[Samba] Fwd: Unable to change passwords from Win XP Pro clients

Rowland Penny rpenny at samba.org
Fri Apr 21 15:30:22 UTC 2017

On Fri, 21 Apr 2017 10:39:58 -0400
Eleuterio Contracampo via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> First time with Samba 4.
> I've got it running mostly (with Windows 7 clients, everything works
> like a charm.), but I'm struggling with an issue that is driving me
> nuts (spent countless hours trying out stuff and googling without
> luck):
> When users log in from Win XP Pro terminals, and are forced to change
> initially assigned passwords, they get an error (1728: error in RPC
> protocol) and cannot continue.
> Some background about my setup:

You do not have a 'PDC' & 'BDC', you have two AD DCs.

> My smb.conf (PDC):
> # Global parameters
> [global]

Remove this lot from smb.conf:

    wins support = yes 
    security = user 
    os level = 65 
    domain logons = yes
    preferred master = yes
    domain master = yes
    local master = yes
    name resolve order = host wins lmhosts bcast
    remote announce =
    remote browse sync =
    passdb backend = ldapsam:"ldap:// ldap://"
    ldap suffix = dc=MYDOMAIN,dc=org,dc=ar
    ldap user suffix = ou=users
    ldap machine suffix = ou=machines
    ldap group suffix = ou=groups
    ldap admin dn = cn=admin,dc=MYDOMAIN,dc=org,dc=ar
    ldap delete dn = no
    acl:search = false
    kerberos method = secrets only
    vfs objects = fileid acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    ldap passwd sync = yes

They are either default settings or have absolutely no place in an AD
DC smb.conf. The 'ldap' lines should only be used on an LDAP-based Samba
machine, not an AD DC; 'acl_xattr' is built into the samba binary.
Finally, 'ldap passwd sync' only makes sense when you want the local
users' passwords to sync with the users in ldap; the only problem is, you
cannot have a local user with the same name as an AD user.

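As an added example (not code from this thread or from the Samba project), the following script parses an smb.conf and reports every [global] parameter from the removal list in the reply above, so the same check can be run against any DC's configuration before editing it by hand. The list of parameter names is copied from the reply; the sample smb.conf, its hostnames and addresses are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Parameters that, per the reply above, do not belong in an AD DC smb.conf.
# (Assumption: the list is taken verbatim from the reply; nothing else is implied.)
NOT_FOR_AD_DC = {
    "wins support", "security", "os level", "domain logons",
    "preferred master", "domain master", "local master",
    "name resolve order", "remote announce", "remote browse sync",
    "passdb backend", "ldap suffix", "ldap user suffix",
    "ldap machine suffix", "ldap group suffix", "ldap admin dn",
    "ldap delete dn", "acl:search", "kerberos method", "vfs objects",
    "map acl inherit", "store dos attributes", "ldap passwd sync",
}


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse smb.conf text into {section: [(param, value), ...]}.

    Skips blank lines and '#' / ';' comment lines, keeps values that
    themselves contain '=' intact, and normalises parameter names to
    lowercase with single spaces (Samba treats names case-insensitively).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = " ".join(name.strip().lower().split())
        sections[current].append((name, value.strip()))
    return sections


def find_stale_settings(text: str) -> List[Tuple[str, str]]:
    """Return (param, value) pairs in [global] that should be removed on an AD DC."""
    sections = parse_smb_conf(text)
    return [(n, v) for n, v in sections.get("global", []) if n in NOT_FOR_AD_DC]


# Constructed sample: an AD DC smb.conf that still carries NT4/ldapsam leftovers.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    netbios name = DC1
    realm = EXAMPLE.TEST
    workgroup = EXAMPLE
    server role = active directory domain controller
    dns forwarder = 192.0.2.1
    wins support = yes
    security = user
    Domain Logons = yes
    passdb backend = ldapsam:"ldap://ldap1.example.test ldap://ldap2.example.test"
    ldap suffix = dc=example,dc=test
    ldap passwd sync = yes
    ; idmap settings are fine on a DC and must not be flagged
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

if __name__ == "__main__":
    for name, value in find_stale_settings(SAMPLE_SMB_CONF):
        print(f"remove: {name} = {value}")
```

Run it with the path of a real smb.conf substituted for the constructed sample; the parser only reads the file, so nothing is changed until you edit the configuration yourself and confirm it with testparm.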