[Samba] Error when changing domain password in Windows XP
Torkil Svensgaard
torkil at drcmr.dk
Fri May 27 07:02:22 MDT 2011
On 2011-05-27 14:22, Harry Jede wrote:
> try the same search with the user(s) you have configured for
> smbldap-tools and pam_ldap
ldapsearch -x -LLL -D "cn=admin,dc=drcmr,dc=local" -W -b
"ou=Users,dc=drcmr,dc=local" "uid=torkil"
This also works.
> you should NOT have an LDAP user for nss, nor nss configured for shadow
> db.
I'm not certain what you mean by this, but here are the relevant lines
from nsswitch.conf. Should shadow be changed to something else?
# Name-service lookup order as posted: each database is looked up in the
# local files first and in LDAP second.
passwd: files ldap
group: files ldap
# NOTE(review): serving the shadow database from LDAP is only needed if
# something reads shadow data through NSS. pam_ldap normally authenticates by
# binding to the directory and does not need it - confirm that nothing else
# depends on this source before changing the line.
shadow: files ldap
> post the relevant config files and the global section from smb.conf
From /etc/pam.d/common-password
# Password-change stack as posted. The mail client wrapped long lines, so
# each module entry below may span two lines.
#
# pam_passwdqc: the five min= values are per password kind. The first three
# kinds are disabled; the last two (three- and four-character-class
# passwords) need at least 8 characters.
password requisite pam_passwdqc.so
min=disabled,disabled,disabled,8,8
# success=N skips the next N entries. A success in pam_unix, pam_winbind or
# pam_ldap therefore jumps over pam_deny and lands on pam_permit.
password [success=3 default=ignore] pam_unix.so obscure
use_authtok try_first_pass sha512 min=8
password [success=2 default=ignore] pam_winbind.so
use_authtok try_first_pass
# default=die: any pam_ldap result other than success or user_unknown ends
# the stack with a failure.
password [success=1 user_unknown=ignore default=die]
pam_ldap.so use_authtok try_first_pass
# Reached only when none of the three modules above reported success.
password requisite pam_deny.so
password required pam_permit.so
# optional: a failure to update the Samba password does not fail the change,
# so the Unix/LDAP and Samba passwords can drift apart without an error.
# NOTE(review): nullok permits empty passwords - confirm that is intended.
password optional pam_smbpass.so nullok
use_authtok use_first_pass
From slapd.conf (ACL)
# ACL for the password attributes: the admin DN and the entry's own user may
# write them, anonymous clients may use them only to authenticate (bind), and
# everyone else has no access. sambaNTPassword and sambaLMPassword hold
# password-equivalent hashes, so they need the same protection as
# userPassword.
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=drcmr,dc=local" write
by anonymous auth
by self write
by * none
From smb.conf ([global])
# [global] settings of a Samba domain controller (domain logons = Yes) that
# keeps its accounts in LDAP, as posted. The mail client wrapped long lines,
# so some values continue on the following line.
workgroup = DRCMR
server string = %h server (Samba, Ubuntu)
# Logins with an unknown user name are mapped to the guest account; a known
# user with a wrong password is still rejected.
map to guest = Bad User
obey pam restrictions = Yes
# Account database is the LDAP server on the loopback address.
passdb backend = ldapsam:ldap://127.0.0.1/
# passwd program = /usr/sbin/smbldap-passwd %u
# With "unix password sync = Yes" below, smbd runs this program as root when
# an SMB client changes a password.
passwd program = /usr/bin/passwd %u
# encrypt passwords = yes
# passwd chat = *Password:* %n\n *Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
# The chat script must match the prompts that the passwd program above
# actually prints; if it does not, the password sync fails.
passwd chat = *Enter\snew\sPassword:* %n\n
*Re-type\snew\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
# No: Samba updates only its own NT/LM hashes in LDAP, not userPassword.
ldap password sync = No
# No: password changes go through passwd program / passwd chat, not PAM.
pam password change = No
# Debug-level logging for troubleshooting. NOTE(review): logs at this level
# are very verbose and may contain sensitive detail; lower it again once the
# problem is found and restrict access to the log directory.
log level = 10
debug uid = no
syslog = 0
log file = /var/log/samba/log.%m
max log size = 5000
time server = Yes
printing= cups
printcap name = cups
# Account-management hooks: smbd invokes these smbldap-tools commands with
# the quoted user, group or machine name substituted.
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%m"
logon script = %U.bat
logon path = \\storage2\profiles\%U\%a
logon drive = p:
logon home = \\storage2\%U
domain logons = Yes
os level = 50
preferred master = Auto
domain master = Yes
wins support = Yes
wins hook = /mnt/admin/samba/bin/dns_update
# Samba binds to LDAP as this DN; its password is stored separately from
# smb.conf.
ldap admin dn = cn=admin,dc=drcmr,dc=local
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap suffix = dc=drcmr,dc=local
# No TLS on the LDAP connection. The backend URL above is the loopback
# address, so the admin bind and the password hashes stay on this host; use
# "start tls" if the directory is ever moved to another machine.
ldap ssl = no
ldap user suffix = ou=Users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap backend =
# Runs as root when a client connects, with the client-requested user name
# (%U) as argument; the script should treat that argument as untrusted.
root preexec = /mnt/admin/samba/bin/netlogon %U
kernel oplocks = no
# Listen for SMB on the NetBIOS session port (139) only.
smb ports = 139
I'm not sure if any other configuration files are relevant?
Thanks,
Torkil