Re: [Samba] Changing passwords from Windows
I'm still getting a insufficient privileges message. My attributes in slapd.conf are below: access to dn.regex=".*,dc=at,dc=home" attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=root,dc=at,dc=home" write by self write by * auth access to dn.regex=".*,dc=at,dc=home" attrs=mail by dn="cn=root,dc=at,dc=home" write by self write by * read access to dn.regex=".*,ou=People,dc=at,dc=home" by * read access to dn.regex=".*,dc=at,dc=home" by self write by * read ---- > Date: Fri, 28 Jan 2011 00:55:19 +0900 > Subject: Re: [Samba] Changing passwords from Windows > From: mo...@monyo.com > To: joe_ts...@hotmail.com > CC: samba@lists.samba.org > > 2011/1/26 Joe Tseng : > > > > Is it possible for a user to change his/her password from Windows? I tried > > it > > out last night as a test user against my PDC and it only changed for Samba; > > I > > was still able to log into the PDC via SSH using the previous password. (I > > changed it for the test user as root and it took for both SSH and Windows.) > > Set "ldap password sync = yes" in LDAP environment or set "unix > password sync = yes" > and "pam password change = yes" in normal environment with PAM enabled. > > > I tried to use smbldap-passwd as the test user, but I got a message back > > saying > > I had insufficient privileges: > > Have you set "by self write" to both sambaLMPassword and sambaNTPassword? > > --- > TAKAHASHI Motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Changing passwords from Windows
On 28 janv. 11, at 11:26, TAKAHASHI Motonobu wrote: 2011/1/28 Thierry Lacoste : On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote: I tried to use smbldap-passwd as the test user, but I got a message back saying I had insufficient privileges: Have you set "by self write" to both sambaLMPassword and sambaNTPassword? AFAICT this is not needed. The user never accesses theses hashes for himself. The samba "ldap admin dn" and the smbldap-tools "masterDN" need write access to them. Have you examined? As far as I examined smbldap-tools 0.9.5, to set "by self write" to both sambaLMPassword and sambaNTPassword is needed for a user to change his own password with smbldap-passwd. I misread the OP. Moreover I've always used smbldap-passwd as root. Sorry for the noise. Regards, Thierry -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Changing passwords from Windows
2011/1/28 Thierry Lacoste : > > On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote: >>> I tried to use smbldap-passwd as the test user, but I got a message back >>> saying I had insufficient privileges: >> >> Have you set "by self write" to both sambaLMPassword and sambaNTPassword? > > AFAICT this is not needed. The user never accesses theses hashes for > himself. > The samba "ldap admin dn" and the smbldap-tools "masterDN" need write access > to them. Have you examined? As far as I examined smbldap-tools 0.9.5, to set "by self write" to both sambaLMPassword and sambaNTPassword is needed for a user to change his own password with smbldap-passwd. --- TAKAHASHI Motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Changing passwords from Windows
On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote: 2011/1/26 Joe Tseng : Is it possible for a user to change his/her password from Windows? I tried it out last night as a test user against my PDC and it only changed for Samba; I was still able to log into the PDC via SSH using the previous password. (I changed it for the test user as root and it took for both SSH and Windows.) Set "ldap password sync = yes" in LDAP environment or set "unix password sync = yes" and "pam password change = yes" in normal environment with PAM enabled. I tried to use smbldap-passwd as the test user, but I got a message back saying I had insufficient privileges: Have you set "by self write" to both sambaLMPassword and sambaNTPassword? AFAICT this is not needed. The user never accesses theses hashes for himself. The samba "ldap admin dn" and the smbldap-tools "masterDN" need write access to them. I believe the smbldap-tools "masterDN" (and probably the samba "ldap admin dn") also needs write access to : - sambaPwdLastSet - sambaPwdCanChange - sambaPwdMustChange - sambaAcctFlags Regards, Thierry -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Changing passwords from Windows
2011/1/26 Joe Tseng : > > Is it possible for a user to change his/her password from Windows? I tried it > out last night as a test user against my PDC and it only changed for Samba; I > was still able to log into the PDC via SSH using the previous password. (I > changed it for the test user as root and it took for both SSH and Windows.) Set "ldap password sync = yes" in LDAP environment or set "unix password sync = yes" and "pam password change = yes" in normal environment with PAM enabled. > I tried to use smbldap-passwd as the test user, but I got a message back > saying > I had insufficient privileges: Have you set "by self write" to both sambaLMPassword and sambaNTPassword? --- TAKAHASHI Motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Changing passwords from Windows
Is it possible for a user to change his/her password from Windows? I tried it out last night as a test user against my PDC and it only changed for Samba; I was still able to log into the PDC via SSH using the previous password. (I changed it for the test user as root and it took for both SSH and Windows.) I tried to use smbldap-passwd as the test user, but I got a message back saying I had insufficient privileges: == [testuser0@server0 ~]$ smbldap-passwd Identity validation... enter your UNIX password: Changing UNIX and samba passwords for testuser0 New password: Retype new password: Failed to modify SMB password: Insufficient access at /usr/sbin/smbldap-passwd line 238, line 3. Failed to modify UNIX password: Insufficient access at /usr/sbin/smbldap-passwd line 285, line 3. == Thanks for everyone's help, - Joe If you type "Google" into Google, you can break the Internet. -- Jen Barber -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
I'm wondering about the pros and cons of simplifying the default chat - maybe something like: *password* %n\n *password* %n\n *success* This should work on my system as well. I'm not sure about the system from the "Example 3.4. 130 User Network with tdbsam [globals] Section", since the final "success" condition may or may not report "success" after the password is reported changed. Anyway, a simpler default dialogue would make the chat more immune to differences between systems, so things like "retype" versus "re-enter" wouldn't come into play. Ben Walton wrote: Yes, I just verified this on my setup. I've never had luck in the past, but I must have had a non-working password chat at those times (quite some time ago now). Apologies for misleading anyone. I have a 'unique' setup for my user accounts, so my little script will still be useful for certain purposes here, but I can now allow normal password changes. Thanks Eric & Simo. -Ben On Thu, 2006-03-30 at 15:04 -0500, Eric J. Feldhusen wrote: > On a RHEL4, with Samba 3.0.10, I have the following password > options below. I just tested and with a WinXP Pro client, I did > the ctrl-alt-delete and changed my password. Once I did that, I > ssh'ed into the box and it used my new password. > > > [global] encrypt passwords = yes > > null passwords = yes > > obey pam restrictions = yes > > passwd chat = *New*UNIX*password* > %n\n*ReType*new*UNIX*password*%n\n > *passwd:*all*authentication*tokens*update d*successfully* > > passwd program = /usr/bin/passwd %u > > unix password sync = Yes > > > Ben Walton wrote: > >> A note on the password sync issue. Someone more knowledgeable >> correct me if I'm wrong. >> > -- Eric Feldhusen System Administrator http://www.remc1.org > [EMAIL PROTECTED] PO Box 270 (906) 482-4520 x239 809 > Hecla St (906) 482-5031 fax Hancock, MI 49930 (906) 370 > 6202 mobile -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
