Hello,
I just wasted several hours trying to figure out why I could not change Samba passwords from Windows XP computers. I'm posting here so that there is some form of documentation about this on the web.

   My setup is basically this:

- Samba 3.3.2  (running under Ubuntu 9.04)
- OpenLDAP user database
- Full O.S. support for OpenLDAP auth, using nsswitch and PAM. (My client LDAP config was installed using *auth-client-config *as per https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, plus some tweaking in /etc/smbldap-tools/. )

I can ssh into the box as a system user that exists only in LDAP (and not in /etc/passwd). I can also change my LDAP password at the bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or smbpasswd. That all works as per the documentation.

The problem: I could not change my password from Windows boxen. They kept giving me "You do not have permission to change your password."

I found the solution by cranking up the log level to 10. I eventually found this golden snippet in all the noise:

[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_chauthtok(670)
 smb_pam_chauthtok: PAM: Password Change for User: dereks
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
 smb_pam_passchange_conv: starting converstation for 1 messages
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
 smb_pam_passchange_conv: Processing message 0
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
 smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*retype new * password:*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*password updated successfully*| to |New password:|
[2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to |New password:|
[2009/11/30 23:23:37,  3] auth/pampass.c:smb_pam_passchange_conv(370)
smb_pam_passchange_conv: Could not find reply for PAM prompt: New password:
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_chauthtok(699)
 PAM: User not known to PAM
[2009/11/30 23:23:37,  2] auth/pampass.c:smb_pam_error_handler(77)
smb_pam_error_handler: PAM: Password Change Failed : User not known to the underlying authentication module
[2009/11/30 23:23:37,  0] auth/pampass.c:smb_pam_passchange(861)
 smb_pam_passchange: PAM: Password Change Failed for user dereks!
[2009/11/30 23:23:37,  4] auth/pampass.c:smb_pam_end(450)
 smb_pam_end: PAM: PAM_END OK.
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/11/30 23:23:37,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
[2009/11/30 23:23:37, 5] rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
 _samr_ChangePasswordUser2: 1907
     samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
         out: struct samr_ChangePasswordUser2
             result                   : NT_STATUS_ACCESS_DENIED


Here you can see that the "password chat" was attempting to communicate with PAM in a fashion similar to 'expect'. My "passwd chat" setting in /etc/samba/smb.conf was not correct, so the password change failed. The resulting error code "NT_STATUS_ACCESS_DENIED" caused Windows to print that useless "You do not have permission to change your password" dialog box, and sent me on a wild goose chase.

   The comments in the smb.conf that come with Ubuntu say this:

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<ka...@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
  passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
  pam password change = yes

My reading of these comments is that either "passwd program" with matching "passwd chat" will be used, or else "pam password change = yes" will be used. In my troubleshooting, I commented out either the first one (to use PAM), or else the latter one (to use /usr/bin/passwd with the chat setting). That interpretation was also consistent with all the Samba docs and forum postings I found online.

But, as shown in the logs above, the correct answer was "pam password change = yes" with a corrected "passwd chat" setting. Here is a setting that works for me on Ubuntu 9.04:

passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *New\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

I deduced that customized chat script by running "/usr/bin/passwd username" at the bash prompt to see what happens. Alternatively, I now know that the default setting for "passwd chat" setting will work with PAM, if I comment out the broken one that comes with the Ubuntu (and Debian?) smb.conf file and also comment out the "passwd program = ..." line. In short, the combination of these issues made troubleshooting time consuming and difficult:

- Misleading error message ("You do not have permission to change your password.") - Misleading docs that imply EITHER "pam password change = yes" OR "passwd program" with "passwd chat" - An outdated, incorrect setting for "passwd chat" in the Debian and Ubuntu smb.conf file that does not work with /usr/bin/passwd - Missing Samba docs to explain "passwd chat" might be used, even in the case of "pam password change = yes" - Missing Samba docs to explain the default setting for "passwd chat" will work with PAM, in the case of "pam password change"


   Hopefully this will help somebody else avoid the same mistake.


Thank You,
Derek Simkowiak

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to