First of all, thanks a lot to John H Terpstra for his kind and useful help.
The problem was something quite simple, the password chat. It really needs
asterisks even at the beginning of each line.
For CentOS (Red-Hat), this works (notice the red asterisks):
password chat = *New*password* %n\n *Retype*password*
%n\n *updated*successfully*
This does not:
password chat = New*password* %n\n *Retype*password*
%n\n *updated*successfully*
This not either:
password chat = *New*password* %n\n Retype*password*
%n\n *updated*successfully*
Regards,
Arturo Limon
2009/3/26 Arturo Limon limonav...@gmail.com
Hello,
I have setup a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
CentOS included versión).
I have configured Samba as a PDC following Samba-3 by example chapter 3,
Secure Office Networking. No DNS or DHCP active, as far as for now this is
just a test environment.
Most of it works fine, but trying to change user passwords for a MS-Windows
test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
always get an Access Denied (Aceso denegado) error message. Connection from
MS-Windows computer is done as Administrator (root).
I have googled for hours, and the problem does not seem to be new, but no
advice has helped appart from NOT syncing Samba and Linux passwords, which I
do not want to do.
My smb.conf is as follows:
[global]
workgroup = MICASA
netbios name = TESTSERVER
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = tdbsam
unix password sync = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = New UNIX password:* %n\n Retype new UNIX
password:* %n\n passwd: all authentication to
username map = /etc/samba/smbusers
;syslog = 0
log file = /var/log/samba/%m
max log size = 150
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
.
(I do not think rest of smb.conf may be of efect in the problem)
/etc/pam.d/samba is as follows (just like CentOS install leaves it):
#%PAM-1.0
auth required pam_nologin.so
auth include system-auth
accountinclude system-auth
sessioninclude system-auth
password include system-auth
/etc/pam.d/system-auth is as follows (also like CentOS install leaves it):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired pam_env.so
authsufficientpam_unix.so nullok try_first_pass
authrequisite pam_succeed_if.so uid = 500 quiet
authrequired pam_deny.so
account required pam_unix.so
account sufficientpam_succeed_if.so uid 500 quiet
account required pam_permit.so
passwordrequisite pam_cracklib.so try_first_pass retry=3
passwordsufficientpam_unix.so md5 shadow nullok try_first_pass
use_authtok
passwordrequired pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
When trying to change password, messages are
From /var/log/samba/pc-prueba (pc-prueba is the name of the MS-Windows test
computer):
[2009/03/26 00:17:17, 1] smbd/service.c:make_connection_snum(1033)
pc-prueba (192.168.1.100) connect to service root initially as user root
(uid=0, gid=0) (pid 17133)
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_chauthtok(691)
PAM: UNKNOWN PAM ERROR (19) for User: arturo
[2009/03/26 00:17:55, 0] auth/pampass.c:smb_pam_passchange(847)
smb_pam_passchange: PAM: Password Change Failed for user arturo!
No error messages in smbd.log or nmbd.log.
I have tried with password chat debug = Yes and found no clue of what the
problem could be. Commenting out pam password change = Yes or changing it
to No have not helped. Only switching to No the Unix password sync.
I can't believe it does not work, I think something must be wrong
somewhere, or in what I am doing. I have spent several hours trying