwd program = /usr/bin/passwd %u
#   encrypt passwords = yes
#   passwd chat = *Password:* %n\n *Retype\snew\s*\spassword:* %n\n 
*password\supdated\ssuccessfully* .
     # The chat has to match the prompts the passwd program actually prints
     # (these come from the PAM password stack); if the expected output is
     # not seen, the password is not changed.
     # NOTE(review): this setting is mail-wrapped over two lines.
     passwd chat = *Enter\snew\sPassword:* %n\n 
*Re-type\snew\spassword:* %n\n *password\supdated\ssuccessfully* .
     unix password sync = Yes
     # Samba writes only its own NT/LM hashes to LDAP; presumably the LDAP
     # userPassword is updated through the passwd program and pam_ldap - confirm.
     ldap password sync = No
     pam password change = No
     # Debug-level logging for troubleshooting. Logs this verbose can expose
     # account and session details: restrict access to the log files and
     # lower the level again afterwards.
     log level = 10
     debug uid = no
     syslog = 0
     log file = /var/log/samba/log.%m
     max log size = 5000
     time server = Yes
     printing= cups
     printcap name = cups
     # Account-management hooks: smbd substitutes the user, group or machine
     # name into these commands; the arguments are quoted here.
     add user script = /usr/sbin/smbldap-useradd -m "%u"
     delete user script = /usr/sbin/smbldap-userdel "%u"
     add group script = /usr/sbin/smbldap-groupadd -p "%g"
     delete group script = /usr/sbin/smbldap-groupdel "%g"
     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
     add machine script = /usr/sbin/smbldap-useradd -w "%m"
     logon script = %U.bat
     logon path = \\storage2\profiles\%U\%a
     logon drive = p:
     logon home  = \\storage2\%U
     domain logons = Yes
     os level = 50
     preferred master = Auto
     domain master = Yes
     wins support = Yes
     wins hook = /mnt/admin/samba/bin/dns_update
     ldap admin dn = cn=admin,dc=drcmr,dc=local
     ldap delete dn = Yes
     ldap group suffix = ou=Groups
     ldap idmap suffix = ou=Users
     ldap machine suffix = ou=Computers
     ldap suffix = dc=drcmr,dc=local
     # No TLS towards the LDAP server: the bind as ldap admin dn and the
     # password hashes Samba reads and writes cross the connection in
     # cleartext. Reasonable only when slapd runs on the same host;
     # otherwise "start tls" or an ldaps:// URL is the safer choice.
     ldap ssl = no
     ldap user suffix = ou=Users
     # User-defined shares may be opened to unauthenticated clients; together
     # with map to guest above this permits guest access to such shares.
     # NOTE(review): only relevant if usershares are enabled - confirm.
     usershare allow guests = Yes
     panic action = /usr/share/samba/panic-action %d
     idmap backend =
     # Set in [global], so it is the default for every share: the script is
     # run as root on connect with the session username (%U) as an unquoted
     # argument. The script should validate that argument itself.
     root preexec = /mnt/admin/samba/bin/netlogon %U
     kernel oplocks = no
     # smbd listens on the NetBIOS session port only (no 445).
     smb ports = 139

I'm not sure whether any other configuration files are relevant.