simo wrote: On Thu, 2006-03-30 at 14:31 -0500, Gary Dale wrote: re. 2) my current problem: your suggestion #2 worked. When "unix passwd synch" is commented out, I was able to change my Samba password. When it was set to "Yes", the password synch took forever, then failed silently. It looks like there is an issue with changing the Unix/Linux password that I have to resolve. It appears also that Windows may be waiting for a response such as is included in the passwd chat in By Example's "Example 3.4. 130 User Network with //tdbsam// [globals] Section". When I included the response, the Windows dialogue failed fairly quickly. You need to check your password chat option, that is a very senitive option that need to match exactly what your system asks on the command line when you want to change a password. Failing to do that may led the expect script to wait forever on a never coming input. Simo. Hey, you're good! That was exactly the problem. My original passwd chat was almost correct, except that it ended with a "." field. That, I gather, prevented it from reporting to Windows - hence the hang. I changed the entire chat to one from the Samba By Example, which didn't work on my system, but at least reported the failure. Changing the first two fields back to my original, and correcting the third one, got it humming along. Thanks again Simo! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
Yes, I just verified this on my setup. I've never had luck in the past, but I must have had a non-working password chat at those times (quite some time ago now). Apologies for misleading anyone. I have a 'unique' setup for my user accounts, so my little script will still be useful for certain purposes here, but I can now allow normal password changes. Thanks Eric & Simo. -Ben On Thu, 2006-03-30 at 15:04 -0500, Eric J. Feldhusen wrote: > On a RHEL4, with Samba 3.0.10, I have the following password options > below. I just tested and with a WinXP Pro client, I did the > ctrl-alt-delete and changed my password. Once I did that, I ssh'ed into > the box and it used my new password. > > > [global] > encrypt passwords = yes > > null passwords = yes > > obey pam restrictions = yes > > passwd chat = *New*UNIX*password* %n\n*ReType*new*UNIX*password*%n\n > *passwd:*all*authentication*tokens*update > d*successfully* > > passwd program = /usr/bin/passwd %u > > unix password sync = Yes > > > Ben Walton wrote: > > A note on the password sync issue. Someone more knowledgeable correct > > me if I'm wrong. > > > > -- > Eric Feldhusen > System Administrator http://www.remc1.org > [EMAIL PROTECTED] > PO Box 270 (906) 482-4520 x239 > 809 Hecla St(906) 482-5031 fax > Hancock, MI 49930 (906) 370 6202 mobile -- Ben Walton Systems Programmer Office of Planning & IT Faculty of Arts & Science University of Toronto Cell: 416.407.5610 PGP Key Id: 8E89F6D2 signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On Thu, 2006-03-30 at 14:45 -0500, Ben Walton wrote: > A note on the password sync issue. Someone more knowledgeable correct > me if I'm wrong. You are wrong, see Eric's answer. Simo. -- Simo Sorce Samba Team GPL Compliance Officer email: [EMAIL PROTECTED] http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On Thu, 2006-03-30 at 14:31 -0500, Gary Dale wrote: > re. 2) my current problem: your suggestion #2 worked. When "unix passwd > synch" is commented out, I was able to change my Samba password. When it > was set to "Yes", the password synch took forever, then failed silently. > It looks like there is an issue with changing the Unix/Linux password > that I have to resolve. It appears also that Windows may be waiting for > a response such as is included in the passwd chat in By Example's > "Example 3.4. 130 User Network with //tdbsam// [globals] Section". When > I included the response, the Windows dialogue failed fairly quickly. You need to check your password chat option, that is a very senitive option that need to match exactly what your system asks on the command line when you want to change a password. Failing to do that may led the expect script to wait forever on a never coming input. Simo. -- Simo Sorce Samba Team GPL Compliance Officer email: [EMAIL PROTECTED] http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On a RHEL4, with Samba 3.0.10, I have the following password options below. I just tested and with a WinXP Pro client, I did the ctrl-alt-delete and changed my password. Once I did that, I ssh'ed into the box and it used my new password. [global] encrypt passwords = yes null passwords = yes obey pam restrictions = yes passwd chat = *New*UNIX*password* %n\n*ReType*new*UNIX*password*%n\n *passwd:*all*authentication*tokens*update d*successfully* passwd program = /usr/bin/passwd %u unix password sync = Yes Ben Walton wrote: A note on the password sync issue. Someone more knowledgeable correct me if I'm wrong. -- Eric Feldhusen System Administrator http://www.remc1.org [EMAIL PROTECTED] PO Box 270 (906) 482-4520 x239 809 Hecla St(906) 482-5031 fax Hancock, MI 49930 (906) 370 6202 mobile -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
A note on the password sync issue. Someone more knowledgeable correct me if I'm wrong. When using the password syncing feature, the password must be changed using the smbpasswd program on the pdc. The reason being that using the dialog from a windows client sends the updated password to the pdc as a pre-hashed value. The pdc never sees the clear text password...just like it doesn't during authentication. (This is a good thing.) When using smbpasswd, the smbpasswd binary actually has the clear text password to work with. It first attempts to update the unix password and only proceeds to change the samba password if the unix change was a success. So, in my implementation, I've done the following to allow clients to change their passwords (unix + samba) from the windows machine. It's clumsy (requires original password twice) and is text based (a linux login) rather than a pretty gui, but it does keep the passwords the same from the windows client. Step 1: Disable the password change buttons via policy, registry hack, etc. Step 2: I have a perl script that sets up a custom session (passwd) in putty, stuffs in the key for the password changing server (yes, this isn't ideal, keys are meant to be validated for a reason) and then launches putty, calling the custom session. The user sees a putty window pop up asking for their password. Once authenticated, I present some text, and then drive smbpasswd on the Linux side. If you didn't need to present any custom text, you could simply drive smbpasswd directly...I keep this script on a shared drive, and can therefore update the servers key very easily if it changes for some reason. I've attached my script. I hope someone else can make use of it. If I'm way off on my assessment of the different password changing methods (gui vs smbpasswd) and there is a way to do this from the gui, I'd appreciate someone letting me know. Thanks -Ben On Thu, 2006-03-30 at 14:31 -0500, Gary Dale wrote: > simo wrote: > > >On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote: > > > > > >>--- > >> > >>OK, the logs aren't quite silent. Here's one when I tried to change my > >>password from a workstation (the log fragment is from > >>samba/log. - log.nmbd and log.smbd are silent for the > >>period). This time it came back with "you do not have permission to > >>change your password" after only a few seconds. The other passwords I've > >>been trying to change (and this password in previous attempts) have gone > >>away for more than 15 minutes before the dialogue box closed (without > >>changing the password): > >> > >> > >> > > > >Log level 0 is not that useful, you may raise it to 3 or 5 and see what > >error is returned on a password change. > > > >... > > > >Anyway, for some masochistic reason I took the time to go back and see > >your recent postings and ... well man, you really need to take a breath. > > > >All your attempts to set up samba with LDAP have failed just because you > >do not understand the openLdap ACL model and, more