Check these parameters in your global section with testparm -v

lanman auth = ?
ntlm auth = ?
client NTLMv2 = ?
client lanman auth = ?

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: Christopher Springer [mailto:csprin...@brcrp.com]
Sent: Wednesday, 18 August 2010 22:12
To: muel...@tropenklinik.de
Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
Subject: Re: AW: [Samba] Error: You do not have permission to change your password

Well, I have a partially working configuration now...that is to say that it
DOES work for WinXP and later but it does NOT work for WinNT4 systems (2k not
tested). I must've made a mistake in testing because now it seems that the XP
systems are able to change passwords just fine. For the life of me I cannot
get rid of the NTLM error messages when trying to change passwords on a
WinNT4 system.

I'm also having trouble figuring out what items in the Samba LDAP schema are
still in use and which ones should be controlled by other applications
(smbldap-usermod, pdbedit, etc). A good reference on deprecated LDAP entries
would be greatly appreciated!
I realize I still need to change the LDAP directory to use a separate user
for replication, etc but I'm trying to take small steps here :)

working smb.conf -

[global]
    log level = 1
    workgroup = CORPDOM
    netbios name = CORPPDC
    passdb backend = ldapsam:ldap://127.0.0.1
    username map = /etc/samba/smbusers
    printcap name = cups
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    logon script = scripts/%U.bat
    logon path =
    logon drive =
    security = user
    domain logons = Yes
    os level = 35
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    smb ports = 139
    ldap suffix = dc=brcrp,dc=com
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=brcrp,dc=com
    ldap ssl = no
    ldap passwd sync = yes
    printing = cups

[netlogon]
    comment = Network Logon Service
    path = /pub
    guest ok = Yes
    browseable = No

working slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=brcrp,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=brcrp,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw *omitted*
#rootpw {SSHA}5v9AquZvm/9fhFMcetO072dGd2BX8C5Q

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example....@example.com

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# enable monitoring
# database monitor

# allow only rootdn to read the monitor
#access to *
#        by dn.exact="cn=Manager,dc=brcrp,dc=com" write
#        by * none

access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
        by dn="cn=Manager,dc=brcrp,dc=com" write
        by self write
        by anonymous auth
        by * none

access to *
        by * read
#access to *
#        by * write

I have this server also acting as the WINS server for our multi-site
environment over VPN. It seems to work pretty well. Setup is PDC w/BDC (both
LDAP) at corporate with remote BDC (replicated LDAP) and DHCP server with
netbios-name-server option.

Again, thanks all for your help!
Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:
> You only changed unix-password:
>
>
> tuepdc:~ # smbldap-passwd --help
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under the GPL
> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
>   -h, -?, --help show this help message
>   -s update only samba password
>   -u update only UNIX password
>
> Just use smbldap-passwd USER
>
>
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: Christopher Springer [mailto:csprin...@brcrp.com]
> Sent: Wednesday, 18 August 2010 16:28
> To: muel...@tropenklinik.de
> Cc: gaiseric.van...@gmail.com; samba@lists.samba.org
> Subject: Re: [Samba] Error: You do not have permission to change your password
>
> I did some additional testing...
>
> It turns out that I was able to change the password successfully using...
>
> smbldap-passwd kennyz
>
> But then I tried changing with the -u option as follows...
>
> smbldap-passwd -u kennyz
>
> This did not return an error but it also apparently did not change the
> user's password because I can't login as the user now. I do not know
> how to interpret this behaviour but I'm hoping it can give you guys a
> clue as to what is truly the problem here.
>
> Thanks.
> --
> Chris
>
> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>> You need
>> ldap passwd sync = yes
>> no unix password sync = yes
>>
>> Then try to change it on your linux box.
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: muel...@tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Gaiseric Vandal
>> Sent: Wednesday, 18 August 2010 15:48
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] Error: You do not have permission to change your password
>>
>> I am pretty sure that the password command and script is run as root,
>> not as the user changing the password.
>> What happens if you run the password commands on the samba server? I
>> don't have smbldap tools on my system (Solaris, so not provided by the
>> Sun distro) so I had to rely on the OS password tools. By default, root
>> is not going to have sufficient privileges to change ldap passwords.
>>
>> If you don't enable password sync, are you able to change your Windows
>> password?
>>
>>
>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>> I'm using Samba v3.5.4-62 on Fedora 13 PDC using LDAP passdb backend
>>> and do the following...
>>>
>>> 1. Login as user on Windows system using domain user name and
>>>    password - Login successful
>>> 2. Press Ctrl-Alt-Del
>>> 3. Press Change Password
>>> 4. Enter old and new password as prompted
>>> 5. Receive response "You do not have permission to change your
>>>    password."
>>>
>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>
>>> [2010/08/17 16:13:53.884482, 0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>>   NTLMSSP NTLM1 packet check failed due to invalid signature!
>>> [2010/08/17 16:13:53.884592, 0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>>   process_request_pdu: failed to do auth processing.
>>> [2010/08/17 16:13:53.884668, 0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>>   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>
>>> This was generated from a WindowsNT4 system. The issue can also be
>>> duplicated from Windows XP clients.
>>>
>>> My smb.conf file on this system (PDC):
>>>
>>> [global]
>>>     log level = 1
>>>     workgroup = CORPDOM
>>>     netbios name = CORPPDC
>>>     passdb backend = ldapsam:ldap://127.0.0.1
>>>     enable privileges = yes
>>>     #encrypt passwords = yes
>>>     username map = /etc/samba/smbusers
>>>     printcap name = cups
>>>     add user script = /usr/sbin/smbldap-useradd -m '%u'
>>>     delete user script = /usr/sbin/smbldap-userdel '%u'
>>>     add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>     delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>     add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>     delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>>     set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>     add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>     logon script = scripts/%U.bat
>>>     logon path =
>>>     logon drive =
>>>     security = user
>>>     domain logons = Yes
>>>     os level = 35
>>>     preferred master = Yes
>>>     domain master = Yes
>>>     wins support = Yes
>>>     smb ports = 139
>>>     #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM 10.20.0.255/CORPDOM
>>>     #remote browse sync = 10.20.255.255 10.30.255.255
>>>     #remote announce = 10.30.255.255
>>>     #remote browse sync = 10.30.255.255
>>>     ldap suffix = dc=brcrp,dc=com
>>>     ldap machine suffix = ou=Computers
>>>     ldap user suffix = ou=People
>>>     ldap group suffix = ou=Group
>>>     ldap idmap suffix = ou=Idmap
>>>     ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>>     ldap ssl = no
>>>     #ldap passwd sync = yes
>>>     unix password sync = yes
>>>     passwd program = /usr/sbin/smbldap-passwd %u
>>>     passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>>     #client lanman auth = yes
>>>     #unix password sync = yes
>>>     #passwd program = /usr/sbin/smbldap-passwd -u %u
>>>     idmap backend = ldap:ldap://127.0.0.1
>>>     idmap uid = 15000-20000
>>>     idmap gid = 15000-20000
>>>     printing = cups
>>>
>>> [netlogon]
>>>     comment = Network Logon Service
>>>     path = /pub
>>>     guest ok = Yes
>>>     browseable = No
--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
csprin...@brcrp.com

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
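Two checks that follow from the thread, written up here as an added example; this is not code from any of the posters or from the Samba project. The first parses an smb.conf text and reports the four parameters Daniel asks Chris to look at with testparm -v, plus the password-sync switches the thread goes back and forth on, and flags two settings a reviewer would question (LanMan auth switched on; `ldap ssl = no` against a non-loopback LDAP URL). The second groups the two-line smbd log entries Chris posted and pulls out the NTLMSSP signature failures together with the NT_STATUS that followed, so the failures can be counted per timestamp instead of eyeballed. It assumes only the Python 3 standard library; SAMPLE_SMBCONF and SAMPLE_LOG are constructed copies of what the thread shows, and a parameter the file omits is reported as "unset" rather than resolved to a Samba default, which is deliberately not hard-coded here (that is what testparm -v on the real host is for).

```python
"""Triage helpers for the failing Windows password change discussed above.
Added example (not the posters' or the Samba project's code); Python 3 stdlib
only.  SAMPLE_SMBCONF and SAMPLE_LOG are constructed copies of what the thread
shows.  A parameter the file omits is reported as 'unset': the compiled-in
Samba default then applies, which is not hard-coded here ('testparm -v' shows it)."""
import re
from collections import OrderedDict

# The four parameters Daniel asked about, plus the password-sync switches.
REPORTED = ("lanman auth", "ntlm auth", "client ntlmv2 auth", "client lanman auth",
            "ldap passwd sync", "unix password sync", "passwd program", "ldap ssl")

def parse_smbconf(text):
    """{section: {parameter: value}}; comments skipped, names lower-cased with
    whitespace collapsed because smb.conf ignores case in parameter names."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, OrderedDict())
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def auth_settings_report(text):
    """The REPORTED parameters from [global]; 'unset' where the file omits one."""
    g = parse_smbconf(text).get("global", {})
    return OrderedDict((p, g.get(p, "unset")) for p in REPORTED)

def config_warnings(g):
    """Two settings a reviewer would flag in a parsed [global] section g."""
    on = lambda name: g.get(name, "").lower() in ("yes", "true", "1")
    warnings = []
    if on("lanman auth") or on("client lanman auth"):
        warnings.append("LanMan authentication enabled: LM responses derive from the "
                        "weak LM hash; keep it off unless a client truly needs it")
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:") and g.get("ldap ssl", "").lower() == "no":
        url = backend.split(":", 1)[1]
        loopback = re.match(r"ldap://(127\.0\.0\.1|localhost|\[::1\])(:\d+)?/?$", url)
        if not loopback and not url.startswith("ldapi://"):
            warnings.append("ldap ssl = no with a non-loopback LDAP URL: the 'ldap "
                            "admin dn' bind password crosses the network in clear")
    return warnings

# Samba 3 logs a bracketed header line, then the message on the next line(s).
LOG_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]\s*(\S*)")

def iter_log_entries(text):
    """Yield (timestamp, level, location, message) for each smbd log entry."""
    header, body = None, []
    for raw in text.splitlines():
        m = LOG_HEADER.match(raw.strip())
        if m:
            if header:
                yield header + (" ".join(body),)
            header, body = (m.group(1), int(m.group(2)), m.group(3)), []
        elif header and raw.strip():
            body.append(raw.strip())
    if header:
        yield header + (" ".join(body),)

def find_ntlmssp_failures(text):
    """Each NTLMSSP signature failure paired with the NT_STATUS smbd logged in
    the next three entries (None if none followed), so they can be counted."""
    entries = list(iter_log_entries(text))
    hits = []
    for i, (ts, _lvl, where, msg) in enumerate(entries):
        if "NTLMSSP" in msg and "packet check failed" in msg:
            status = None
            for _, _, _, later in entries[i + 1:i + 4]:
                found = re.search(r"NT_STATUS_[A-Z_]+", later)
                if found:
                    status = found.group(0)
                    break
            hits.append({"time": ts, "where": where, "status": status})
    return hits

SAMPLE_SMBCONF = """\
[global]
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap ssl = no
    ldap passwd sync = yes
    #unix password sync = yes
"""
SAMPLE_LOG = """\
[2010/08/17 16:13:53.884482,  0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668,  0] rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
""" * 2  # the original post says the block appears twice

if __name__ == "__main__":
    for name, value in auth_settings_report(SAMPLE_SMBCONF).items():
        print("%-20s %s" % (name, value))
    for w in config_warnings(parse_smbconf(SAMPLE_SMBCONF)["global"]):
        print("WARNING:", w)
    for hit in find_ntlmssp_failures(SAMPLE_LOG):
        print(hit)
```

On the thread's own configuration the report shows all four auth parameters as unset and raises no warning, because the LDAP URL is loopback; point `auth_settings_report` at a real smb.conf (or at `testparm -s` output, which prints the same key = value layout) and `find_ntlmssp_failures` at /var/log/samba/log.smbd to get the same two answers for a live server.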