The master is a xenamd64 debian 5.0.6
samba is Version 3.5.6
ldap is 2.4.11 (installed via apt)
Dp.

On 16 August 2011 12:13, J. Echter <[email protected]> wrote:
> On 16.08.2011 13:06, Dermot wrote:
>>
>> I have a stanza like this in the slapd.conf on the ldap master.
>>
>> # users can authenticate and change their password
>> access to
>>     attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>>
>> I have a lot of debug messages from ldap going into the logs but I
>> can't see any errors. I can't see any attempt at a password change in the
>> log.
>>
>> I know that the ldap password had not changed either. What do you mean
>> by dynamically configured ldap?
>> Thanks,
>> Dp.
>>
>>
>>
>> On 16 August 2011 11:51, J. Echter <[email protected]> wrote:
>>>
>>> On 16.08.2011 12:48, Dermot wrote:
>>>>
>>>> Hi,
>>>>
>>>> I recently migrated to a Samba3x domain. One issue that has been
>>>> reported to me is that XP users cannot change their password from
>>>> their PC. I have done some searching and I haven't seen a
>>>> straightforward answer to this.
>>>>
>>>> My config is
>>>>
>>>> ldap primary + Samba PDC on host A
>>>> ldap slave + samba BDC on host B
>>>>
>>>> I see this error in the machine log when someone attempts to change
>>>> their password:
>>>>
>>>> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>>
>>>>
>>>> I have seen this article:
>>>>
>>>>
>>>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
>>>> but I am not sure if it's appropriate for my environment. I suspect
>>>> the answer to this may be very dependent on my config.
>>>> Can anyone offer any advice?
>>>> Thanks in advance.
>>>> Dermot.
>>>>
>>>>
>>>> =========== smb.conf on PDC ===========
>>>>
>>>>     dos charset = UTF-8
>>>>     display charset = UTF-8
>>>>     workgroup = FOO
>>>>     server string = %h server
>>>>     map to guest = Bad User
>>>>     passdb backend = ldapsam:ldap://127.0.0.1/
>>>>     pam password change = Yes
>>>>     passwd program = /usr/sbin/smbldap-passwd -u %u
>>>>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>>>     unix password sync = Yes
>>>>     log level = 1
>>>>     syslog = 0
>>>>     log file = /var/log/samba/log.%m
>>>>     max log size = 1000
>>>>     smb ports = 139 445
>>>>     name resolve order = wins hosts bcast
>>>>     time server = Yes
>>>>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>     load printers = No
>>>>     add user script = /usr/sbin/smbldap-useradd -m %u
>>>>     delete user script = /usr/sbin/smbldap-userdel '%u'
>>>>     delete group script = /usr/sbin/smbldap-groupdel %g
>>>>     add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>>     delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>>     set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>>     add machine script = /usr/sbin/smbldap-useradd -w %u
>>>>     logon script = logon.bat
>>>>     logon path =
>>>>     logon drive = U:
>>>>     logon home =
>>>>     domain logons = Yes
>>>>     os level = 65
>>>>     preferred master = Auto
>>>>     domain master = Yes
>>>>     dns proxy = No
>>>>     ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>>>>     ldap delete dn = Yes
>>>>     ldap group suffix = ou=Groups
>>>>     ldap idmap suffix = ou=idmap
>>>>     ldap machine suffix = ou=Computers, ou=Users
>>>>     ldap passwd sync = yes
>>>>     ldap suffix = dc=mydomain,dc=co,dc=uk
>>>>     ldap ssl = no
>>>>     ldap timeout = 20
>>>>     ldap user suffix = ou=Users
>>>>     panic action = /usr/share/samba/panic-action %d
>>>>     idmap backend = ldap:"ldap://127.0.0.1/"
>>>>     idmap uid = 15000-20000
>>>>     idmap gid = 15000-20000
>>>>     map acl inherit = Yes
>>>>     case sensitive = No
>>>>     hide unreadable = Yes
>>>
>>> Hi,
>>>
>>> afaik, you have to authenticate users to change NTpasswd and stuff like
>>> that.
>>>
>>> i have seen this example for slapd.conf
>>>
>>> # The userPassword by default can be changed
>>> # by the entry owning it if they are authenticated.
>>> # Others should not be able to see it, except the
>>> # admin entry below
>>> # These access lines apply to database #1 only
>>> access to
>>>     attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>>>     by dn="cn=admin,dc=meinnetz,dc=xx" write
>>>     by anonymous auth
>>>     by self write
>>>     by * none
>>>
>>> but i don't know how to add it to dynamically configured ldap.
>>>
>>> cheers
>>>
>>> juergen
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
> which distro do you use?
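
Added example, not part of the thread and not code from Samba or OpenLDAP: a simplified Python model of how slapd walks the `by` clauses of the two `access to` stanzas quoted above, so the access each kind of requester ends up with can be compared. The requester DNs are constructed, and the matching rules (exact DN match, first matching clause wins and stops evaluation) are a simplification of slapd's ACL engine.

```python
import re

# Both stanzas are copied from the thread; the DNs below are constructed samples.
STANZA_DERMOT = """access to
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by self write
    by anonymous auth
    by * none"""
STANZA_JUERGEN = """access to
    attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=meinnetz,dc=xx" write
    by anonymous auth
    by self write
    by * none"""
USER = "uid=kreuze,ou=Users,dc=meinnetz,dc=xx"   # constructed entry DN
ADMIN = "cn=admin,dc=meinnetz,dc=xx"             # DN named in the second stanza

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (simplified normalisation)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_stanza(text):
    """Return (attribute set, ordered list of (who, level)) for one stanza."""
    attrs = re.search(r"attrs=(\S+)", text).group(1).lower().split(",")
    by = re.findall(r'\bby\s+(dn="[^"]*"|\S+)\s+(\w+)', text)
    return set(attrs), by

def effective_access(text, attr, requester, entry_dn):
    """Level granted on `attr` of `entry_dn`; requester None is an anonymous bind.

    Returns None when the stanza does not list the attribute, in which case
    slapd would move on to the next 'access to' directive.
    """
    attrs, by = parse_stanza(text)
    if attr.lower() not in attrs:
        return None
    for who, level in by:  # first matching <who> wins
        if who == "*":
            return level
        if who == "anonymous" and requester is None:
            return level
        if requester is None:
            continue
        if who == "self" and norm_dn(requester) == norm_dn(entry_dn):
            return level
        if who.startswith('dn="') and norm_dn(who[4:-1]) == norm_dn(requester):
            return level
    return "none"  # implicit trailing 'by * none'
```

Under the first stanza a bind as the admin DN falls through to `by * none`, while the second grants it `write`; a DN configured as the database `rootdn` bypasses ACLs entirely, so that difference only matters when the DN Samba binds with is an ordinary entry.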