simply, you failed to > >do basic things like defining the same dn as ldap manager in slapd.conf > >and smb.conf (as the documentation clearly states). > > > >Anyway you got back to tdbsam, fine, it is the simpler option. > > > >Now can you check the smb.conf you posted earlier today and: > > > >1. Raise the log level > > > >2. comment out "password program", "password chat" and "unix password > >sync" so that we are sure they are not set up wrongly > > > >3. tell me how "add group script" and "add user to group script" can > >possibly ever work (unless the text of the conf has been mangled the > >first misses the only meaningful parameter which is the group name and > >the second has a wild back tick ...) > > > >And then also "invalid users" and "admin users" are in conflict about > >root and printing is set to cups yet you try to define a mysterious "lpq > >command = %p" > > > > > > > >I agree that one not need to be a developer to set up things, but at > >least, please, check carefully the configuration file AND the logs > >before shouting against the hard work of other people and claiming the > >documentation is wrong. > > > >Simo. > > > > > > > Thanks Simo. It really is better to light one candle than to curse the > darkness! > > re. 1) At various times I did have admin in both files and at others it > was samba in both. That didn't work either. > > re. 2) my current problem: your suggestion #2 worked. When "unix passwd > synch" is commented out, I was able to change my Samba password. When it > was set to "Yes", the password synch took forever, then failed silently. > It looks like there is an issue with changing the Unix/Linux password > that I have to resolve. It appears also that Windows may be waiting for > a response such as is included in the passwd chat in By Example's > "Example 3.4. 130 User Network with //tdbsam// [globals] Section". When > I included the response, the Wi
Re: [Samba] changing passwords from Windows XP Pro workstations
simo wrote: On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote: --- OK, the logs aren't quite silent. Here's one when I tried to change my password from a workstation (the log fragment is from samba/log. - log.nmbd and log.smbd are silent for the period). This time it came back with "you do not have permission to change your password" after only a few seconds. The other passwords I've been trying to change (and this password in previous attempts) have gone away for more than 15 minutes before the dialogue box closed (without changing the password): Log level 0 is not that useful, you may raise it to 3 or 5 and see what error is returned on a password change. ... Anyway, for some masochistic reason I took the time to go back and see your recent postings and ... well man, you really need to take a breath. All your attempts to set up samba with LDAP have failed just because you do not understand the openLdap ACL model and, more simply, you failed to do basic things like defining the same dn as ldap manager in slapd.conf and smb.conf (as the documentation clearly states). Anyway you got back to tdbsam, fine, it is the simpler option. Now can you check the smb.conf you posted earlier today and: 1. Raise the log level 2. comment out "password program", "password chat" and "unix password sync" so that we are sure they are not set up wrongly 3. tell me how "add group script" and "add user to group script" can possibly ever work (unless the text of the conf has been mangled the first misses the only meaningful parameter which is the group name and the second has a wild back tick ...) And then also "invalid users" and "admin users" are in conflict about root and printing is set to cups yet you try to define a mysterious "lpq command = %p" I agree that one not need to be a developer to set up things, but at least, please, check carefully the configuration file AND the logs before shouting against the hard work of other people and claiming the documentation is wrong. Simo. Thanks Simo. It really is better to light one candle than to curse the darkness! re. 1) At various times I did have admin in both files and at others it was samba in both. That didn't work either. re. 2) my current problem: your suggestion #2 worked. When "unix passwd synch" is commented out, I was able to change my Samba password. When it was set to "Yes", the password synch took forever, then failed silently. It looks like there is an issue with changing the Unix/Linux password that I have to resolve. It appears also that Windows may be waiting for a response such as is included in the passwd chat in By Example's "Example 3.4. 130 User Network with //tdbsam// [globals] Section". When I included the response, the Windows dialogue failed fairly quickly. Possibly (probably) it an issue with the group script problems you identified. I'll work on it. Also, I never said the documentation was wrong, just not perfect. I also said I don't personally like the style it's written in. RTFM is rarely a useful response to anything except the most basic problems. :) Anyway, as proof that even bright and knowledgeable people miss things, your suggestions have got me further than my previous exchange with Jeremy Allison. :) I'm not going to send you the log file since I gather that people here have lost interest in my postings (I have a keen grasp of the obvious, to borrow a phrase Gary Trudeau used a few decades ago). Besides, you and Craig have given me enough help to follow through myself. So again thanks. Much appreciated! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
Gary Dale wrote: Craig White wrote: I'm keeping this on list. On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote: Craig White wrote: if I was going to guess...I think your problems are... http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330 see items #3 through #7 you don't have a passwd chat script as I recall. That's probably important. your setup should track this setup as I see it. http://samba.org/samba/docs/man/Samba3-ByExample/secure.html since you have no interest in advancing your skills, count me out next time unless you learn to ask simple questions. The simple truth is, if you want know little, point and click Windows network administration, you are probably better off using a Microsoft Windows server. My interest is in helping people that actually are interested in learning something, yes gasp, those that actually do want to become expert. Lastly, I would heavily suggest you forget about LDAP until your attitude changes because it is hostile to administrators that don't want to become knowledgdable. Craig Thanks Craig. I think you'll see a problem here. You suggest that the issue may be a lack of a passwd chat script, while two others suggest I remove the passwd chat script - which is almost identical to the one in the second URL you just gave. The issue isn't about whether people want to learn. It's about how much they have to learn to get things to work. If something takes too much effort, in the real world it doesn't get done. There is nothing inherently complicated about managing a directory service. Look at the simple Linux tools for user or printer administration for proof. I see no virtue in making Samba-LDAP configuration a black art. A basic setup should be easy to achieve. In fact, from what I have been reading, LDAP should be the standard Samba backend. That won't happen if people have to spend a week or more learning how to use it. You completely do not get it. Samba is infinitely configurable. Windows - at the moment of setup you have to choose the role for a server, whether a domain controller or a member server. The workstation is sold separately. Samba provides all of those roles including a Windows 95/98 server too. There is no way that anyone can solve your problem with any certainty without suitable logs, an inspection of your tdbsam and your /etc/passwd files AND the smb.conf, the whole of which you dumped on us last night and undoubtedly have changed many times since. Proper mail list etiquette