[Samba] ERRNO=Operation not permitted in Logs
I'm receiving the following errors in my system logs...

Log
Jan 24 11:25:06 localhost nmbd[1276]: [2011/01/24 11:25:06.840799, 0] libsmb/nmblib.c:839(send_udp)
Jan 24 11:25:06 localhost nmbd[1276]:   Packet send failed to 10.40.0.124(138) ERRNO=Operation not permitted
Jan 24 14:01:59 localhost nmbd[1276]: [2011/01/24 14:01:58.622688, 0] libsmb/nmblib.c:839(send_udp)
Jan 24 14:01:59 localhost nmbd[1276]:   Packet send failed to 10.40.0.58(138) ERRNO=Operation not permitted
Jan 25 04:47:53 localhost nmbd[1276]: [2011/01/25 04:47:53.176812, 0] libsmb/nmblib.c:839(send_udp)
Jan 25 04:47:53 localhost nmbd[1276]:   Packet send failed to 10.40.0.42(138) ERRNO=Operation not permitted
/Log

This is on a Samba BDC on a remote subnet (PI-VPN) from the PDC, both with an LDAP backend. The LDAP directory is replicated to the remote server via syncrepl. Everything appears to be working fine but I'm curious what would be causing these errors to occur at random. Any ideas are greatly appreciated.

-- 
Christopher Springer
IS/IT Systems Administrator
csprin...@brcrp.com

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ERRNO=Operation not permitted in Logs
I verified that the Windows XP firewall and our anti-virus/anti-malware are not blocking any of the traffic. Are there any other possibilities/reasons this error might occur in the log?

Thanks for the insight!

-- 
Christopher Springer
IS/IT Systems Administrator
csprin...@brcrp.com

On 01/25/2011 09:32 AM, Volker Lendecke wrote:
> On Tue, Jan 25, 2011 at 09:11:01AM -0500, Christopher Springer wrote:
>> I'm receiving the following errors in my system logs...
>>
>> Log
>> Jan 24 11:25:06 localhost nmbd[1276]: [2011/01/24 11:25:06.840799, 0] libsmb/nmblib.c:839(send_udp)
>> Jan 24 11:25:06 localhost nmbd[1276]:   Packet send failed to 10.40.0.124(138) ERRNO=Operation not permitted
>> Jan 24 14:01:59 localhost nmbd[1276]: [2011/01/24 14:01:58.622688, 0] libsmb/nmblib.c:839(send_udp)
>> Jan 24 14:01:59 localhost nmbd[1276]:   Packet send failed to 10.40.0.58(138) ERRNO=Operation not permitted
>> Jan 25 04:47:53 localhost nmbd[1276]: [2011/01/25 04:47:53.176812, 0] libsmb/nmblib.c:839(send_udp)
>> Jan 25 04:47:53 localhost nmbd[1276]:   Packet send failed to 10.40.0.42(138) ERRNO=Operation not permitted
>> /Log
>
> Firewall?
>
> Volker
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
I've finally found the solution (or at least in my case) to this problem. After looking at the logs for LDAP (slapd) I found that every time a system on the domain tried to update its associated account information in the database I would receive the following error:

RESULT tag=103 err=53 text=shadow context; no update referral

This led me to find that the account information in LDAP was not being updated...however the machine's domain user accounts would still be able to login so it wasn't a major issue...just EXTREMELY annoying.

I added the following line in my slapd.conf file to tell the slapd daemon where to send its updates since it's a read-only local authentication server at the remote plants:

updateref ldap://xxx.xxx.xxx.xxx

The remote server now sends the account database updates to the central master server and eventually replicates those changes back down to the remote sites...and thus eliminates the annoying error message that I was receiving in my samba and system logs.

Just for reference, the original error was something similar to the following...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

or

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

Thanks all! I hope this helps someone else.

Chris

On 08/19/2010 03:29 PM, Christopher Springer wrote:
> My configuration is a multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...
>
> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
>
> This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify which OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.
>
> Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.
>
> Any ideas on getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.
>
> Thanks.
>
> Chris
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
        by dn=cn=Manager,dc=example,dc=com write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
#access to *
#       by * write

smb.conf - Master Server -

[global]
        log level = 1
        workgroup = DOMAIN
        netbios name = SYSNAME
        passdb backend = ldapsam:ldap://127.0.0.1
        username map = /etc/samba/smbusers
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon script = scripts/%U.bat
        logon path =
        logon drive =
        security = user
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        smb ports = 139
        lanman auth = yes
        ldap suffix = dc=example,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap ssl = no
        ldap passwd sync = yes
        printing = cups

[netlogon]
        comment = Network Logon Service
        path = /pub
        guest ok = Yes
        browseable = No

My question to you is...why doesn't your PDC access your LDAP server? My configuration is a Samba domain with LDAP backend database...just FYI.

Chris

On 01/12/2011 01:49 PM, Martin Hochreiter wrote:
> Hi Christopher!
>
> Thank you for that information, I very much appreciate any deeper information on that issue. Is there a chance that you give me the config of your central (major) ldap server and your smb.conf so we have the chance to compare it with our system, please?
>
> We see the same error but our PDC does directly access the main ldap server so it should not be a problem of an update reference ... It would be nice to know the versions of your system too (we use ubuntu 8.04 and Centos 5.5 with ldap 2.4.XX and Samba 3.5.6)
>
> Thank you very much!
>
> regards
> Martin
>
> On 12.01.2011 17:37, Christopher Springer wrote:
>> I've finally found the solution (or at least in my case) to this problem. After looking at the logs for LDAP (slapd) I found that every time a system on the domain tried to update its associated account information in the database I would receive the following error:
>>
>> RESULT tag=103 err=53 text=shadow context; no update referral
>>
>> This led me to find that the account information in LDAP was not being updated...however the machine's domain user accounts would still be able to login so it wasn't a major issue...just EXTREMELY annoying.
>>
>> I added the following line in my slapd.conf file to tell the slapd daemon where to send its updates since it's a read-only local authentication server at the remote plants:
>>
>> updateref ldap://xxx.xxx.xxx.xxx
>>
>> The remote server now sends the account database updates to the central master server and eventually replicates those changes back down to the remote sites...and thus eliminates the annoying error message that I was receiving in my samba and system logs.
>>
>> Just for reference, the original error was something similar to the following...
>>
>> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
>>
>> or
>>
>> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
>>
>> Thanks all! I hope this helps someone else.
>>
>> Chris
>>
>> On 08/19/2010 03:29 PM, Christopher Springer wrote:
>>> My configuration is a multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...
>>>
>>> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
>>>
>>> This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify which OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.
>>>
>>> Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.
>>>
>>> Any ideas on getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.
>>>
>>> Thanks.
>>>
>>> Chris
Re: [Samba] Multinetwork environment without WINS server
If you use DHCP on your network the following directive (on a Linux server running dhcpd) will automatically distribute the WINS information:

option netbios-name-servers XXX.XXX.XXX.XXX;

This is the easiest way I've found to handle the Netbios situation with Samba in a multi-site environment. We have 6 sites total and it has worked flawlessly since the time I installed it.

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com

On 12/22/2010 09:24 PM, TAKAHASHI Motonobu wrote:
> 2010/12/23 t...@tms3.com:
>
> Is there any way to use samba as pdc in multinetwork environment without WINS server? In this case (without wins), how will computers find pdc?
>
> --
>
> Sure...LMHosts files on all the workstations. Kinda messy.
>
> Refer to the KB150800: Domain Browsing with TCP/IP and LMHOSTS Files
> http://support.microsoft.com/kb/150800/en-us
> where you will find how to setup your LMHOSTS files. You will use shared LMHOSTS file using #INCLUDE method:
> KB102725 http://support.microsoft.com/kb/102725/en-us
>
> You could allow the NETBios traffic to run wild on your network...with local workstations becoming local browse masters. All kinda messy.
>
> WINS can not reduce the traffic about NetBIOS browsing, which always uses broadcasts regardless of WINS. But WINS can reduce the traffic about NetBIOS name resolution, using unicast to WINS servers instead of broadcasts.
>
> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] Logs Filling With Errors - Login Working Fine
Hello All:

Could someone please explain if the following log output is normal for my setup (see below)?

Setup is WAN-based Samba/LDAP domain with Samba PDC and master LDAP at corporate location. 6 Samba/LDAP BDC's with 1 at same location as PDC and then 1 at each remote site connected via WAN. NetBIOS information communicated via WINS server on corporate PDC over VPN. LDAP directory is replicated using syncrepl module. Clients are XP and Windows 7.

smbstatus --version:
Version 3.5.4-63.fc13

rpm -qa | grep openldap:
openldap-2.4.21-10.fc13.i686
openldap-devel-2.4.21-10.fc13.i686
openldap-servers-2.4.21-10.fc13.i686
openldap-clients-2.4.21-10.fc13.i686

Global section of smb.conf (from one of the servers in question - Remote BDC):

[global]
        workgroup = XX
        netbios name = XX
        passdb backend = ldapsam:ldap://127.0.0.1
        username map = /etc/samba/smbusers
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon script = scripts/%U.bat
        logon path =
        logon drive =
        security = user
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = No
        lanman auth = Yes
        wins server = XXX.XXX.XXX.XXX
        smb ports = 139
        ldap suffix = dc=x,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=brcrp,dc=com
        ldap ssl = no
        ldap passwd sync = yes
        printing = cups

BEGIN LOG
Dec 13 10:52:27 brc40684 smbd[1908]: [2010/12/13 10:52:27.451195, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:52:27 brc40684 smbd[1908]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Dec 13 10:54:20 brc40684 smbd[1912]: [2010/12/13 10:54:20.641430, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:54:20 brc40684 smbd[1912]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Dec 13 10:56:06 brc40684 smbd[1917]: [2010/12/13 10:56:06.112343, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:56:06 brc40684 smbd[1917]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Dec 13 11:07:27 brc40684 smbd[1944]: [2010/12/13 11:07:27.467410, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 11:07:27 brc40684 smbd[1944]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Dec 13 11:09:20 brc40684 smbd[1947]: [2010/12/13 11:09:20.843142, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
END LOG

If anyone can tell me how to get rid of this error message it would be greatly appreciated! Thanks.

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com
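Both failure signatures on this page (the nmbd "Packet send failed ... ERRNO=Operation not permitted" lines in the first thread at the top, and the smbd "netlogon_creds_server_check failed" lines in the log just above) use Samba's two-line debug format: a header line `[date time, level] file:line(function)` followed by the message text on the next syslog line, so grepping the message loses the source location and grepping the header loses the text. The script below is an added example, not code from the thread or from the Samba project: it joins each header with its message line (keyed by daemon pid, so concurrent smbd children do not get mixed up), tallies send failures per destination/errno and credential rejections per machine account, and counts the slapd "err=53 ... no update referral" results that the follow-up in the second thread identified as the cause. The log lines embedded in it are constructed in the posted format; the hostnames, pids and account names in them are made up.

```python
"""Join Samba's two-line debug records from syslog and tally the two failure
signatures discussed in these threads.  Added example, not code from the
thread or from Samba; the sample lines are constructed in the posted format."""
import re
import sys
from collections import Counter

# syslog prefix:  "Dec 13 10:52:27 bdc1 smbd[1908]: <body>"
SYSLOG_RE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<daemon>nmbd|smbd|winbindd)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# Samba debug header:  "[2010/12/13 10:52:27.451195, 0] file.c:714(function)"
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+), +(?P<level>\d+)\] '
    r'(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$')
SEND_RE = re.compile(
    r'Packet send failed to (?P<ip>[\d.]+)\((?P<port>\d+)\) ERRNO=(?P<errno>.+)$')
NETLOGON_RE = re.compile(
    r'netlogon_creds_server_check failed\. Rejecting auth request from client '
    r'(?P<client>\S*) ?machine account (?P<acct>\S*)')
# slapd's answer to a write on a read-only syncrepl consumer that has no updateref
SLAPD_NOREF_RE = re.compile(r'RESULT tag=103 err=53 text=shadow context; no update referral')


def samba_records(lines):
    """Yield one dict per Samba debug record: the header fields plus 'msg'.

    Header and message arrive as two syslog lines; they are joined by daemon pid.
    A message line with no pending header for its pid is dropped."""
    pending = {}
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip())
        if not m:
            continue
        body = m.group('body').strip()
        h = HEADER_RE.match(body)
        if h:
            pending[m.group('pid')] = dict(h.groupdict(), daemon=m.group('daemon'),
                                           pid=m.group('pid'), stamp=m.group('stamp'))
            continue
        hdr = pending.pop(m.group('pid'), None)
        if hdr is not None:
            yield dict(hdr, msg=body)


def summarise(lines):
    """Tally send_udp failures per (ip, port, errno) and netlogon credential
    rejections per machine account.  Plain dicts, so two runs can be diffed."""
    sends, rejects = Counter(), Counter()
    for rec in samba_records(lines):
        if rec['func'] == 'send_udp':
            s = SEND_RE.search(rec['msg'])
            if s:
                sends[(s.group('ip'), int(s.group('port')), s.group('errno'))] += 1
        elif rec['func'].startswith('_netr_ServerAuthenticate'):
            n = NETLOGON_RE.search(rec['msg'])
            if n:
                rejects[n.group('acct') or '(unnamed)'] += 1
    return {'send_failures': dict(sends), 'netlogon_rejects': dict(rejects)}


def count_update_referral_errors(slapd_lines):
    """Count err=53 'no update referral' results: writes a read-only consumer
    refused because slapd.conf gives it no updateref to hand back to the client."""
    return sum(1 for l in slapd_lines if SLAPD_NOREF_RE.search(l))


# Constructed sample input in the posted format (hosts, pids and accounts made up).
# The two smbd headers arrive before either message line, to exercise the pid join.
SAMPLE_SYSLOG = """\
Jan 24 11:25:06 localhost nmbd[1276]: [2011/01/24 11:25:06.840799, 0] libsmb/nmblib.c:839(send_udp)
Jan 24 11:25:06 localhost nmbd[1276]:   Packet send failed to 10.40.0.124(138) ERRNO=Operation not permitted
Jan 24 14:01:59 localhost nmbd[1276]: [2011/01/24 14:01:58.622688, 0] libsmb/nmblib.c:839(send_udp)
Jan 24 14:01:59 localhost nmbd[1276]:   Packet send failed to 10.40.0.124(138) ERRNO=Operation not permitted
Dec 13 10:52:27 bdc1 smbd[1908]: [2010/12/13 10:52:27.451195, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:52:27 bdc1 smbd[1912]: [2010/12/13 10:52:27.600000, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:52:28 bdc1 smbd[1908]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS30874 machine account WS30874$
Dec 13 10:52:28 bdc1 smbd[1912]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Dec 13 10:54:20 bdc1 smbd[1908]: [2010/12/13 10:54:20.641430, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Dec 13 10:54:20 bdc1 smbd[1908]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS30874 machine account WS30874$
Dec 13 10:56:06 bdc1 smbd[1917]:   orphan message line with no header, ignored
"""
SAMPLE_SLAPD = """\
Dec 13 10:52:27 bdc1 slapd[1200]: conn=1031 op=3 MOD dn="sambaDomainName=CORPDOM,dc=example,dc=com"
Dec 13 10:52:27 bdc1 slapd[1200]: conn=1031 op=3 RESULT tag=103 err=53 text=shadow context; no update referral
Dec 13 10:52:28 bdc1 slapd[1200]: conn=1031 op=4 RESULT tag=103 err=0 text=
"""

if __name__ == '__main__':
    # usage: python samba_log_tally.py /var/log/messages   (no argument: the sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSLOG.splitlines()
    print(summarise(lines))
```

Two practitioner points the tallies make visible. ERRNO=Operation not permitted (EPERM) from a UDP send is raised on the sending host before the datagram leaves it, typically by a netfilter rule in the OUTPUT chain, so the place to look is the BDC itself (iptables -S OUTPUT) rather than the Windows clients' firewalls that the first thread checked. And a netlogon_creds_server_check failure means the secret the client used for its secure channel did not match the machine account password the server holds; the second thread's own diagnosis was that account updates submitted to the read-only consumer were being refused (the err=53 lines) until updateref made slapd hand them to the master, and lining the two counts up by timestamp is the cheap way to confirm that before touching the directory configuration.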
Re: [Samba] Examples for smbldap
Check the Samba-HOWTO that comes with the samba-doc package. It has several good examples that should get you pointed in the right direction.

Chris

On 08/31/2010 03:16 PM, John McMonagle wrote:
> What is a good reference samba pdc with smbldap?
> Originally used Samba-3 by Example but do not know if that is still current.
> My current samba domain controllers that were set up about 5 years ago are still broken after doing a lot of fixes.
> Looks like there have been some changes since I first set up and like to compare what I have to reference.
>
> In case it matters running debian lenny
> samba 3.2.5-4
> smbldap 0.9.4-1
> slapd 2.4.11-1
>
> John

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com
Re: [Samba] New PDC
The basic concept here is making sure that the SID and RID's are the same on the new Samba PDC as on the old PDC. After you migrate that information using net setlocalsid and net setdomainsid it is possible to go into the passdb backend (in our case LDAP) and manually modify the users to match their old NT id (I believe they call the last 4 digits the RID). You can find the users' ID's in the Windows registry in the key for their respective profile. This will allow you to join the new domain without any of the profiles being re-created. I know this works because I've just done the same thing. However, I could not get net rpc vampire to work on our old domain controllers.

Chris

On 08/31/2010 04:47 AM, Daniel Müller wrote:
> Look at, net RPC VAMPIRE
> Export users, aliases and groups from remote server to local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
>
> and net getlocalsid and net setlocalsid
>
> On Mon, 30 Aug 2010 15:11:02 -0700, Gregory A. Cain g...@gregorycain.net wrote:
>> Hi -
>>
>> I'm setting up a new Samba PDC here in a 30-person architectural office. The current PDC is running on an older computer and hasn't been updated in a while. The new PDC will be Samba 3.4.0 running on Ubuntu 9.10. We don't use roaming profiles.
>>
>> My question is this - is there a way to seamlessly migrate the desktops to the new PDC from the old one without having to move or copy all their profile data? In other words, to have the desktops see the new PDC as the old PDC?
>>
>> Any information anyone can provide (the more detail the better - I don't do this stuff every day) - would be very, very much appreciated.
>>
>> Thanks in advance.
>>
>> Greg

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
Office: 260-693-2171 x389
Cell: 260-750-2929
csprin...@brcrp.com
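A worked check for the SID/RID point in the reply above, added here as an example (not from the thread or from Samba). After net setlocalsid / net setdomainsid, every sambaSID in the passdb has to be the new domain SID followed by the account's RID. A Windows SID has the form S-1-5-21-a-b-c-RID: the three sub-authorities after 21 identify the domain and the final one is the RID, whatever its number of digits, so an account carried over with the old PDC's prefix is a different principal as far as Windows is concerned and its profile will not be matched. The script parses SIDs, splits off the RID, and walks an LDIF export for entries with a foreign domain prefix, duplicate RIDs, or unparsable values. The LDIF below is constructed and every SID and name in it is made up.

```python
"""Audit sambaSID values in a passdb LDIF export against the domain SID a new
PDC has been given.  Added example, not from the thread or from Samba; the
LDIF below is constructed and the SIDs in it are made up."""
import re

# S-<revision>-<identifier authority>-<sub-authority>...; NT domains are 5-21-a-b-c
SID_RE = re.compile(r'^S-1-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$')


def parse_sid(sid):
    """Return (domain_sid, rid) for an NT domain SID.

    'S-1-5-21-a-b-c' is a domain SID and yields rid None; 'S-1-5-21-a-b-c-R'
    yields ('S-1-5-21-a-b-c', R).  Anything else (BUILTIN S-1-5-32-..., well-known
    S-1-1-0, garbage) raises ValueError so a caller cannot silently accept it."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError('not a SID: %r' % sid)
    subs = [int(x) for x in m.group('subs').split('-')[1:]]
    if m.group('auth') != '5' or subs[0] != 21:
        raise ValueError('not an NT domain SID: %r' % sid)
    if len(subs) == 4:
        return sid, None
    if len(subs) == 5:
        return sid.rsplit('-', 1)[0], subs[4]
    raise ValueError('unexpected sub-authority count in %r' % sid)


def ldif_entries(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists.  Continuation lines
    and base64 ('::') values are not needed for sambaSID and are not handled."""
    entry = {}
    for line in text.splitlines() + ['']:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(':')
        entry.setdefault(attr.strip(), []).append(value.strip())


def audit_sids(ldif_text, domain_sid):
    """Return [(dn, problem)] for every entry whose sambaSID is not
    <domain_sid>-<unique RID>.  The domain object itself (rid None) is allowed."""
    expected, rid = parse_sid(domain_sid)
    if rid is not None:
        raise ValueError('%r is an account SID, not a domain SID' % domain_sid)
    seen, problems = {}, []
    for e in ldif_entries(ldif_text):
        dn = e.get('dn', ['?'])[0]
        for sid in e.get('sambaSID', []):
            try:
                dom, rid = parse_sid(sid)
            except ValueError as err:
                problems.append((dn, str(err)))
                continue
            if dom != expected:
                problems.append((dn, 'foreign domain SID %s' % dom))
            elif rid is None:
                continue
            elif rid in seen:
                problems.append((dn, 'RID %d already used by %s' % (rid, seen[rid])))
            else:
                seen[rid] = dn
    return problems


# Constructed sample: the domain object, two good accounts, one carried over from
# the old PDC with its old prefix, one RID collision, and one unparsable value.
SAMPLE_LDIF = """\
dn: sambaDomainName=CORPDOM,dc=example,dc=com
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=alice,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-1111-2222-3333-3002

dn: uid=bob,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-9999-8888-7777-3004

dn: uid=carol,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-1111-2222-3333-3002

dn: uid=ws01$,ou=Computers,dc=example,dc=com
sambaSID: S-1-5-21-1111-2222-3333-4006

dn: uid=ws02$,ou=Computers,dc=example,dc=com
sambaSID: bogus
"""

if __name__ == '__main__':
    for dn, problem in audit_sids(SAMPLE_LDIF, 'S-1-5-21-1111-2222-3333'):
        print('%-45s %s' % (dn, problem))
```

Run it against the output of an ldapsearch over the Samba suffix (or a pdbedit -L -v export massaged into the same shape) before the first client is joined; a foreign prefix is the case the reply above fixes by hand, and a duplicate RID is the one that turns two people into the same Windows principal.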
Re: [Samba] help making fileserver
I have a file server that I authenticate against LDAP/Samba. The smb.conf looks something like this...(which of course does not include the shares section of the config...)

This configuration assumes using nss_ldap (for getting user accounts) and POSIX ACL's for permissions using getfacl and setfacl.

[global]
        log file = /var/log/samba/%m.log
        passdb backend = ldapsam:ldap://ip address
        ldap suffix = ldap suffix
        ldap machine suffix = ou=Machine
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=IdMap
        ldap admin dn = ldap dn to connect as
        show add printer wizard = No
        dns proxy = No
        cups options = raw
        server string = File Server
        password server = SERVER1 SERVER2
        domain logons = no
        domain master = no
        workgroup = CORPDOM
        printcap name = cups
        security = DOMAIN
        preferred master = No
        max log size = 50
        disable spoolss = Yes

On 08/18/2010 09:37 PM, Hernan Caffera wrote:
> Hi, folks!
>
> Perhaps somebody can help me with a little issue. I've got a PDC with Ubuntu+Samba 3.5+LDAP working fine in my network. But now I'm trying to implement a fileserver that authenticates against my domain server. If someone has any idea about how to do it and can give me a link or some clue about it, I really will appreciate it!
>
> Thank you very much for your time.

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com
Re: [Samba] Error: You do not have permission to change your password
These fields are also duplicated in the LDAP directory (see sambaPwdCanChange, sambaPwdMustChange, etc) and do not have any effect when changed in the LDAP directory. Apparently some of them are deprecated. My appeal for a reference of deprecated variables came from that issue.

Thanks.

-- 
Chris

On 08/19/2010 03:44 AM, Daniel Müller wrote:
> tuepdc:~ # smbldap-useradd -?
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com) - Licensed under the GPL
> Usage: /usr/local/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
>   -o   add the user in the organizational unit (relative to the user suffix)
>   -a   is a Windows User (otherwise, Posix stuff only)
>   -b   is a AIX User
>   -w   is a Windows Workstation (otherwise, Posix stuff only)
>   -i   is a trust account (Windows Workstation)
>   -u   uid
>   -g   gid
>   -G   supplementary comma-separated groups
>   -n   do not create a group
>   -d   home
>   -s   shell
>   -c   gecos
>   -m   creates home directory and copies /etc/skel
>   -k   skeleton dir (with -m)
>   -t   time. Wait 'time' seconds before exiting (when adding Windows Workstation)
>   -P   ends by invoking smbldap-passwd
>   -A   can change password ? 0 if no, 1 if yes      <--- see
>   -B   must change password ? 0 if no, 1 if yes
>   -C   sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
>   -D   sambaHomeDrive (letter associated with home share, like 'H:')
>   -E   sambaLogonScript (DOS script to execute on login)
>   -F   sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
>   -H   sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
>   -N   surname
>   -S   family name
>   -M   local mailAddress (comma separated)
>   -T   mailToAddress (forward address) (comma separated)
>   -?   show this help message
>
> ---
> IT
> Daniel Müller
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
>
> -----Original Message-----
> From: Christopher Springer [mailto:csprin...@brcrp.com]
> Sent: Wednesday, 18 August 2010 17:00
> To: muel...@tropenklinik.de
> Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
> Subject: Re: AW: [Samba] Error: You do not have permission to change your password
>
>> Using that from the command line I'm able to change the user's password and successfully login. However, that didn't solve my problem when the user tries to change their password and I receive "You do not have permission to change your password."
>>
>> Thanks for your help thus far.
>>
>> Chris
>>
>> On 08/18/2010 10:47 AM, Daniel Müller wrote:
>>> You only changed unix-password:
>>>
>>> tuepdc:~ # smbldap-passwd --help
>>> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com) - Licensed under the GPL
>>> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>>>   -h, -?, --help   show this help message
>>>   -s               update only samba password
>>>   -u               update only UNIX password
>>>
>>> Just use smbldap-passwd USER
>>>
>>> ---
>>> IT
>>> Daniel Müller
>>> Head of IT
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: muel...@tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> ---
>>>
>>> -----Original Message-----
>>> From: Christopher Springer [mailto:csprin...@brcrp.com]
>>> Sent: Wednesday, 18 August 2010 16:28
>>> To: muel...@tropenklinik.de
>>> Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
>>> Subject: Re: [Samba] Error: You do not have permission to change your password
>>>
>>>> I did some additional testing...
>>>>
>>>> It turns out that I was able to change the password successfully using...
>>>>
>>>> smbldap-passwd kennyz
>>>>
>>>> But then I tried changing with the -u option as follows...
>>>>
>>>> smbldap-passwd -u kennyz
>>>>
>>>> This did not return an error but it also apparently did not change the user's password because I can't login as the user now. I do not know how to interpret this behaviour but I'm hoping it can give you guys a clue as to what is truly the problem here.
>>>>
>>>> Thanks.
>>>>
>>>> -- 
>>>> Chris
>>>>
>>>> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>>>>> You need ldap passwd sync = yes, no unix password sync = yes. Then try to change it on your linux box.
>>>>>
>>>>> ---
>>>>> IT
>>>>> Daniel Müller
>>>>> Head of IT
>>>>> Tropenklinik Paul-Lechler-Krankenhaus
>>>>> Paul-Lechler-Str. 24
>>>>> 72076 Tübingen
>>>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>>>> eMail: muel...@tropenklinik.de
>>>>> Internet: www.tropenklinik.de
>>>>> ---
>>>>>
>>>>> -----Original Message-----
>>>>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
>>>>> Sent: Wednesday, 18 August 2010 15:48
>>>>> To: samba@lists.samba.org
>>>>> Subject: Re: [Samba] Error: You do not have permission to change your password
>>>>>
>>>>>> I am pretty sure
Re: [Samba] Error: You do not have permission to change your password
Excellent find Daniel! I made the following change and I'm not able to change passwords for my NT4 machines...

lanman auth = yes (was previously set to lanman auth = no (default))

Thank you all very much for your help!

Chris

On 08/19/2010 03:49 AM, Daniel Müller wrote:
> Check these parameters in your global section with testparm -v:
>
> lanman auth = ?
> ntlm auth = ?
> client NTLMv2 = ?
> client lanman auth = ?
>
> ---
> IT
> Daniel Müller
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
>
> -----Original Message-----
> From: Christopher Springer [mailto:csprin...@brcrp.com]
> Sent: Wednesday, 18 August 2010 22:12
> To: muel...@tropenklinik.de
> Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
> Subject: Re: AW: [Samba] Error: You do not have permission to change your password
>
>> Well, I have a partially working configuration now...that is to say that it DOES work for WinXP and later but it does NOT work for WinNT4 systems (2k not tested). I must've made a mistake in testing because now it seems that the XP systems are able to change passwords just fine.
>>
>> For the life of me I cannot get rid of the NTLM error messages when trying to change passwords on a WinNT4 system. I'm also having trouble figuring out what items in the Samba LDAP schema are still in use and which ones should be controlled by other applications (smbldap-usermod, pdbedit, etc). A good reference on deprecated LDAP entries would be greatly appreciated!
>>
>> I realize I still need to change the LDAP directory to use a separate user for replication, etc but I'm trying to take small steps here :)
>>
>> working smb.conf -
>>
>> [global]
>>         log level = 1
>>         workgroup = CORPDOM
>>         netbios name = CORPPDC
>>         passdb backend = ldapsam:ldap://127.0.0.1
>>         username map = /etc/samba/smbusers
>>         printcap name = cups
>>         add user script = /usr/sbin/smbldap-useradd -m '%u'
>>         delete user script = /usr/sbin/smbldap-userdel '%u'
>>         add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>         delete group script = /usr/sbin/smbldap-groupdel '%g'
>>         add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>         delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>         add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>         logon script = scripts/%U.bat
>>         logon path =
>>         logon drive =
>>         security = user
>>         domain logons = Yes
>>         os level = 35
>>         preferred master = Yes
>>         domain master = Yes
>>         wins support = Yes
>>         smb ports = 139
>>         ldap suffix = dc=brcrp,dc=com
>>         ldap machine suffix = ou=Computers
>>         ldap user suffix = ou=People
>>         ldap group suffix = ou=Group
>>         ldap idmap suffix = ou=Idmap
>>         ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>         ldap ssl = no
>>         ldap passwd sync = yes
>>         printing = cups
>>
>> [netlogon]
>>         comment = Network Logon Service
>>         path = /pub
>>         guest ok = Yes
>>         browseable = No
>>
>> working slapd.conf
>>
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include         /etc/openldap/schema/corba.schema
>> include         /etc/openldap/schema/core.schema
>> include         /etc/openldap/schema/cosine.schema
>> include         /etc/openldap/schema/duaconf.schema
>> include         /etc/openldap/schema/dyngroup.schema
>> include         /etc/openldap/schema/inetorgperson.schema
>> include         /etc/openldap/schema/java.schema
>> include         /etc/openldap/schema/misc.schema
>> include         /etc/openldap/schema/nis.schema
>> include         /etc/openldap/schema/openldap.schema
>> include         /etc/openldap/schema/ppolicy.schema
>> include         /etc/openldap/schema/collective.schema
>> include         /etc/openldap/schema/samba.schema
>>
>> # Allow LDAPv2 client connections. This is NOT the default.
>> allow bind_v2
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral       ldap://root.openldap.org
>>
>> pidfile         /var/run/openldap/slapd.pid
>> argsfile        /var/run/openldap/slapd.args
>>
>> # Load dynamic backend modules:
>> # modulepath    /usr/lib/openldap # or /usr/lib64/openldap
>> # moduleload    accesslog.la
>> # moduleload    auditlog.la
>> # moduleload    back_sql.la
>> # moduleload    denyop.la
>> # moduleload    dyngroup.la
>> # moduleload    dynlist.la
>> # moduleload    lastmod.la
>> # moduleload    pcache.la
>> # moduleload    ppolicy.la
>> # moduleload    refint.la
>> # moduleload    retcode.la
>> # moduleload    rwm.la
>> moduleload      syncprov.la
>> # moduleload    translucent.la
>> # moduleload    unique.la
>> # moduleload    valsort.la
>>
>> # The next three lines allow use of TLS for encrypting connections using a
>> # dummy test certificate which you can generate by changing to
>> # /etc/pki/tls/certs, running make slapd.pem, and fixing permissions on
>> # slapd.pem so that the ldap user or group can read it. Your client software
>> # may balk at self-signed certificates, however.
>> # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> # TLSCertificateFile /etc/pki/tls/certs
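The fix that closed this thread (lanman auth = yes, so the NT4 clients can change their passwords) is a deliberate weakening of the PDC: it makes the server accept LanMan challenge/response, which is built on the LM hash of the upper-cased password and is weak enough that captured exchanges are routinely cracked offline. A setting like that is a reasonable conscious exception for a fleet that still contains NT4, but it should never go unnoticed in a config review, and the same goes for ldap ssl = no when the passdb backend points at a remote LDAP server (the ldap admin dn password then crosses the network in the clear on every bind). Below is an added example, not from the thread or from Samba, of a small smb.conf reader that extracts the [global] section the way testparm sees it and flags the handful of explicit authentication and transport settings a reviewer would want called out, with a weak and a hardened configuration side by side. The configurations are constructed in the shape of the thread's PDC config; 192.0.2.10 is a documentation address and the domain names are made up.

```python
"""Flag weak authentication/transport settings in an smb.conf [global] section.
Added example, not from the thread or from Samba; the configurations below are
constructed (192.0.2.10 is a documentation address, names are made up)."""
import re

LOOPBACK = {'127.0.0.1', '::1', 'localhost'}
TRUE = {'yes', 'true', '1'}
FALSE = {'no', 'false', '0'}


def parse_smbconf(text):
    """Return {section: {param: value}} with parameter names normalised the way
    Samba does (case-insensitive, whitespace collapsed).  '#' and ';' comment
    lines and blank lines are skipped; a parameter before any section is ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or '=' not in line:
            continue
        name, value = line.split('=', 1)
        conf[section][' '.join(name.lower().split())] = value.strip()
    return conf


def ldap_targets(passdb_backend):
    """(scheme, host) pairs from 'ldapsam:ldap://host' or 'ldapsam:"ldap://a ldap://b"'."""
    return re.findall(r'(ldaps?|ldapi)://\[?([^\]/:\s"]*)', passdb_backend)


def audit_smbconf(text):
    """Return [(parameter, finding)] for [global] settings that weaken
    authentication on the wire.  Only explicit settings are judged; defaults
    differ between Samba releases and are left alone."""
    g = parse_smbconf(text).get('global', {})
    val = lambda k: g.get(k, '').strip().lower()
    findings = []
    if val('lanman auth') in TRUE:
        findings.append(('lanman auth',
                         'server accepts LanMan challenge/response (LM hash, crackable offline)'))
    if val('client lanman auth') in TRUE:
        findings.append(('client lanman auth',
                         'outbound connections may fall back to LanMan responses'))
    if val('client ntlmv2 auth') in FALSE:
        findings.append(('client ntlmv2 auth',
                         'outbound connections use NTLMv1 instead of NTLMv2'))
    if val('encrypt passwords') in FALSE:
        findings.append(('encrypt passwords', 'plaintext passwords accepted on the wire'))
    if val('ldap ssl') in {'no', 'off'}:
        for scheme, host in ldap_targets(g.get('passdb backend', '')):
            if scheme == 'ldap' and host not in LOOPBACK:
                findings.append(('ldap ssl', 'ldap admin dn binds to %s without TLS' % host))
    return findings


# Constructed: the shape of the thread's PDC config, but pointed at a remote LDAP server.
WEAK = """\
[global]
        workgroup = CORPDOM
        netbios name = CORPPDC
        passdb backend = ldapsam:ldap://192.0.2.10
        security = user
        domain logons = Yes
        wins support = Yes
        smb ports = 139
        # needed so NT4 clients can change passwords (see thread)
        lanman auth = yes
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap ssl = no
        ldap passwd sync = yes

[netlogon]
        path = /pub
        guest ok = Yes
"""

HARDENED = """\
[global]
        workgroup = CORPDOM
        netbios name = CORPPDC
        passdb backend = ldapsam:ldap://192.0.2.10
        security = user
        domain logons = Yes
        lanman auth = no
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap ssl = start tls
        ldap passwd sync = yes
"""

if __name__ == '__main__':
    for name, cfg in (('weak', WEAK), ('hardened', HARDENED)):
        print(name, audit_smbconf(cfg) or 'no findings')
```

The loopback exemption matters for the configs in this thread: with passdb backend = ldapsam:ldap://127.0.0.1, ldap ssl = no never leaves the host, so only lanman auth is reported. Feed the script the output of testparm -s rather than the raw file when the config uses include = or config file = directives.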
Re: [Samba] Error: You do not have permission to change your password
Oh sorry...bad typo LOL...I'm noW able to change passwords on my NT4 machines.

Chris

On 08/19/2010 09:09 AM, Michael Wood wrote:
> On 19 August 2010 15:05, Christopher Springer csprin...@brcrp.com wrote:
>> Excellent find Daniel! I made the following change and I'm not able to change passwords for my NT4 machines...
>
> Did you mean you are NOW able to change passwords for your NT4 machines? Or still not?
>
>> lanman auth = yes (was previously set to lanman auth = no (default))
>>
>> Thank you all very much for your help!

-- 
Christopher Springer
IS/IT Systems Administrator
BRC Rubber Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com
[Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
My configuration is a multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$

This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify which OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.

Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.

Any ideas on getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.

Thanks.

Chris
[Samba] Error: You do not have permission to change your password
I'm using Samba v3.5.4-62 on Fedora 13 PDC
Using LDAP passdb backend and do the following...

1. Login as user on Windows system using domain user name and password - Login successful
2. Press Ctrl-Alt-Del
3. Press Change Password
4. Enter old and new password as prompted
5. Receive response "You do not have permission to change your password."

I receive the following repeated twice in /var/log/samba/log.smbd...

[2010/08/17 16:13:53.884482, 0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592, 0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668, 0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a WindowsNT4 system. The issue can also be duplicated from Windows XP clients.

My smb.conf file on this system (PDC):

[global]
        log level = 1
        workgroup = CORPDOM
        netbios name = CORPPDC
        passdb backend = ldapsam:ldap://127.0.0.1
        enable privileges = yes
        #encrypt passwords = yes
        username map = /etc/samba/smbusers
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon script = scripts/%U.bat
        logon path =
        logon drive =
        security = user
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        smb ports = 139
        #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
        #remote browse sync = 10.20.255.255 10.30.255.255
        #remote announce = 10.30.255.255
        #remote browse sync = 10.30.255.255
        ldap suffix = dc=brcrp,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=brcrp,dc=com
        ldap ssl = no
        #ldap passwd sync = yes
        unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
        #client lanman auth = yes
        #unix password sync = yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 15000-2
        idmap gid = 15000-2
        printing = cups

[netlogon]
        comment = Network Logon Service
        path = /pub
        guest ok = Yes
        browseable = No
Re: [Samba] Error: You do not have permission to change your password
Results of testing as requested -

[r...@localhost ~]# smbldap-passwd kennyz
Changing UNIX and samba passwords for kennyz
New password: enter pass
Retype new password: enter pass

No errors returned. User is able to login with new password.

Commented out "unix password sync = yes". Still same result... "You do not have permission to change your password."

Thank you for your help! We'll keep trying...

Chris

On 08/18/2010 09:48 AM, Gaiseric Vandal wrote:
> I am pretty sure that the password command and script is run as root, not as the user changing the password. What happens if you run the password commands on the samba server?
>
> I don't have smbldap tools on my system (Solaris, so not provided by the Sun distro) so I had to rely on the OS password tools. By default, root is not going to have sufficient privileges to change ldap passwords.
>
> If you don't enable password sync, are you able to change your Windows password?
Re: [Samba] Error: You do not have permission to change your password
After changing these lines my smb.conf now looks like the following (just including this so we're clear on the changes I've made thus far):

[global]
        log level = 1
        workgroup = CORPDOM
        netbios name = CORPPDC
        passdb backend = ldapsam:ldap://127.0.0.1
        enable privileges = yes
        #encrypt passwords = yes
        username map = /etc/samba/smbusers
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon script = scripts/%U.bat
        logon path =
        logon drive =
        security = user
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        smb ports = 139
        #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
        #remote browse sync = 10.20.255.255 10.30.255.255
        #remote announce = 10.30.255.255
        #remote browse sync = 10.30.255.255
        ldap suffix = dc=brcrp,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=brcrp,dc=com
        ldap ssl = no
        ldap passwd sync = yes
        #unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        #passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
        #client lanman auth = yes
        #unix password sync = yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 15000-2
        idmap gid = 15000-2
        printing = cups

[netlogon]
        comment = Network Logon Service
        path = /pub
        guest ok = Yes
        browseable = No

I still receive the same error when trying to change the user password on the Windows system.

Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:
> You need
>   ldap passwd sync = yes
> no
>   unix password sync = yes
> Then try to change it on your linux box.
>
> ---
> Daniel Müller
> Head of IT, Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
Re: [Samba] Error: You do not have permission to change your password
I did some additional testing... It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the user's password because I can't login as the user now. I do not know how to interpret this behaviour but I'm hoping it can give you guys a clue as to what is truly the problem here.

Thanks.

--
Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:
> You need
>   ldap passwd sync = yes
> no
>   unix password sync = yes
> Then try to change it on your linux box.
Re: [Samba] Error: You do not have permission to change your password
Using that from the command line I'm able to change the user's password and successfully login. However, that didn't solve my problem when the user tries to change their password and I receive "You do not have permission to change your password."

Thanks for your help thus far.

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:
> You only changed unix-password:
>
> tuepdc:~ # smbldap-passwd --help
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under the GPL
> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>   -h, -?, --help   show this help message
>   -s               update only samba password
>   -u               update only UNIX password
>
> Just use smbldap-passwd USER
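As an added example (not code from this thread, from Samba or from the smbldap-tools), the following Python lint parses an smb.conf the way Samba reads its key/value format and flags the password-change combinations this thread turns on: both "unix password sync" and "ldap passwd sync" enabled at once, an ldapsam backend with neither (a change from Windows then updates only the Samba hashes), a "passwd program" that is configured but never runs because "unix password sync" is off, and a "passwd program" that calls smbldap-passwd -u, which per the --help output quoted above updates only the UNIX password. The embedded sample is a trimmed copy of the [global] section posted earlier in this thread, in the state after the "ldap passwd sync = yes" change; the check list and all function names are my own.

```python
"""Lint the password-change settings in an smb.conf.

Added example for this thread; it is not Samba code and the check list is mine.
"""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the [global] section posted in this
# thread, in the state after the "ldap passwd sync = yes" change.
SAMPLE_SMB_CONF = r"""
[global]
        workgroup = CORPDOM
        netbios name = CORPPDC
        passdb backend = ldapsam:ldap://127.0.0.1
        ldap admin dn = cn=Manager,dc=brcrp,dc=com
        ldap ssl = no
        ldap passwd sync = yes
        #unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        #passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*

[netlogon]
        comment = Network Logon Service
        path = /pub
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}.

    Parameter names are lower-cased with runs of whitespace collapsed, which is
    how Samba itself compares them; '#' and ';' comment lines are skipped, so a
    commented-out parameter is simply absent from the result.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sections[current][" ".join(name.split()).lower()] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def lint_password_sync(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings about how a Windows-initiated password change will propagate."""
    g = sections.get("global", {})
    backend = g.get("passdb backend", "")
    unix_sync = is_yes(g.get("unix password sync", "no"))
    ldap_sync = is_yes(g.get("ldap passwd sync", "no"))
    program = g.get("passwd program", "")
    findings: List[str] = []

    if unix_sync and ldap_sync:
        findings.append("both 'unix password sync' and 'ldap passwd sync' are on; "
                        "userPassword would be rewritten by two different paths")
    if backend.startswith("ldapsam") and not (unix_sync or ldap_sync):
        findings.append("ldapsam without any sync option: a change from Windows updates "
                        "sambaNTPassword/sambaLMPassword only, userPassword stays stale")
    if unix_sync and not program:
        findings.append("'unix password sync = yes' but no 'passwd program' is set")
    if "smbldap-passwd" in program and re.search(r"\s-u\b", program):
        findings.append("'passwd program' runs smbldap-passwd -u, which updates only the "
                        "UNIX password; use smbldap-passwd %u to update both")
    if program and not unix_sync:
        findings.append("'passwd program' is set but 'unix password sync' is off, so it never runs")
    return findings


if __name__ == "__main__":
    for finding in lint_password_sync(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run against a real file with `lint_password_sync(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the parser deliberately ignores commented parameters, so it sees the configuration as smbd does rather than as the file looks in an editor.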
Re: [Samba] Error: You do not have permission to change your password
I've done some additional testing via ldapmodify and found that I can login as the LDAP user and the user has permission to change his/her own password hash. Does Samba bind to the LDAP directory as the user that is changing the password or as the user defined by "ldap admin dn"?

Any other thoughts on this issue?

Thanks all for your help!

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:
> You only changed unix-password:
>
> tuepdc:~ # smbldap-passwd --help
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under the GPL
> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>   -h, -?, --help   show this help message
>   -s               update only samba password
>   -u               update only UNIX password
>
> Just use smbldap-passwd USER
Re: [Samba] Error: You do not have permission to change your password
###
# ldbm and/or bdb database definitions
###

database        bdb
suffix          dc=brcrp,dc=com
checkpoint      1024 15
rootdn          cn=Manager,dc=brcrp,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          *omitted*
#rootpw         {SSHA}5v9AquZvm/9fhFMcetO072dGd2BX8C5Q

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example@example.com

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# enable monitoring
# database monitor

# allow only rootdn to read the monitor
#access to *
#       by dn.exact=cn=Manager,dc=brcrp,dc=com write
#       by * none

access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
        by dn=cn=Manager,dc=brcrp,dc=com write
        by self write
        by anonymous auth
        by * none

access to *
        by * read

#access to *
#       by * write

I have this server also acting as the WINS server for our multi-site environment over VPN. It seems to work pretty well. Setup is PDC w/BDC (both LDAP) at corporate with remote BDC (replicated LDAP) and DHCP server with netbios-name-server option.

Again, thanks all for your help!

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:
> You only changed unix-password:
>
> tuepdc:~ # smbldap-passwd --help
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under the GPL
> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>   -h, -?, --help   show this help message
>   -s               update only samba password
>   -u               update only UNIX password
>
> Just use smbldap-passwd USER
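On the question raised earlier in this thread of which identity Samba uses against the directory: the ldapsam backend binds as the "ldap admin dn" (cn=Manager,dc=brcrp,dc=com here, with the bind password stored in secrets.tdb via smbpasswd -w), not as the user whose password is being changed, so for a Samba-driven change the line that matters in the ACL above is "by dn=cn=Manager,dc=brcrp,dc=com write". As an added example (not OpenLDAP or Samba code), the following Python script parses the live "access to" directives from the slapd.conf above and evaluates them with slapd's rule that the first directive whose target matches is used and, within it, the first matching subject decides. It models only "*" and "attrs=" targets and the "*", "self", "anonymous", "users" and "dn=" subjects, treats a bare "dn=" as an exact DN match (check slapd.access(5) for the style your version applies to it), and the user DN uid=kennyz,ou=People,dc=brcrp,dc=com is constructed from the suffixes and account name posted in the thread.

```python
"""Evaluate slapd.conf 'access to' directives for a bind identity.

Added example for this thread, not OpenLDAP or Samba code; it models a subset of
slapd.access(5): targets '*' and 'attrs=...', subjects '*', 'self', 'anonymous',
'users' and 'dn=...' (taken as an exact DN match), and slapd's rule that the
first directive whose target matches is used and, within it, the first
matching subject decides the access level.
"""
import re
from typing import List, Optional, Set, Tuple

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample: the live directives from the slapd.conf posted in this
# thread. Lines other than 'access to' / 'by' lines (comments, other
# directives) are ignored, so a whole slapd.conf can be fed in unchanged.
SAMPLE_SLAPD_CONF = """
access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
        by dn=cn=Manager,dc=brcrp,dc=com write
        by self write
        by anonymous auth
        by * none

access to *
        by * read

#access to *
#       by * write
"""

# Constructed DNs: the thread's ldap admin dn, and a user entry assembled from
# its "ldap user suffix = ou=People" and the kennyz account.
MANAGER_DN = "cn=Manager,dc=brcrp,dc=com"
USER_DN = "uid=kennyz,ou=People,dc=brcrp,dc=com"

# A parsed directive: (attrs, or None for the whole entry; [(who, level), ...])
Clause = Tuple[Optional[Set[str]], List[Tuple[str, str]]]


def norm_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators before comparing."""
    return ",".join(p.strip() for p in dn.strip('"').lower().split(","))


def parse_access(text: str) -> List[Clause]:
    groups: List[List[str]] = []        # each 'access to' line plus its 'by' lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            groups.append([line[len("access to "):]])
        elif line.startswith("by ") and groups:
            groups[-1].append(line)
    clauses: List[Clause] = []
    for group in groups:
        target, *subjects = re.split(r"\s+by\s+", " ".join(group))
        m = re.fullmatch(r"attrs=(\S+)", target.strip())
        if m:
            attrs: Optional[Set[str]] = {a.lower() for a in m.group(1).split(",")}
        elif target.strip() == "*":
            attrs = None
        else:
            raise ValueError(f"unsupported target: {target}")
        by: List[Tuple[str, str]] = []
        for subj in subjects:
            who, level = subj.split()[:2]   # a trailing stop/break control is ignored
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            by.append((who if who.startswith("dn=") else who.lower(), level))
        clauses.append((attrs, by))
    return clauses


def matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return bind_dn is not None and norm_dn(who[3:]) == norm_dn(bind_dn)
    raise ValueError(f"unsupported subject: {who}")


def evaluate(clauses: List[Clause], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Access level slapd grants bind_dn (None = anonymous) on attr of target_dn."""
    for attrs, by in clauses:
        if attrs is not None and attr.lower() not in attrs:
            continue                    # this directive does not cover the attribute
        for who, level in by:           # first matching subject decides
            if matches(who, bind_dn, target_dn):
                return level
        return "none"                   # directive matched, no subject did
    return "none"                       # no directive matched at all


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_access(SAMPLE_SLAPD_CONF)
    for label, dn in (("ldap admin dn", MANAGER_DN), ("the user", USER_DN),
                      ("another user", "uid=other,ou=People,dc=brcrp,dc=com"),
                      ("anonymous", None)):
        level = evaluate(acl, dn, USER_DN, "sambaNTPassword")
        print(f"{label:14s} on sambaNTPassword of kennyz: {level}")
```

With the ACL as posted, the admin DN and the user on their own entry both get "write" on the password attributes, anybody else gets "none", and anonymous gets "auth" (enough for a simple bind, not enough to read the hashes); an attribute outside the list, such as cn, falls through to "access to * by * read".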