On 16.08.2011 13:06, Dermot wrote:
I have a stanza like this in the slapd.conf on the ldap master.

# users can authenticate and change their password
access to 
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
         by self write
         by anonymous auth
         by * none


I have a lot of debug messages from ldap going into the logs but I
can't see any errors. I can't see any attempt at a password change in the
log.

I know that the ldap password had not changed either. What do you mean
by dynamically configured ldap?
Thanks,
Dp.



On 16 August 2011 11:51, J. Echter<[email protected]>  wrote:
On 16.08.2011 12:48, Dermot wrote:
Hi,

I recently migrated to a Samba3x domain. One issue that has been
reported to me is that XP users cannot change their password from
their PC. I have done some searching and I haven't seen a
straightforward answer to this.

My config is

ldap primary + Samba PDC on host A
ldap slave + samba BDC on host B

I see this error in the machine log when someone attempts to change
their password:

[2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.215657,  0] auth/pampass.c:705(smb_pam_chauthtok)
   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.215741,  0] auth/pampass.c:861(smb_pam_passchange)
   smb_pam_passchange: PAM: Password Change Failed for user kreuze!


I have seen this article:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
but I am not sure if it's appropriate for my environment. I suspect
the answer to this may be very dependent on my config.
Can anyone offer any advice?
Thanks in advance.
Dermot.


=========== smb.conf on PDC ===========

        dos charset = UTF-8
        display charset = UTF-8
        workgroup = FOO
        server string = %h server
        map to guest = Bad User
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139 445
        name resolve order = wins hosts bcast
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel '%u'
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon script = logon.bat
        logon path =
        logon drive = U:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Auto
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=Computers, ou=Users
        ldap passwd sync = yes
        ldap suffix = dc=mydomain,dc=co,dc=uk
        ldap ssl = no
        ldap timeout = 20
        ldap user suffix = ou=Users
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:"ldap://127.0.0.1/";
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        map acl inherit = Yes
        case sensitive = No
        hide unreadable = Yes
Hi,

afaik, you have to authenticate users to change NTpasswd and stuff like
that.

i have seen this example for slapd.conf

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=meinnetz,dc=xx" write
        by anonymous auth
        by self write
        by * none

but i don't know how to add it to dynamically configured ldap.

cheers

juergen
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

which distro do you use?
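As an added example (not written by anyone in this thread): the slapd.conf ACL Juergen quoted, expressed as an LDIF modification for a cn=config ("dynamically configured") OpenLDAP server, which is the step his message leaves open. The database DN olcDatabase={1}hdb,cn=config and the file name acl.ldif are assumptions; the ldapsearch in the comment shows which DN and which existing olcAccess rules your server actually has.

```ldif
# Constructed example: apply the quoted password-attribute ACL to a
# cn=config OpenLDAP server. First find the real database DN and the
# rules already present (the database may be {1}mdb, {2}hdb, ...):
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase=*' olcAccess
# Then apply this file as root on the LDAP master:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
#
# olcAccess is an ordered attribute and rules are evaluated top-down,
# stopping at the first "to" clause that matches; the {0} index inserts
# this rule ahead of any existing catch-all "to * by ..." rule, which
# would otherwise shadow it and leave the password attributes unwritable
# (or readable) by the wrong parties.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
  by dn="cn=admin,dc=meinnetz,dc=xx" write
  by anonymous auth
  by self write
  by * none
```

The continuation lines start with two spaces on purpose: LDIF strips one as the fold marker and keeps the other, so the value is reassembled as a single space-separated ACL. After applying, re-run the ldapsearch above and confirm the new rule appears as {0} and the previous rules have been renumbered below it.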