and a commitment to demonstrating that you are actually focused on the problem would dictate that you limit those items to only the minimum necessary logs, smb.conf, etc. Your information is incomplete and as I stated last night, I am not going to speculate any further on your problems. In fact, your reply has made me sorry that I even speculated on the solution to your problem. As for my 'seeing' the problem - that being in your mind - different suggestions to solve your problem - that is absolutely absurd. ***The problem*** is you don't know how to provide the information with which someone can tell you what the definitive solution would be. As for your suggestion that Samba-LDAP a black art...Samba is Samba and LDAP is LDAP - you understand neither package so expecting them to work for you is a rather pointless endeavor. Knowledge is power and you appear to be lacking both. Yet you expect them to work for you even though you don't understand them nor wish to understand them - I wish you luck. Let me be blunt - you are a help vampire. Please don't email me any more until you change your ways. Craig Under your rules, it is up to the patient to figure out what tests need to be performed before visiting the doctor. :) I have always regarded the help process as a dialogue - maybe that comes from my having worked in systems support at one time, or maybe it comes from my being a systems consultant (both inhouse and contract at various times) - but I have never expected the customer to tell me what is wrong in a manner that I can immediately say "here's what you have to do". In my experience, the customer/patient comes to the experts with a problem. The experts dig around to determine what the issue really is, including asking for specific tests or more information. Then they make a diagnosis and prescribe a treatment/solution. Insulting the patient/customer is usually not a good way to go about things. I've been working with PCs since 1978 and with Linux since 1998. I put a lot of effort into learning about making things work. And according the the Mensa test, I'm not stupid. :) But I'm also not someone who has a narrowly defined role. My customers expect me to be broadly knowledgeable on just about every topic associated with computers. Even if I became an LDAP guru, I'd be unlikely to maintain that level of expertice for long. That is a fact of life in the real worl
Re: [Samba] changing passwords from Windows XP Pro workstations
Craig White wrote: I'm keeping this on list. On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote: Craig White wrote: if I was going to guess...I think your problems are... http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330 see items #3 through #7 you don't have a passwd chat script as I recall. That's probably important. your setup should track this setup as I see it. http://samba.org/samba/docs/man/Samba3-ByExample/secure.html since you have no interest in advancing your skills, count me out next time unless you learn to ask simple questions. The simple truth is, if you want know little, point and click Windows network administration, you are probably better off using a Microsoft Windows server. My interest is in helping people that actually are interested in learning something, yes gasp, those that actually do want to become expert. Lastly, I would heavily suggest you forget about LDAP until your attitude changes because it is hostile to administrators that don't want to become knowledgdable. Craig Thanks Craig. I think you'll see a problem here. You suggest that the issue may be a lack of a passwd chat script, while two others suggest I remove the passwd chat script - which is almost identical to the one in the second URL you just gave. The issue isn't about whether people want to learn. It's about how much they have to learn to get things to work. If something takes too much effort, in the real world it doesn't get done. There is nothing inherently complicated about managing a directory service. Look at the simple Linux tools for user or printer administration for proof. I see no virtue in making Samba-LDAP configuration a black art. A basic setup should be easy to achieve. In fact, from what I have been reading, LDAP should be the standard Samba backend. That won't happen if people have to spend a week or more learning how to use it. You completely do not get it. Samba is infinitely configurable. Windows - at the moment of setup you have to choose the role for a server, whether a domain controller or a member server. The workstation is sold separately. Samba provides all of those roles including a Windows 95/98 server too. There is no way that anyone can solve your problem with any certainty without suitable logs, an inspection of your tdbsam and your /etc/passwd files AND the smb.conf, the whole of which you dumped on us last night and undoubtedly have changed many times since. Proper mail list etiquette and a commitment to demonstrating that you are actually focused on the problem would dictate that you limit those items to only the minimum necessary logs, smb.conf, etc. Your information is incomplete and as I stated last night, I am not going to speculate any further on your problems. In fact, your reply has made me sorry that I even speculated on the solution to your problem. As for my 'seeing' the problem - that being in your mind - different suggestions to solve your problem - that is absolutely absurd. ***The problem*** is you don't know how to provide the information with which someone can tell you what the definitive solution would be. As for your suggestion that Samba-LDAP a black art...Samba is Samba and LDAP is LDAP - you understand neither package so expecting them to work for you is a rather pointless endeavor. Knowledge is power and you appear to be lacking both. Yet you expect them to work for you even though you don't understand them nor wish to understand them - I wish you luck. Let me be blunt - you are a help vampire. Please don't email me any more until you change your ways. Craig Under your rules, it is up to the patient to figure out what tests need to be performed before visiting the doctor. :) I have always regarded the help process as a dialogue - maybe that comes from my having worked in systems support at one time, or maybe it comes from my being a systems consultant (both inhouse and contract at various times) - but I have never expected the customer to tell me what is wrong in a manner that I can immediately say "here's what you have to do". In my experience, the customer/patient comes to the experts with a problem. The experts dig around to determine what the issue really is, including asking for specific tests or more information. Then they make a diagnosis and prescribe a treatment/solution. Insulting the patient/customer is usually not a good way to go about things. I've been working with PCs since 1978 and with Linux since 1998. I put a lot of effort into learning about making things work. And according the the Mensa test, I'm not stupid. :) But I'm also not someone who has a narrowly defined role. My customers expect me to be broadly knowledgeable on just about every topic associated with computers. Even if I became an LDAP guru, I'd be unlikely to maintain that level of expertice for long. That is a fact of life in the real world. Respon
Re: [Samba] changing passwords from Windows XP Pro workstations
