Hi

I have a customer who is having a problem with Samba password changes.

The samba server (server12) is set up as a PDC for a Windows domain with XP clients. Samba is Version 3.0.26a-SerNet-RedHat. OS is CentOS 3.9.

There is also a separate mail server (server56) running FC6 which uses NIS for user validation.

NIS server is running on server12.

Generally speaking, everything is working and has been since the server was set up by root.

When a user tries to change their password from their XP workstation they get the following error "You do not have permission to change your password".

If I log on to the server and do an "su -" to the user's account, I get the following:

[EMAIL PROTECTED] robynw]$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the password change: Error was : RAP86: The specified password is invalid.
Password changed for user robynw (Note: everything remains unchanged).


When I look in /var/log/messages I see the following:

Sep 10 11:53:08 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
Sep 10 11:53:17 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
Sep 10 11:54:16 sydsrv12 named[4727]: client 192.168.0.210#2081: update 'jamesons.com.au/IN' denied
Sep 10 11:54:43 sydsrv12 su(pam_unix)[1859]: session opened for user robynw by prosmart(uid=0)
Sep 10 11:55:28 sydsrv12 named[4727]: client 192.168.0.242#1430: update 'jamesons.com.au/IN' denied
Sep 10 11:55:38 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)
Sep 10 11:56:09 sydsrv12 su(pam_unix)[1859]: session closed for user robynw
Sep 10 11:56:23 sydsrv12 ypserv[905]: refused connect from 192.168.0.56:49229 to procedure ypproc_match (jgc,shadow.byname;-1)


In the workstation log in /var/log/samba/pc004 I see the following:

[2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
  smb_pam_passchange: PAM: Password Change Failed for user robynw!
[2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
  smb_pam_passchange: PAM: Password Change Failed for user robynw!
[2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
  smb_pam_passchange: PAM: Password Change Failed for user robynw!
[2008/09/10 11:53:39, 0] auth/pampass.c:smb_pam_passchange(847)
  smb_pam_passchange: PAM: Password Change Failed for user robynw!


Here is the contents of /etc/pam.d/samba:

#%PAM-1.0
auth     required       pam_unix.so
account  required       pam_unix.so

and the global section of /etc/samba/smb.conf:

# Date: 2008/09/10 11:01:30

[global]
        workgroup = MYDOMAIN
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        show add printer wizard = No
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        logon home = \\%L\%U
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        ldap ssl = no
        utmp = Yes
        map acl inherit = Yes
        cups options = Raw
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb/
        strict locking = No

I would really appreciate anyone's input into where I should start looking. Although I would like a solution to this, I would /really/ like to understand the problem a little better. I have gone through the Official Samba-3 How To and Samba by Example but I don't feel any closer to the solution.

Any takers?

TIA

Nigel.


--
Nigel Allen
Managing Director
Electronic Document Registry Systems    
EDRS
Phone: +61 2 9450 2690
Fax: +61 2 9450 2691
Mobile: +61 4 1494 5269
Web: http://www.edrs.com.au

DataSafe(TM) - Saving over 80% of your postage costs
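
An added example, not part of the original message and not Samba's own code: a check of whether the PAM service file and the [global] settings quoted above agree, given that with "pam password change = Yes" smbd asks PAM to perform the Unix password change and PAM needs a "password" stack in the service file to do so. The function names are hypothetical and the two inputs are constructed from the files quoted in the message.

```python
import re

# Constructed sample input: the two files as quoted in the message above.
PAM_SAMBA = """#%PAM-1.0
auth     required       pam_unix.so
account  required       pam_unix.so
"""
SMB_CONF = """[global]
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        unix password sync = Yes
"""
# type, control (plain word or [bracketed list]), module
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.I)

def pam_stacks(text):
    """Return {management group: [modules]} for one /etc/pam.d service file."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m:
            stacks[m.group(1).lower()].append(m.group(3))
    return stacks

def smb_globals(text):
    """Return [global] parameters, names lowercased with whitespace collapsed."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_password_sync(pam_text, smb_text):
    """List mismatches between smb.conf password sync and the PAM service."""
    p, stacks = smb_globals(smb_text), pam_stacks(pam_text)
    on = lambda k: p.get(k, "no").lower() in ("yes", "true", "1")
    findings = []
    if on("unix password sync") and on("pam password change"):
        if not stacks["password"]:  # pam_chauthtok() has nothing to run here
            findings.append("no 'password' stack in PAM service file")
        if "passwd program" in p:
            findings.append("passwd program is ignored when PAM is used")
    return findings

if __name__ == "__main__":
    for f in check_password_sync(PAM_SAMBA, SMB_CONF):
        print("FINDING:", f)
```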
