[Samba] ERRNO=Operation not permitted in Logs

2011-01-25 Thread Christopher Springer

I'm receiving the following errors in my system logs...

Log
Jan 24 11:25:06 localhost nmbd[1276]: [2011/01/24 11:25:06.840799,  0] 
libsmb/nmblib.c:839(send_udp)
Jan 24 11:25:06 localhost nmbd[1276]:   Packet send failed to 
10.40.0.124(138) ERRNO=Operation not permitted
Jan 24 14:01:59 localhost nmbd[1276]: [2011/01/24 14:01:58.622688,  0] 
libsmb/nmblib.c:839(send_udp)
Jan 24 14:01:59 localhost nmbd[1276]:   Packet send failed to 
10.40.0.58(138) ERRNO=Operation not permitted
Jan 25 04:47:53 localhost nmbd[1276]: [2011/01/25 04:47:53.176812,  0] 
libsmb/nmblib.c:839(send_udp)
Jan 25 04:47:53 localhost nmbd[1276]:   Packet send failed to 
10.40.0.42(138) ERRNO=Operation not permitted

/Log

This is on a Samba BDC on a remote subnet (PI-VPN) from the PDC both 
with an LDAP backend.  The LDAP directory is replicated to the remote 
server via syncrepl.  Everything appears to be working fine but I'm 
curious what would be causing these errors to occur at random.


Any ideas are greatly appreciated.

--
Christopher Springer
IS/IT Systems Administrator
csprin...@brcrp.com

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] ERRNO=Operation not permitted in Logs

2011-01-25 Thread Christopher Springer
I verified that the Windows XP firewall and our anti-virus/anti-malware 
is not blocking any of the traffic.  Are there any other 
possibilities/reasons this error might occur in the log?


Thanks for the insight!
--

Christopher Springer
IS/IT Systems Administrator
csprin...@brcrp.com


On 01/25/2011 09:32 AM, Volker Lendecke wrote:

On Tue, Jan 25, 2011 at 09:11:01AM -0500, Christopher Springer wrote:

I'm receiving the following errors in my system logs...

Log
Jan 24 11:25:06 localhost nmbd[1276]: [2011/01/24 11:25:06.840799,  0]
libsmb/nmblib.c:839(send_udp)
Jan 24 11:25:06 localhost nmbd[1276]:   Packet send failed to
10.40.0.124(138) ERRNO=Operation not permitted
Jan 24 14:01:59 localhost nmbd[1276]: [2011/01/24 14:01:58.622688,  0]
libsmb/nmblib.c:839(send_udp)
Jan 24 14:01:59 localhost nmbd[1276]:   Packet send failed to
10.40.0.58(138) ERRNO=Operation not permitted
Jan 25 04:47:53 localhost nmbd[1276]: [2011/01/25 04:47:53.176812,  0]
libsmb/nmblib.c:839(send_udp)
Jan 25 04:47:53 localhost nmbd[1276]:   Packet send failed to
10.40.0.42(138) ERRNO=Operation not permitted
/Log

Firewall?

Volker




Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.

2011-01-12 Thread Christopher Springer

I've finally found the solution (or at least in my case) to this problem.

After looking at the logs for LDAP (slapd) I found that every time a 
system on the domain tried to update its associated account information 
in the database I would receive the following error:


RESULT tag=103 err=53 text=shadow context; no update referral

This led me to find that the account information in LDAP was not being 
updated...however the machine's domain user accounts would still be able 
to login so it wasn't a major issue...just EXTREMELY annoying.  I added 
the following line in my slapd.conf file to tell the slapd daemon where 
to send its updates since it's a read-only local authentication server 
at the remote plants:


updateref ldap://xxx.xxx.xxx.xxx

The remote server now sends the account database updates to the central 
master server and eventually replicates those changes back down to the 
remote sites...and, thus, eliminating the annoying error message that I 
was receiving in my samba and system logs.  Just for reference, the 
original error was something similar to the following...


_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting 
auth request from client  machine account $   or
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client  machine account $


Thanks all!  I hope this helps someone else.

Chris

On 08/19/2010 03:29 PM, Christopher Springer wrote:
 My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP 
configuration.  Everything works fine on both subnets but I'm getting 
the following error in /var/log/messages and in 
/var/log/samba/log.smbd...


_netr_ServerAuthenticate2: netlogon_creds_server_check failed. 
Rejecting auth request from client XXX30874 machine account XXX30874$


This message seems to be repeated every time someone logs into their 
machine or when the machine has to contact the server for 
authentication purposes.  I have not had a chance to go through all of 
the logs and verify what OS's are the offenders but it appears that a 
lot of them are old WindowsNT4 machines.


Please note that the only server on the subnet in question is the 
BDC.  It has a local, replicated LDAP directory against which logins 
are authenticated.  nmbd/wins is used for host name/netbios visibility.


Any ideas to getting rid of this error in the log file?  Again, it 
appears that access to files is working fine...it's just an annoyance 
because I don't understand why it's happening.


Thanks.

Chris
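
The diagnosis in the message above (a syncrepl consumer answering every write with err=53 until updateref is set) can be confirmed from the slapd log by joining each refused RESULT to the MOD request on the same connection and operation. This is an added example, not code from the thread: the log lines are constructed in slapd's stats log format, and the host name, DNs, connection numbers and function names are assumptions. It also recognises err=10 (referral), which is what a consumer returns for a write once updateref is configured.

```python
import re
from collections import Counter

# Constructed sample in slapd's "stats" log format. Host, DNs and connection
# numbers are invented for illustration and do not come from the thread.
SAMPLE_LOG = '''\
Jan 12 10:01:02 bdc1 slapd[2101]: conn=1041 op=2 MOD dn="uid=XXX30874$,ou=Computers,dc=example,dc=com"
Jan 12 10:01:02 bdc1 slapd[2101]: conn=1041 op=2 MOD attr=sambaNTPassword sambaPwdLastSet
Jan 12 10:01:02 bdc1 slapd[2101]: conn=1041 op=2 RESULT tag=103 err=53 text=shadow context; no update referral
Jan 12 10:01:09 bdc1 slapd[2101]: conn=1042 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Jan 12 10:01:09 bdc1 slapd[2101]: conn=1042 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 12 10:03:40 bdc1 slapd[2101]: conn=1050 op=3 MOD dn="uid=XXX30874$,ou=Computers,dc=example,dc=com"
Jan 12 10:03:40 bdc1 slapd[2101]: conn=1050 op=3 MOD attr=sambaNTPassword sambaPwdLastSet
Jan 12 10:03:40 bdc1 slapd[2101]: conn=1050 op=3 RESULT tag=103 err=53 text=shadow context; no update referral
Jan 12 10:05:11 bdc1 slapd[2101]: conn=1055 op=4 RESULT tag=103 err=53 text=shadow context; no update referral
Jan 12 11:30:00 bdc1 slapd[2101]: conn=1201 op=2 MOD dn="uid=XXX40012$,ou=Computers,dc=example,dc=com"
Jan 12 11:30:00 bdc1 slapd[2101]: conn=1201 op=2 MOD attr=sambaNTPassword sambaPwdLastSet
Jan 12 11:30:00 bdc1 slapd[2101]: conn=1201 op=2 RESULT tag=103 err=10 text=
'''

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sslapd\[\d+\]:\s'
                  r'conn=(?P<conn>\d+)\sop=(?P<op>\d+)\s(?P<rest>.*)$')
MOD_DN = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
MOD_ATTR = re.compile(r'^MOD attr=(?P<attrs>.*)$')
# Anchored at the start so "SEARCH RESULT ..." lines are not picked up.
RESULT = re.compile(r'^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$')

MODIFY_RESPONSE = 103  # BER tag of an LDAP ModifyResponse
UNWILLING = 53         # unwillingToPerform
REFERRAL = 10          # referral


def classify_writes(log_text):
    """Return one record per modify that the consumer refused or referred."""
    pending = {}   # (conn, op) -> request details seen so far
    outcomes = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        dn, attr, res = MOD_DN.match(rest), MOD_ATTR.match(rest), RESULT.match(rest)
        if dn:
            pending.setdefault(key, {})['dn'] = dn['dn']
        elif attr:
            pending.setdefault(key, {})['attrs'] = attr['attrs'].split()
        elif res:
            # The request may be missing if the log was rotated mid-operation.
            req = pending.pop(key, {})
            if int(res['tag']) != MODIFY_RESPONSE:
                continue
            err = int(res['err'])
            if err == UNWILLING and 'no update referral' in res['text']:
                status = 'refused'    # consumer has no updateref configured
            elif err == REFERRAL:
                status = 'referred'   # client was pointed at the master
            else:
                continue              # ordinary success or unrelated failure
            outcomes.append({'time': m['ts'], 'conn': key[0], 'op': key[1],
                             'status': status, 'dn': req.get('dn'),
                             'attrs': req.get('attrs', [])})
    return outcomes


def refused_entries(outcomes):
    """Count refused writes per DN (None when the request line was not seen)."""
    return Counter(o['dn'] for o in outcomes if o['status'] == 'refused')


if __name__ == '__main__':
    results = classify_writes(SAMPLE_LOG)
    for dn, count in refused_entries(results).most_common():
        print(f'{count:3d} refused  {dn or "<request not in log>"}')
    print(sum(o['status'] == 'referred' for o in results), 'referred to master')
```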



Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.

2011-01-12 Thread Christopher Springer
,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
by dn=cn=Manager,dc=example,dc=com write
by self write
by anonymous auth
by * none
access to *
by * read
#access to *
#   by * write



smb.conf - Master Server
-

[global]
log level = 1
workgroup = DOMAIN
netbios name = SYSNAME
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
lanman auth = yes
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=example,dc=com
ldap ssl = no
ldap passwd sync = yes
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No


My question to you is...why doesn't your PDC access your LDAP server?  
My configuration is a Samba domain with LDAP backend database...just FYI.


Chris


On 01/12/2011 01:49 PM, Martin Hochreiter wrote:

Hi Christopher!

Thank you for that information, I very much appreciate any deeper 
information on that issue.
Is there a chance that you give me the config of your central (major) 
ldap server and your smb.conf so we have the

chance to compare it with our system, please?

We see the same error but our PDC does directly access the main ldap 
server so it should not be a

problem of an update - reference ...

It would be nice to know the versions of your system too (we use 
ubuntu 8.04 and Centos 5.5 with ldap 2.4.XX and Samba 3.5.6)


Thank you very much!

regards
Martin


On 12.01.2011 17:37, Christopher Springer wrote:
I've finally found the solution (or at least in my case) to this 
problem.


After looking at the logs for LDAP (slapd) I found that every time a
system on the domain tried to update its associated account
information in the database I would receive the following error:

RESULT tag=103 err=53 text=shadow context; no update referral

This led me to find that the account information in LDAP was not
being updated...however the machine's domain user accounts would still
be able to login so it wasn't a major issue...just EXTREMELY
annoying.  I added the following line in my slapd.conf file to tell
the slapd daemon where to send its updates since it's a read-only
local authentication server at the remote plants:

updateref ldap://xxx.xxx.xxx.xxx

The remote server now sends the account database updates to the
central master server and eventually replicates those changes back
down to the remote sites...and, thus, eliminating the annoying error
message that I was receiving in my samba and system logs.  Just for
reference, the original error was something similar to the following...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed.
Rejecting auth request from client  machine account
$   or
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client  machine account $

Thanks all!  I hope this helps someone else.

Chris

On 08/19/2010 03:29 PM, Christopher Springer wrote:

 My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP
configuration.  Everything works fine on both subnets but I'm getting
the following error in /var/log/messages and in
/var/log/samba/log.smbd...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed.
Rejecting auth request from client XXX30874 machine account XXX30874$

This message seems to be repeated every time someone logs into their
machine or when the machine has to contact the server for
authentication purposes.  I have not had a chance to go through all
of the logs and verify what OS's are the offenders but it appears
that a lot of them are old WindowsNT4 machines.

Please note that the only server on the subnet in question is the
BDC.  It has a local, replicated LDAP directory against which logins
are authenticated.  nmbd/wins is used for host name/netbios visibility.

Any ideas to getting rid of this error in the log file?  Again, it
appears that access to files is working fine...it's just an annoyance
because I don't understand why it's happening.

Thanks.

Chris



Re: [Samba] Multinetwork environment without WINS server

2010-12-23 Thread Christopher Springer
If you use DHCP on your network the following directive (on a Linux 
server running dhcpd) will automatically distribute the WINS information:


option netbios-name-servers XXX.XXX.XXX.XXX;

This is the easiest way I've found to handle the Netbios situation with 
Samba in a multi-site environment.  We have 6 sites total and it has 
worked flawlessly since the time I installed it.

--

Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com


On 12/22/2010 09:24 PM, TAKAHASHI Motonobu wrote:

2010/12/23 t...@tms3.com:

Is there any way to use samba as pdc in multinetwork environment without
WINS server? In this case (without wins), how will computers find pdc?
--

Sure...LMHosts files on all the workstations.  Kinda messy.

Refer to the KB150800: Domain Browsing with TCP/IP and LMHOSTS Files
  http://support.microsoft.com/kb/150800/en-us where you will find how to
setup your LMHOSTS files.

You will use shared LMHOSTS file using #INCLUDE method: KB102725
http://support.microsoft.com/kb/102725/en-us


  You could allow
the NETBios traffic to run wild on your network...with local workstations
becoming local browse masters. All kinda messy.

WINS can not reduce the traffic about NetBIOS browsing, which always use
broadcasts regardless of WINS.

But WINS can reduce the traffic about NetBIOS name resolution, using unicast
to WINS servers instead of broadcasts.

---
TAKAHASHI Motonobu mo...@samba.gr.jp



[Samba] Logs Filling With Errors - Login Working Fine

2010-12-13 Thread Christopher Springer

Hello All:

Could someone please explain if the following log output is normal for 
my setup (see below)?  Setup is WAN-based Samba/LDAP domain with Samba 
PDC and master LDAP at corporate location.  6 Samba/LDAP BDC's with 1 at 
same location as PDC and then 1 at each remote site connected via WAN.  
NetBIOS information communicated via WINS server on corporate PDC over 
VPN.  LDAP directory is replicated using syncrepl module.  Clients are 
XP and Windows 7.


smbstatus --version:
Version 3.5.4-63.fc13

rpm -qa | grep openldap:
openldap-2.4.21-10.fc13.i686
openldap-devel-2.4.21-10.fc13.i686
openldap-servers-2.4.21-10.fc13.i686
openldap-clients-2.4.21-10.fc13.i686

Global section of smb.conf (from one of the servers in question - Remote 
BDC):


[global]
workgroup = XX
netbios name = XX
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = No
lanman auth = Yes
wins server = XXX.XXX.XXX.XXX
smb ports = 139
ldap suffix = dc=x,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
ldap passwd sync = yes
printing = cups


BEGIN LOG

Dec 13 10:52:27 brc40684 smbd[1908]: [2010/12/13 10:52:27.451195,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:52:27 brc40684 smbd[1908]:   _netr_ServerAuthenticate3: 
netlogon_creds_server_check failed. Rejecting auth request from client 
 machine account $
Dec 13 10:54:20 brc40684 smbd[1912]: [2010/12/13 10:54:20.641430,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:54:20 brc40684 smbd[1912]:   _netr_ServerAuthenticate3: 
netlogon_creds_server_check failed. Rejecting auth request from client 
 machine account $
Dec 13 10:56:06 brc40684 smbd[1917]: [2010/12/13 10:56:06.112343,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:56:06 brc40684 smbd[1917]:   _netr_ServerAuthenticate3: 
netlogon_creds_server_check failed. Rejecting auth request from client 
 machine account $
Dec 13 11:07:27 brc40684 smbd[1944]: [2010/12/13 11:07:27.467410,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 11:07:27 brc40684 smbd[1944]:   _netr_ServerAuthenticate3: 
netlogon_creds_server_check failed. Rejecting auth request from client 
 machine account $
Dec 13 11:09:20 brc40684 smbd[1947]: [2010/12/13 11:09:20.843142,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)


END LOG

If anyone can tell me how to get rid of this error message it would be 
greatly appreciated!


Thanks.

--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com



Re: [Samba] Examples for smbldap

2010-09-01 Thread Christopher Springer
 Check the Samba-HOWTO that comes with the samba-doc package.  It has 
several good examples that should get you pointed in the right direction.


Chris

On 08/31/2010 03:16 PM, John McMonagle wrote:

What is a good reference samba pdc with smbldap?

Originally used Samba-3 by Example but do not know if that is still current.
My current samba domain controllers that were set up about 5 years ago are
still broken after doing a lot of fixes.  Looks like there have been some
changes since I first set up and like to compare what I have to reference.
In case it matters, running debian lenny
samba 3.2.5-4
smbldap 0.9.4-1
slapd  2.4.11-1

John


--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com



Re: [Samba] New PDC

2010-08-31 Thread Christopher Springer
 The basic concept here is making sure that the SID and RID's are the 
same on the new Samba PDC as on the old PDC.  After you migrate that 
information using net setlocalsid and net setdomainsid it is 
possible to go into the passdb backend (in our case LDAP) and manually 
modify the users to match their old NT id (I believe they call the last 
4 digits the RID).  You can find the users' ID's in the Windows registry 
in the key for their respective profile.  This will allow you to join 
the new domain without any of the profiles being re-created.


I know this works because I've just done the same thing.  However, I 
could not get net rpc vampire to work on our old domain controllers.


Chris

On 08/31/2010 04:47 AM, Daniel Müller wrote:

Look at,

net RPC VAMPIRE
Export users, aliases and groups from remote server to local server. You
need to run this against the PDC, from a Samba machine joined as a BDC.

and net getlocalsid
and net setlocalsid


On Mon, 30 Aug 2010 15:11:02 -0700, Gregory A. Cain
g...@gregorycain.net  wrote:

Hi -

I'm setting up a new Samba PDC here in a 30-person architectural office.
   The current PDC is running on an older computer and hasn't been
updated in a while.

The new PDC will be Samba 3.4.0 running on Ubuntu 9.10.  We don't use
roaming profiles.

My question is this - is there a way to seamlessly migrate the
desktops to the new PDC from the old one without having to move or copy
all their profile data?  In other words, to have the desktops see the
new PDC as the old PDC?

Any information anyone can provide (the more detail the better - I don't
do this stuff every day) - would be very, very much appreciated.

Thanks in advance.

Greg


--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com



Re: [Samba] help making fileserver

2010-08-19 Thread Christopher Springer
 I have a file server that I authenticate against LDAP/Samba.  The 
smb.conf looks something like this...(which of course does not include 
the shares section of the config...)  This configuration assumes using 
nss_ldap (for getting user accounts) and POSIX ACL's for permissions 
using getfacl and setfacl.


[global]
log file = /var/log/samba/%m.log
passdb backend = ldapsam:ldap://ip address
ldap suffix = ldap suffix
ldap machine suffix = ou=Machine
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=IdMap
ldap admin dn = ldap dn to connect as
show add printer wizard = No
dns proxy = No
cups options = raw
server string = File Server
password server = SERVER1 SERVER2
domain logons = no
domain master = no
workgroup = CORPDOM
printcap name = cups
security = DOMAIN
preferred master = No
max log size = 50
disable spoolss = Yes


On 08/18/2010 09:37 PM, Hernan Caffera wrote:

Hi, folks !
Perhaps somebody can help me with a little issue.
I've got a PDC with Ubuntu+Samba 3.5 +LDAP  working fine in my network.
But now I'm trying to implement a fileserver that authenticates against my domain
server.
If someone has any idea about how to do it and can give me a link or some clue
about it, I really will appreciate it!
Thank you very much for your time.





--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com


Re: [Samba] Error: You do not have permission to change your password

2010-08-19 Thread Christopher Springer
 These fields are also duplicated in the LDAP directly (see 
sambaPwdCanChange, sambaPwdMustChange, etc) and do not have any effect 
when changed in the LDAP directory.  Apparently some of them are 
deprecated.  My appeal for a reference of deprecated variables came from 
that issue.


Thanks.
--
Chris

On 08/19/2010 03:44 AM, Daniel Müller wrote:

tuepdc:~ # smbldap-useradd -?
  (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under the GPL
Usage: /usr/local/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
   -o   add the user in the organizational unit (relative to the user suffix)
   -a   is a Windows User (otherwise, Posix stuff only)
   -b   is a AIX User
   -w   is a Windows Workstation (otherwise, Posix stuff only)
   -i   is a trust account (Windows Workstation)
   -u   uid
   -g   gid
   -G   supplementary comma-separated groups
   -n   do not create a group
   -d   home
   -s   shell
   -c   gecos
   -m   creates home directory and copies /etc/skel
   -k   skeleton dir (with -m)
   -t   time. Wait 'time' seconds before exiting (when adding Windows Workstation)
   -P   ends by invoking smbldap-passwd
   -A   can change password ? 0 if no, 1 if yes
---see
   -B   must change password ? 0 if no, 1 if yes
   -C   sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
   -D   sambaHomeDrive (letter associated with home share, like 'H:')
   -E   sambaLogonScript (DOS script to execute on login)
   -F   sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
   -H   sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
   -N   surname
   -S   family name
   -M   local mailAddress (comma seperated)
   -T   mailToAddress (forward address) (comma seperated)
   -?   show this help message

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 17:00
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: AW: [Samba] Error: You do not have permission to change your
password

   Using that from the command line I'm able to change the user's
password and successfully login.  However, that didn't solve my problem
when the user tries to change their password and I receive You do not
have permission to change your password.

Thanks for your help thus far.

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:

You only changed unix-password:


tuepdc:~ # smbldap-passwd --help
(c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
the GPL
Usage: /usr/local/sbin/smbldap-passwd [options] [username]
-h, -?, --help show this help message
-s update only samba password
-u update only UNIX password

Just use smbldap-passwd USER



---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 16:28
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the
user's password because I can't login as the user now.  I do not know
how to interpret this behaviour but I'm hoping it can give you guys a
clue as to what is truly the problem here.

Thanks.
--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure

Re: [Samba] Error: You do not have permission to change your password

2010-08-19 Thread Christopher Springer
 Excellent find Daniel!  I made the following change and I'm not able 
to change passwords for my NT4 machines...


lanman auth = yes
(was previously set to lanman auth = no (default) )

Thank you all very much for your help!

Chris

On 08/19/2010 03:49 AM, Daniel Müller wrote:

Check this parameters in your global section

  With testparm -v

lanman auth = ?
ntlm auth = ?
client NTLMv2 = ?
client lanman auth = ?

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 22:12
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: AW: [Samba] Error: You do not have permission to change your
password

   Well, I have a partially working configuration now...that is to say
that it DOES work for WinXP and later but it does NOT work for WinNT4
systems (2k not tested).  I must've made a mistake in testing because
now it seems that the XP systems are able to change passwords just
fine.  For the life of me I cannot get rid of the NTLM error messages
when trying to change passwords on a WinNT4 system.  I'm also having
trouble figuring out what items in the Samba LDAP schema are still in
use and which ones should be controlled by other applications
(smbldap-usermod, pdbedit, etc).  A good reference on deprecated LDAP
entries would be greatly appreciated!  I realize I still need to change
the LDAP directory to use a separate user for replication, etc but I'm
trying to take small steps here :)

working smb.conf -

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
ldap passwd sync = yes
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No


working slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running make slapd.pem, and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs

Re: [Samba] Error: You do not have permission to change your password

2010-08-19 Thread Christopher Springer
 Oh sorry...bad typo LOL...I'm noW able to change passwords on my NT4 
machines.


Chris

On 08/19/2010 09:09 AM, Michael Wood wrote:

On 19 August 2010 15:05, Christopher Springer csprin...@brcrp.com  wrote:

  Excellent find Daniel!  I made the following change and I'm not able to
change passwords for my NT4 machines...

Did you mean you are NOW able to change passwords for your NT4
machines?  Or still not?


lanman auth = yes
(was previously set to lanman auth = no (default) )

Thank you all very much for your help!


--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com
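
A check for the two authentication-related settings that appear in this thread's smb.conf files, lanman auth = yes and ldap ssl = no, reporting the LDAP one only when the passdb backend URL points off the local host. This is an added example, not code from the thread: the sample configs are constructed from values in the posted files, and the 192.0.2.10 address and all function names are assumptions. A parameter that is absent is not reported, because its default depends on the Samba version.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed samples modelled on the smb.conf files posted in this thread.
PDC_CONF = """\
[global]
workgroup = CORPDOM
passdb backend = ldapsam:ldap://127.0.0.1
security = user
lanman auth = yes
ldap ssl = no
ldap passwd sync = yes
"""

FILESERVER_CONF = """\
[global]
workgroup = CORPDOM
security = DOMAIN
# 192.0.2.10 is a documentation address standing in for "ip address"
passdb backend = ldapsam:ldap://192.0.2.10
ldap ssl = no
; lanman auth = yes
"""

TRUE = {'yes', 'true', 'on', '1'}


def norm(name):
    """smb.conf names ignore case and whitespace: 'LanMan  Auth' == 'lanman auth'."""
    return ''.join(name.split()).lower()


def parse_global(text):
    """Return the [global] parameters as {normalised name: raw value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = norm(line[1:-1])
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[norm(key)] = value.strip()
    return params


def ldapsam_urls(backend):
    """Split 'ldapsam:"ldap://a ldap://b"' into parsed URLs."""
    if not backend.lower().startswith('ldapsam:'):
        return []
    return [urlparse(u) for u in backend[len('ldapsam:'):].strip().strip('"').split()]


def is_loopback(host):
    if host is None:               # 'ldap:///' means the local host
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:             # a name rather than an address
        return host.lower() == 'localhost'


def audit(text):
    """Return (parameter, reason) pairs for the settings discussed in the thread."""
    p = parse_global(text)
    findings = []
    for name in ('lanman auth', 'client lanman auth'):
        if p.get(norm(name), '').lower() in TRUE:
            findings.append((name, 'LANMAN hash authentication is enabled'))
    if p.get('ldapssl', '').lower() in ('no', 'off'):
        remote = [u.hostname for u in ldapsam_urls(p.get('passdbbackend', ''))
                  if u.scheme == 'ldap' and not is_loopback(u.hostname)]
        if remote:
            findings.append(('ldap ssl', 'admin bind and password hashes cross '
                             'the network unencrypted to ' + ', '.join(remote)))
    return findings


if __name__ == '__main__':
    for label, conf in (('PDC', PDC_CONF), ('file server', FILESERVER_CONF)):
        for param, reason in audit(conf):
            print(f'{label}: {param}: {reason}')
```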



[Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.

2010-08-19 Thread Christopher Springer
 My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP 
configuration.  Everything works fine on both subnets but I'm getting 
the following error in /var/log/messages and in /var/log/samba/log.smbd...


_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting 
auth request from client XXX30874 machine account XXX30874$


This message seems to be repeated every time someone logs into their 
machine or when the machine has to contact the server for authentication 
purposes.  I have not had a chance to go through all of the logs and 
verify what OS's are the offenders but it appears that a lot of them are 
old WindowsNT4 machines.


Please note that the only server on the subnet in question is the BDC.  
It has a local, replicated LDAP directory against which logins are 
authenticated.  nmbd/wins is used for host name/netbios visibility.


Any ideas to getting rid of this error in the log file?  Again, it 
appears that access to files is working fine...it's just an annoyance 
because I don't understand why it's happening.


Thanks.

Chris


[Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer
 I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend 
and do the following...


1.  Login as user on Windows system using domain user name and password 
- Login successful

2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your password.

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be 
duplicated from Windows XP clients.


My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM

#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-2
idmap gid = 15000-2
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No
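
An added example, not part of the original post or of Samba: a parser for the `log.smbd` record layout quoted above (a bracketed timestamp and level, a `file:line(function)` location that mail wrapping may push onto the next line, then the message text). It pairs each NTLMSSP signature failure with the RPC status logged right after it and counts the `netlogon_creds_server_check` rejections reported elsewhere in this archive per machine account. The sample log is constructed from lines in the thread; the netlogon record's timestamp and source location are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample built from the log lines quoted in this thread. The first
# record keeps the mail-wrapped header; the last record's timestamp and
# "placeholder.c:0" location are placeholders (the thread shows only its text).
SAMPLE_LOG = """\
[2010/08/17 16:13:53.884482,  0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)

  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
[2010/08/19 09:00:00.000000,  0] placeholder.c:0(_netr_ServerAuthenticate2)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
  auth request from client XXX30874 machine account XXX30874$
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")
STATUS = re.compile(r"error was (NT_STATUS_\w+)")
NETLOGON = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                      r"from client (\S+) machine account (\S+)")


def parse_records(text):
    """Split smbd log text into records: time, level, where, func, msg."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                   "level": int(m.group(2)), "where": None, "func": None, "msg": []}
            records.append(cur)
            line = m.group(3)      # location, or empty when the header wrapped
        if cur is None or not line:
            continue
        loc = LOCATION.match(line)
        if loc and cur["func"] is None and not cur["msg"]:
            cur["where"] = f"{loc.group(1)}:{loc.group(2)}"
            cur["func"] = loc.group(3)
        else:
            cur["msg"].append(line)
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])   # re-join wrapped message lines
    return records


def summarize(text, window=timedelta(seconds=1)):
    """Correlate signature failures with RPC statuses; count netlogon rejects."""
    records = parse_records(text)
    statuses = []
    for rec in records:
        m = STATUS.search(rec["msg"])
        if m and rec["func"] == "process_request_pdu":
            statuses.append((rec["time"], m.group(1)))
    rejected_rpc = []
    for rec in records:
        if rec["func"] == "ntlmssp_check_packet" and "invalid signature" in rec["msg"]:
            # First status logged at or after the failure, inside the window.
            status = next((s for t, s in statuses
                           if timedelta(0) <= t - rec["time"] <= window), None)
            rejected_rpc.append((rec["time"], status))
    machines = Counter()
    for rec in records:
        m = NETLOGON.search(rec["msg"])
        if m:
            machines[m.group(2)] += 1
    return {"records": len(records),
            "rejected_rpc": rejected_rpc,
            "netlogon_rejects": machines}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for when, status in report["rejected_rpc"]:
        print(f"{when} signed RPC request rejected: {status}")
    for account, count in report["netlogon_rejects"].items():
        print(f"{account}: {count} netlogon rejection(s)")
```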


Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer

 Results of testing as requested -

[r...@localhost ~]# smbldap-passwd kennyz
Changing UNIX and samba passwords for kennyz
New password: enter pass
Retype new password: enter pass

No errors returned.  User is able to login with new password.

Commented out unix password sync = yes.  Still same result...You do 
not have permission to change your password.


Thank you for your help!  We'll keep trying...

Chris

On 08/18/2010 09:48 AM, Gaiseric Vandal wrote:
I am pretty sure that the password command and script is run as root, 
not as the user changing the password.  What happens if you run the 
password commands on the samba server?   I don't have smbldap tools on 
my system (Solaris, so not provided by the Sun distro) so I had to 
rely on the OS password tools.   By default, root is not going to have 
sufficient privileges to change ldap passwords.


If you don't enable password sync, are you able to change your Windows 
password?



On 08/18/2010 08:49 AM, Christopher Springer wrote:
 I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend 
and do the following...


1.  Login as user on Windows system using domain user name and 
password - Login successful

2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your 
password.


I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be 
duplicated from Windows XP clients.


My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM

#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-2
idmap gid = 15000-2
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No




--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com



Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer
 After changing these lines my smb.conf now looks like the following 
(just including this so we're clear on the changes I've made thus far)


[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM

#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
ldap passwd sync = yes
#unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
#passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-2
idmap gid = 15000-2
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No


I still receive the same error when trying to change the user password 
on the Windows system.


Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password.  What happens if you run the
password commands on the samba server?   I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools.   By default, root is not going to have
sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?


On 08/18/2010 08:49 AM, Christopher Springer wrote:

  I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
and do the following...

1.  Login as user on Windows system using domain user name and
password - Login successful
2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your
password.

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
   NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
   process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be
duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security

Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer

 I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the 
user's password because I can't login as the user now.  I do not know 
how to interpret this behaviour but I'm hoping it can give you guys a 
clue as to what is truly the problem here.


Thanks.
--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password.  What happens if you run the
password commands on the samba server?   I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools.   By default, root is not going to have
sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?


On 08/18/2010 08:49 AM, Christopher Springer wrote:

  I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
and do the following...

1.  Login as user on Windows system using domain user name and
password - Login successful
2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your
password.

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
   NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
   process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be
duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
#remote browse sync = 10.20.255.255 10.30.255.255
#remote announce = 10.30.255.255
#remote browse sync = 10.30.255.255
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 15000-2
idmap gid = 15000-2
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No


--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber  Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com



Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer
 Using that from the command line I'm able to change the user's 
password and successfully login.  However, that didn't solve my problem 
when the user tries to change their password and I receive You do not 
have permission to change your password.


Thanks for your help thus far.

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:

You only changed unix-password:


tuepdc:~ # smbldap-passwd --help
(c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
the GPL
Usage: /usr/local/sbin/smbldap-passwd [options] [username]
   -h, -?, --help show this help message
   -s update only samba password
   -u update only UNIX password

Just use smbldap-passwd USER



---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 16:28
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

   I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the
user's password because I can't login as the user now.  I do not know
how to interpret this behaviour but I'm hoping it can give you guys a
clue as to what is truly the problem here.

Thanks.
--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password.  What happens if you run the
password commands on the samba server?   I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools.   By default, root is not going to have
sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?


On 08/18/2010 08:49 AM, Christopher Springer wrote:

   I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
and do the following...

1.  Login as user on Windows system using domain user name and
password - Login successful
2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your
password.

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be
duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
#remote announce = 10.30.0.254/CORPDOM 10.20.255.255

Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer
 I've done some additional testing via ldapmodify and found that I can 
login as the LDAP user and the user has permission to change his/her own 
password hash.  Does Samba bind to the LDAP directory as the user that 
is changing the password or as the user as defined by ldap admin dn?


Any other thoughts on this issue?

Thanks all for your help!

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:

You only changed unix-password:


tuepdc:~ # smbldap-passwd --help
(c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
the GPL
Usage: /usr/local/sbin/smbldap-passwd [options] [username]
   -h, -?, --help show this help message
   -s update only samba password
   -u update only UNIX password

Just use smbldap-passwd USER



---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 16:28
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

   I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the
user's password because I can't login as the user now.  I do not know
how to interpret this behaviour but I'm hoping it can give you guys a
clue as to what is truly the problem here.

Thanks.
--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password.  What happens if you run the
password commands on the samba server?   I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools.   By default, root is not going to have
sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?


On 08/18/2010 08:49 AM, Christopher Springer wrote:

   I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
and do the following...

1.  Login as user on Windows system using domain user name and
password - Login successful
2.  Press Ctrl-Alt-Del
3.  Press Change Password
4.  Enter old and new password as prompted
5.  Receive response You do not have permission to change your
password.

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482,  0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system.  The issue can also be
duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb

Re: [Samba] Error: You do not have permission to change your password

2010-08-18 Thread Christopher Springer
!

###
# ldbm and/or bdb database definitions
###

database bdb
suffix dc=brcrp,dc=com
checkpoint 1024 15
rootdn cn=Manager,dc=brcrp,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw *omitted*
#rootpw{SSHA}5v9AquZvm/9fhFMcetO072dGd2BX8C5Q

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass   eq,pres
index ou,cn,mail,surname,givenname  eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example@example.com
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# enable monitoring
# database monitor

# allow only rootdn to read the monitor
#access to *
#by dn.exact=cn=Manager,dc=brcrp,dc=com write
#by * none
access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
    by dn=cn=Manager,dc=brcrp,dc=com write
    by self write
    by anonymous auth
    by * none
access to *
    by * read
#access to *
#by * write

I have this server also acting as the WINS server for our multi-site 
environment over VPN.  It seems to work pretty well.  Setup is PDC w/BDC 
(both LDAP) at corporate with remote BDC (replicated LDAP) and DHCP 
server with netbios-name-server option.


Again, thanks all for your help!

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:

You only changed unix-password:


tuepdc:~ # smbldap-passwd --help
(c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
the GPL
Usage: /usr/local/sbin/smbldap-passwd [options] [username]
   -h, -?, --help show this help message
   -s update only samba password
   -u update only UNIX password

Just use smbldap-passwd USER



---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 16:28
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

   I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the
user's password because I can't login as the user now.  I do not know
how to interpret this behaviour but I'm hoping it can give you guys a
clue as to what is truly the problem here.

Thanks.
--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:

You need
ldap passwd sync = yes
no  unix password sync = yes

Then try to change it on your linux box.
---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Wednesday, 18 August 2010 15:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password.  What happens if you run the
password commands on the samba server?   I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools.   By default, root is not going to have
sufficient privileges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?


On 08/18/2010 08:49 AM, Christopher Springer wrote:

   I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
and do the following...

1.  Login as user on Windows system using domain user name and
password - Login