I'm keeping this on list. On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote: > Craig White wrote: > > > >if I was going to guess...I think your problems are... > > > >http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330 > > > >see items #3 through #7 > > > >you don't have a passwd chat script as I recall. That's probably > >important. > > > >your setup should track this setup as I see it. > > > >http://samba.org/samba/docs/man/Samba3-ByExample/secure.html > > > >since you have no interest in advancing your skills, count me out next > >time unless you learn to ask simple questions. The simple truth is, if > >you want know little, point and click Windows network administration, > >you are probably better off using a Microsoft Windows server. > > > >My interest is in helping people that actually are interested in > >learning something, yes gasp, those that actually do want to become > >expert. Lastly, I would heavily suggest you forget about LDAP until your > >attitude changes because it is hostile to administrators that don't want > >to become knowledgdable. > > > >Craig > > > > > > > Thanks Craig. I think you'll see a problem here. You suggest that the > issue may be a lack of a passwd chat script, while two others suggest I > remove the passwd chat script - which is almost identical to the one in > the second URL you just gave. > > The issue isn't about whether people want to learn. It's about how much > they have to learn to get things to work. If something takes too much > effort, in the real world it doesn't get done. There is nothing > inherently complicated about managing a directory service. Look at the > simple Linux tools for user or printer administration for proof. I see > no virtue in making Samba-LDAP configuration a black art. A basic setup > should be easy to achieve. In fact, from what I have been reading, LDAP > should be the standard Samba backend. That won't happen if people have > to spend a week or more learning how to use it. You completely do not get it. Samba is infinitely configurable. Windows - at the moment of setup you have to choose the role for a server, whether a domain controller or a member server. The workstation is sold separately. Samba provides all of those roles including a Windows 95/98 server too. There is no way that anyone can solve your problem with any certainty without suitable logs, an inspection of your tdbsam and your /etc/passwd files AND the smb.conf, the whole of which you dumped on us last night and undoubtedly have changed many times since. Proper mail list etiquette and a commitment to demonstrating that you are actually focused on the problem would dictate that you limit those items to only the minimum necessary logs, smb.conf, etc. Your information is incomplete and as I stated last night, I am not going to speculate any further on your problems. In fact, your reply has made me sorry that I even speculated on the solution to your problem. As for my 'seeing' the problem - that being in your mind - different suggestions to solve your problem - that is absolutely absurd. ***The problem*** is you don't know how to provide the information with which someone can tell you what the definitive solution would be. As for your suggestion that Samba-LDAP a black art...Samba is Samba and LDAP is LDAP - you understand neither package so expecting them to work for you is a rather pointless endeavor. Knowledge is power and you appear to be lacking both. Yet you expect them to work for you even though you don't understand them nor wish to understand them - I wish you luck. Let me be blunt - you are a help vampire. Please don't email me any more until you change your ways. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 23:12 -0500, Gary Dale wrote: > Craig White wrote: > > >On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: > > > > > >>Craig White wrote: > >> > >> > >> > >>>On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: > >>> > >>> > >>> > >>> > Back to square 1! I stripped out my unsuccessful attempts to get Samba > working with LDAP on my Debian Sarge server and am back with a tdbsam > backend. I actually tried to purge as much of the old Samba & LDAP as I > could then reinstalled fresh. This included removing the Windows groups > and users and even the old tdbsam data. > > Unfortunately, I'm back where I started - users can't change their own > passwords using the Windows password change dialogue. Their system will > go away for a very long time (more than 15 minutes) then silently fail > to change the password. > > For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) > on a 2.6.8 kernel. This should mean that this is NOT the old Windows > security patch issue. > > I've attached my smb.conf (minus the shares definitions) if that helps. > > Also, for what it's worth, the user accounts are all in Domain Users and > users. All but mine use /bin/false as the login shell (but none of us > can change passwords). My account is also in Domain Admins - and I can > add machine accounts with it. > > Any ideas anyone? > > > > > >>> > >>>I kept my mouth shut because you were following someone's step by step > >>>and not the samba official documentation. > >>> > >>>If you want to follow the Samba By Example, methodology, you will > >>>probably find a lot more people willing to help. > >>> > >>>Changing passwords seems to only require that samba, smbldap-tools be > >>>properly configured for your ldap setup and a script referenced in your > >>>smb.conf > >>> > >>>The smb.conf you attached of course has nothing to do with LDAP and it > >>>isn't clear what you are trying to do. > >>> > >>>I would suggest that you familiarize yourself with the Samba By Example > >>>book (dead tree form) or pdf or html from the samba.org web site and > >>>figure out what you are trying to do so someone could actually help. > >>> > >>>Craig > >>> > >>> > >>> > >>> > >>> > >>> > >>I've followed the Samba by example in this case. It was not very > >>helpful. Between the typos, omissions, errors, and general lack of > >>content, it's hard to get anything to work following it. Sorry to be so > >>negative about it, but it seems to assume that if you just install the > >>packages, things work. > >> > >>Now a plain vanilla Debian Sarge system is hardly esoteric, but my > >>experience has been that things only work if you are doing a virgin > >>setup. In my case, Samba was originally vampired from my old W2K server > >>and I've always had the password problem. Trying to install LDAP on a > >>system that previously had a not-quite-working tdbsam backend also isn't > >>something that the howto writers seem to have tried. > >> > >>The other howto I followed was one of several that were written > >>specifically for people trying to get Samba+LDAP to work on a Debian > >>system. After several days of trying to get it to work, even following > >>idealx.org's howto, it still wouldn't. So I ripped everything out and > >>went back to a basic Samba setup without LDAP. And now I'm back to the > >>same old problem I had before - users can't change their passwords. > >> > >>And yes, my current setup was following the Samba by Example - html > >>form. I also have the dead-tree Samba Howto collection. According to > >>them, I have a working system. :) > >> > >>The basic "by example" says in some very elegant story telling, after > >>assuming that you have Samba installed, to smbpasswd -a root, map the > >>Administrator account to it, add some groupmaps, stir in some users and > >>voila, everything works. My setup passes the validation and the > >>troubleshooting. It works, except that it doesn't. > >> > >>Again, I'll admit that this probably does work on a fresh system. I've > >>set up Samba PDCs from scratch before without problems. However, it > >>doesn't seem to want to work on this existing server, even after I > >>sacrificed my old accounts vampired from W2K to try to get this working. > >>I shouldn't have to rebuild my entire server just to be able to change > >>passwords! > >> > >>Finally, you need to recognize that Debian does things its way. It has > >>installation scripts that ask you questions up front and put the answers > >>in multiple files scattered across your system. Samba by Example doesn't > >>actually tell you what to put where or why. In fact, it's actually > >>difficult to tell exactly which program or file you need to be using at > >>any given moment. We're not all Samba developers, after all. SWAT, > >>smbpassw
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote: > --- > > OK, the logs aren't quite silent. Here's one when I tried to change my > password from a workstation (the log fragment is from > samba/log. - log.nmbd and log.smbd are silent for the > period). This time it came back with "you do not have permission to > change your password" after only a few seconds. The other passwords I've > been trying to change (and this password in previous attempts) have gone > away for more than 15 minutes before the dialogue box closed (without > changing the password): > Log level 0 is not that useful, you may raise it to 3 or 5 and see what error is returned on a password change. ... Anyway, for some masochistic reason I took the time to go back and see your recent postings and ... well man, you really need to take a breath. All your attempts to set up samba with LDAP have failed just because you do not understand the openLdap ACL model and, more simply, you failed to do basic things like defining the same dn as ldap manager in slapd.conf and smb.conf (as the documentation clearly states). Anyway you got back to tdbsam, fine, it is the simpler option. Now can you check the smb.conf you posted earlier today and: 1. Raise the log level 2. comment out "password program", "password chat" and "unix password sync" so that we are sure they are not set up wrongly 3. tell me how "add group script" and "add user to group script" can possibly ever work (unless the text of the conf has been mangled the first misses the only meaningful parameter which is the group name and the second has a wild back tick ...) And then also "invalid users" and "admin users" are in conflict about root and printing is set to cups yet you try to define a mysterious "lpq command = %p" I agree that one not need to be a developer to set up things, but at least, please, check carefully the configuration file AND the logs before shouting against the hard work of other people and claiming the documentation is wrong. Simo. -- Simo Sorce Samba Team GPL Compliance Officer email: [EMAIL PROTECTED] http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote: > Craig White wrote: > > >On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: > > > > > >>Craig White wrote: > >> > >> > >> > >>>On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: > >>> > >>> > >>> > >>> > Back to square 1! I stripped out my unsuccessful attempts to get Samba > working with LDAP on my Debian Sarge server and am back with a tdbsam > backend. I actually tried to purge as much of the old Samba & LDAP as I > could then reinstalled fresh. This included removing the Windows groups > and users and even the old tdbsam data. > > Unfortunately, I'm back where I started - users can't change their own > passwords using the Windows password change dialogue. Their system will > go away for a very long time (more than 15 minutes) then silently fail > to change the password. > > For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) > on a 2.6.8 kernel. This should mean that this is NOT the old Windows > security patch issue. > > I've attached my smb.conf (minus the shares definitions) if that helps. > > Also, for what it's worth, the user accounts are all in Domain Users and > users. All but mine use /bin/false as the login shell (but none of us > can change passwords). My account is also in Domain Admins - and I can > add machine accounts with it. > > Any ideas anyone? > > > > > >>> > >>>I kept my mouth shut because you were following someone's step by step > >>>and not the samba official documentation. > >>> > >>>If you want to follow the Samba By Example, methodology, you will > >>>probably find a lot more people willing to help. > >>> > >>>Changing passwords seems to only require that samba, smbldap-tools be > >>>properly configured for your ldap setup and a script referenced in your > >>>smb.conf > >>> > >>>The smb.conf you attached of course has nothing to do with LDAP and it > >>>isn't clear what you are trying to do. > >>> > >>>I would suggest that you familiarize yourself with the Samba By Example > >>>book (dead tree form) or pdf or html from the samba.org web site and > >>>figure out what you are trying to do so someone could actually help. > >>> > >>>Craig > >>> > >>> > >>> > >>> > >>> > >>> > >>I've followed the Samba by example in this case. It was not very > >>helpful. Between the typos, omissions, errors, and general lack of > >>content, it's hard to get anything to work following it. Sorry to be so > >>negative about it, but it seems to assume that if you just install the > >>packages, things work. > >> > >>Now a plain vanilla Debian Sarge system is hardly esoteric, but my > >>experience has been that things only work if you are doing a virgin > >>setup. In my case, Samba was originally vampired from my old W2K server > >>and I've always had the password problem. Trying to install LDAP on a > >>system that previously had a not-quite-working tdbsam backend also isn't > >>something that the howto writers seem to have tried. > >> > >>The other howto I followed was one of several that were written > >>specifically for people trying to get Samba+LDAP to work on a Debian > >>system. After several days of trying to get it to work, even following > >>idealx.org's howto, it still wouldn't. So I ripped everything out and > >>went back to a basic Samba setup without LDAP. And now I'm back to the > >>same old problem I had before - users can't change their passwords. > >> > >>And yes, my current setup was following the Samba by Example - html > >>form. I also have the dead-tree Samba Howto collection. According to > >>them, I have a working system. :) > >> > >>The basic "by example" says in some very elegant story telling, after > >>assuming that you have Samba installed, to smbpasswd -a root, map the > >>Administrator account to it, add some groupmaps, stir in some users and > >>voila, everything works. My setup passes the validation and the > >>troubleshooting. It works, except that it doesn't. > >> > >>Again, I'll admit that this probably does work on a fresh system. I've > >>set up Samba PDCs from scratch before without problems. However, it > >>doesn't seem to want to work on this existing server, even after I > >>sacrificed my old accounts vampired from W2K to try to get this working. > >>I shouldn't have to rebuild my entire server just to be able to change > >>passwords! > >> > >>Finally, you need to recognize that Debian does things its way. It has > >>installation scripts that ask you questions up front and put the answers > >>in multiple files scattered across your system. Samba by Example doesn't > >>actually tell you what to put where or why. In fact, it's actually > >>difficult to tell exactly which program or file you need to be using at > >>any given moment. We're not all Samba developers, after all. SWAT, > >>smbpassw
Re: [Samba] changing passwords from Windows XP Pro workstations
Craig White wrote: On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: Craig White wrote: On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba & LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig I've followed the Samba by example in this case. It was not very helpful. Between the typos, omissions, errors, and general lack of content, it's hard to get anything to work following it. Sorry to be so negative about it, but it seems to assume that if you just install the packages, things work. Now a plain vanilla Debian Sarge system is hardly esoteric, but my experience has been that things only work if you are doing a virgin setup. In my case, Samba was originally vampired from my old W2K server and I've always had the password problem. Trying to install LDAP on a system that previously had a not-quite-working tdbsam backend also isn't something that the howto writers seem to have tried. The other howto I followed was one of several that were written specifically for people trying to get Samba+LDAP to work on a Debian system. After several days of trying to get it to work, even following idealx.org's howto, it still wouldn't. So I ripped everything out and went back to a basic Samba setup without LDAP. And now I'm back to the same old problem I had before - users can't change their passwords. And yes, my current setup was following the Samba by Example - html form. I also have the dead-tree Samba Howto collection. According to them, I have a working system. :) The basic "by example" says in some very elegant story telling, after assuming that you have Samba installed, to smbpasswd -a root, map the Administrator account to it, add some groupmaps, stir in some users and voila, everything works. My setup passes the validation and the troubleshooting. It works, except that it doesn't. Again, I'll admit that this probably does work on a fresh system. I've set up Samba PDCs from scratch before without problems. However, it doesn't seem to want to work on this existing server, even after I sacrificed my old accounts vampired from W2K to try to get this working. I shouldn't have to rebuild my entire server just to be able to change passwords! Finally, you need to recognize that Debian does things its way. It has installation scripts that ask you questions up front and put the answers in multiple files scattered across your system. Samba by Example doesn't actually tell you what to put where or why. In fact, it's actually difficult to tell exactly which program or file you need to be using at any given moment. We're not all Samba developers, after all. SWAT, smbpasswd, pdbedit, etc. all seem to do the similar things but heaven help the poor user who's trying to find out when or why you should use one over the other. What I'm basically trying to say is you can't assume that everyone is going to get to place by a particular route. Debian howtos are useful for those of us with Debian-based systems because they give Debian package names and follow Debian installation dialogues. If there is something in the howto that you think is wrong or missing, then identify it. It's not as if the "official" Samba documentatio
Re: [Samba] changing passwords from Windows XP Pro workstations
Craig White wrote: On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: Craig White wrote: On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba & LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig I've followed the Samba by example in this case. It was not very helpful. Between the typos, omissions, errors, and general lack of content, it's hard to get anything to work following it. Sorry to be so negative about it, but it seems to assume that if you just install the packages, things work. Now a plain vanilla Debian Sarge system is hardly esoteric, but my experience has been that things only work if you are doing a virgin setup. In my case, Samba was originally vampired from my old W2K server and I've always had the password problem. Trying to install LDAP on a system that previously had a not-quite-working tdbsam backend also isn't something that the howto writers seem to have tried. The other howto I followed was one of several that were written specifically for people trying to get Samba+LDAP to work on a Debian system. After several days of trying to get it to work, even following idealx.org's howto, it still wouldn't. So I ripped everything out and went back to a basic Samba setup without LDAP. And now I'm back to the same old problem I had before - users can't change their passwords. And yes, my current setup was following the Samba by Example - html form. I also have the dead-tree Samba Howto collection. According to them, I have a working system. :) The basic "by example" says in some very elegant story telling, after assuming that you have Samba installed, to smbpasswd -a root, map the Administrator account to it, add some groupmaps, stir in some users and voila, everything works. My setup passes the validation and the troubleshooting. It works, except that it doesn't. Again, I'll admit that this probably does work on a fresh system. I've set up Samba PDCs from scratch before without problems. However, it doesn't seem to want to work on this existing server, even after I sacrificed my old accounts vampired from W2K to try to get this working. I shouldn't have to rebuild my entire server just to be able to change passwords! Finally, you need to recognize that Debian does things its way. It has installation scripts that ask you questions up front and put the answers in multiple files scattered across your system. Samba by Example doesn't actually tell you what to put where or why. In fact, it's actually difficult to tell exactly which program or file you need to be using at any given moment. We're not all Samba developers, after all. SWAT, smbpasswd, pdbedit, etc. all seem to do the similar things but heaven help the poor user who's trying to find out when or why you should use one over the other. What I'm basically trying to say is you can't assume that everyone is going to get to place by a particular route. Debian howtos are useful for those of us with Debian-based systems because they give Debian package names and follow Debian installation dialogues. If there is something in the howto that you think is wrong or missing, then identify it. It's not as if the "official" Samba documentatio
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: > Craig White wrote: > > >On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: > > > > > >>Back to square 1! I stripped out my unsuccessful attempts to get Samba > >>working with LDAP on my Debian Sarge server and am back with a tdbsam > >>backend. I actually tried to purge as much of the old Samba & LDAP as I > >>could then reinstalled fresh. This included removing the Windows groups > >>and users and even the old tdbsam data. > >> > >>Unfortunately, I'm back where I started - users can't change their own > >>passwords using the Windows password change dialogue. Their system will > >>go away for a very long time (more than 15 minutes) then silently fail > >>to change the password. > >> > >>For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) > >>on a 2.6.8 kernel. This should mean that this is NOT the old Windows > >>security patch issue. > >> > >>I've attached my smb.conf (minus the shares definitions) if that helps. > >> > >>Also, for what it's worth, the user accounts are all in Domain Users and > >>users. All but mine use /bin/false as the login shell (but none of us > >>can change passwords). My account is also in Domain Admins - and I can > >>add machine accounts with it. > >> > >>Any ideas anyone? > >> > >> > > > >I kept my mouth shut because you were following someone's step by step > >and not the samba official documentation. > > > >If you want to follow the Samba By Example, methodology, you will > >probably find a lot more people willing to help. > > > >Changing passwords seems to only require that samba, smbldap-tools be > >properly configured for your ldap setup and a script referenced in your > >smb.conf > > > >The smb.conf you attached of course has nothing to do with LDAP and it > >isn't clear what you are trying to do. > > > >I would suggest that you familiarize yourself with the Samba By Example > >book (dead tree form) or pdf or html from the samba.org web site and > >figure out what you are trying to do so someone could actually help. > > > >Craig > > > > > > > > > I've followed the Samba by example in this case. It was not very > helpful. Between the typos, omissions, errors, and general lack of > content, it's hard to get anything to work following it. Sorry to be so > negative about it, but it seems to assume that if you just install the > packages, things work. > > Now a plain vanilla Debian Sarge system is hardly esoteric, but my > experience has been that things only work if you are doing a virgin > setup. In my case, Samba was originally vampired from my old W2K server > and I've always had the password problem. Trying to install LDAP on a > system that previously had a not-quite-working tdbsam backend also isn't > something that the howto writers seem to have tried. > > The other howto I followed was one of several that were written > specifically for people trying to get Samba+LDAP to work on a Debian > system. After several days of trying to get it to work, even following > idealx.org's howto, it still wouldn't. So I ripped everything out and > went back to a basic Samba setup without LDAP. And now I'm back to the > same old problem I had before - users can't change their passwords. > > And yes, my current setup was following the Samba by Example - html > form. I also have the dead-tree Samba Howto collection. According to > them, I have a working system. :) > > The basic "by example" says in some very elegant story telling, after > assuming that you have Samba installed, to smbpasswd -a root, map the > Administrator account to it, add some groupmaps, stir in some users and > voila, everything works. My setup passes the validation and the > troubleshooting. It works, except that it doesn't. > > Again, I'll admit that this probably does work on a fresh system. I've > set up Samba PDCs from scratch before without problems. However, it > doesn't seem to want to work on this existing server, even after I > sacrificed my old accounts vampired from W2K to try to get this working. > I shouldn't have to rebuild my entire server just to be able to change > passwords! > > Finally, you need to recognize that Debian does things its way. It has > installation scripts that ask you questions up front and put the answers > in multiple files scattered across your system. Samba by Example doesn't > actually tell you what to put where or why. In fact, it's actually > difficult to tell exactly which program or file you need to be using at > any given moment. We're not all Samba developers, after all. SWAT, > smbpasswd, pdbedit, etc. all seem to do the similar things but heaven > help the poor user who's trying to find out when or why you should use > one over the other. > > What I'm basically trying to say is you can't assume that everyone is > going to get to place by a particular route. Debian howtos are useful > for those of us with Debian-based systems
Re: [Samba] changing passwords from Windows XP Pro workstations
Craig White wrote: On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba & LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig I've followed the Samba by example in this case. It was not very helpful. Between the typos, omissions, errors, and general lack of content, it's hard to get anything to work following it. Sorry to be so negative about it, but it seems to assume that if you just install the packages, things work. Now a plain vanilla Debian Sarge system is hardly esoteric, but my experience has been that things only work if you are doing a virgin setup. In my case, Samba was originally vampired from my old W2K server and I've always had the password problem. Trying to install LDAP on a system that previously had a not-quite-working tdbsam backend also isn't something that the howto writers seem to have tried. The other howto I followed was one of several that were written specifically for people trying to get Samba+LDAP to work on a Debian system. After several days of trying to get it to work, even following idealx.org's howto, it still wouldn't. So I ripped everything out and went back to a basic Samba setup without LDAP. And now I'm back to the same old problem I had before - users can't change their passwords. And yes, my current setup was following the Samba by Example - html form. I also have the dead-tree Samba Howto collection. According to them, I have a working system. :) The basic "by example" says in some very elegant story telling, after assuming that you have Samba installed, to smbpasswd -a root, map the Administrator account to it, add some groupmaps, stir in some users and voila, everything works. My setup passes the validation and the troubleshooting. It works, except that it doesn't. Again, I'll admit that this probably does work on a fresh system. I've set up Samba PDCs from scratch before without problems. However, it doesn't seem to want to work on this existing server, even after I sacrificed my old accounts vampired from W2K to try to get this working. I shouldn't have to rebuild my entire server just to be able to change passwords! Finally, you need to recognize that Debian does things its way. It has installation scripts that ask you questions up front and put the answers in multiple files scattered across your system. Samba by Example doesn't actually tell you what to put where or why. In fact, it's actually difficult to tell exactly which program or file you need to be using at any given moment. We're not all Samba developers, after all. SWAT, smbpasswd, pdbedit, etc. all seem to do the similar things but heaven help the poor user who's trying to find out when or why you should use one over the other. What I'm basically trying to say is you can't assume that everyone is going to get to place by a particular route. Debian howtos are useful for those of us with Debian-based systems because they give Debian package names and follow Debian installation dialogues. If there is something in the howto that you think is wrong or missing, then identify it. It's not as if the "official" Samba documentation is all encompassing and perfect. I've had to consult a couple of dozen different guides in trying
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: > Back to square 1! I stripped out my unsuccessful attempts to get Samba > working with LDAP on my Debian Sarge server and am back with a tdbsam > backend. I actually tried to purge as much of the old Samba & LDAP as I > could then reinstalled fresh. This included removing the Windows groups > and users and even the old tdbsam data. > > Unfortunately, I'm back where I started - users can't change their own > passwords using the Windows password change dialogue. Their system will > go away for a very long time (more than 15 minutes) then silently fail > to change the password. > > For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) > on a 2.6.8 kernel. This should mean that this is NOT the old Windows > security patch issue. > > I've attached my smb.conf (minus the shares definitions) if that helps. > > Also, for what it's worth, the user accounts are all in Domain Users and > users. All but mine use /bin/false as the login shell (but none of us > can change passwords). My account is also in Domain Admins - and I can > add machine accounts with it. > > Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] changing passwords from Windows XP Pro workstations
Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba & LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? # Samba config file created using SWAT # from 127.0.0.1 (127.0.0.1) # Date: 2006/03/28 22:32:02 # Global parameters [global] workgroup = RAHIM-DALE server string = %h PDC (Samba %v) passdb backend = tdbsam, guest passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . unix password sync = Yes log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 printcap name = cups add user script = /usr/sbin/useradd -g samba -c %u delete user script = /usr/sbin/userdel -r %u add group script = /usr/sbin/groupadd delete group script = /usr/sbin/groupdel %g add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G %g %u add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u logon script = scripts\logon.bat logon path = \\%L\Profiles\%U logon drive = M: logon home = \\%L\%U domain logons = Yes os level = 35 preferred master = Yes domain master = Yes wins support = no ldap ssl = no panic action = /usr/share/samba/panic-action %d idmap uid = 1-2 idmap gid = 1-2 invalid users = root admin users = garydale, root hosts allow = 192.168.2. 127. printing = cups print command = lpq command = %p lprm command = [netlogon] comment = Logon Server Share path = /home/samba/netlogon read only = No [profiles] path = /home/samba/profiles read only = No profile acls = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = root, garydale create mask = 0600 guest ok = Yes printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers printer admin = root, garydale -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba