Re: [Samba] Password Change from Windows machines ("You do not have permission to change your password")
For anyone else trying to get this to work, I should also add that a problem in the Ubuntu auth-client-config package was also giving me the same (misleading) error message. In /etc/pam.d/common-password, you must remove the "use_authtok" option on the pam_ldap.so line:

_Wrong:_

    password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

_Correct:_

    password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

This problem also resulted in the misleading "You do not have permission to change your password" error message. Between this and the problem below, I was pulling my hair out...

Thanks,
Derek

On 12/01/2009 12:26 AM, Derek Simkowiak wrote:
[Samba] Password Change from Windows machines ("You do not have permission to change your password")

Hello,

I just wasted several hours trying to figure out why I could not change Samba passwords from Windows XP computers. I'm posting here so that there is some form of documentation about this on the web.

My setup is basically this:

- Samba 3.3.2 (running under Ubuntu 9.04)
- OpenLDAP user database
- Full O.S. support for OpenLDAP auth, using nsswitch and PAM. (My client LDAP config was installed using *auth-client-config* as per https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html, plus some tweaking in /etc/smbldap-tools/.)

I can ssh into the box as a system user that exists only in LDAP (and not in /etc/passwd). I can also change my LDAP password at the bash prompt by typing "passwd" (via PAM), or smbldap-passwd, or smbpasswd. That all works as per the documentation.

The problem: I could not change my password from Windows boxen. They kept giving me "You do not have permission to change your password."

I found the solution by cranking up the log level to 10. I eventually found this golden snippet in all the noise:

    [2009/11/30 23:23:37, 4] auth/pampass.c:smb_pam_chauthtok(670)
      smb_pam_chauthtok: PAM: Password Change for User: dereks
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(284)
      smb_pam_passchange_conv: starting converstation for 1 messages
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(312)
      smb_pam_passchange_conv: Processing message 0
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(346)
      smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: New password:
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
      smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*enter new * password:*| to |New password:|
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
      smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*retype new * password:*| to |New password:|
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
      smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |*password updated successfully*| to |New password:|
    [2009/11/30 23:23:37, 10] auth/pampass.c:smb_pam_passchange_conv(352)
      smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match || to |New password:|
    [2009/11/30 23:23:37, 3] auth/pampass.c:smb_pam_passchange_conv(370)
      smb_pam_passchange_conv: Could not find reply for PAM prompt: New password:
    [2009/11/30 23:23:37, 0] auth/pampass.c:smb_pam_chauthtok(699)
      PAM: User not known to PAM
    [2009/11/30 23:23:37, 2] auth/pampass.c:smb_pam_error_handler(77)
      smb_pam_error_handler: PAM: Password Change Failed : User not known to the underlying authentication module
    [2009/11/30 23:23:37, 0] auth/pampass.c:smb_pam_passchange(861)
      smb_pam_passchange: PAM: Password Change Failed for user dereks!
    [2009/11/30 23:23:37, 4] auth/pampass.c:smb_pam_end(450)
      smb_pam_end: PAM: PAM_END OK.
    [2009/11/30 23:23:37, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2009/11/30 23:23:37, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
      pop_sec_ctx (4202, 513) - sec_ctx_stack_ndx = 1
    [2009/11/30 23:23:37, 5] rpc_server/srv_samr_nt.c:_samr_ChangePasswordUser2(1907)
      _samr_ChangePasswordUser2: 1907 samr_ChangePasswordUser2: struct samr_ChangePasswordUser2
        out: struct samr_ChangePasswordUser2
            result : NT_STATUS_ACCESS_DENIED

Here you can see that the "password chat" was attempting to communicate with PAM in a fashion similar to 'expect'. My "passwd chat" setting in /etc/samba/smb.conf was not correct, so the password change failed. The resulting error code "NT_STATUS_ACCESS_DENIED" caused Windows to print that useless "You do not have permission to change your password" dialog box, and sent me on a wild goose chase.

The comments in the smb.conf that come with Ubuntu say this:

    # For Unix password sync to work on a Debian GNU/Linux system, the following
    # parameters must be set (thanks to Ian Kahan < for
    # sending the correct chat script for the passwd program in Debian Sarge).
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

    # This boolean controls whether PAM will be used for password changes
    # when requested by an SMB client instead of the program listed in
    # 'passwd program'. The default is 'no'.
       pam password change = yes

My reading of these comments is that either "passwd program" with matching "passwd chat" will be used, or else "pam password change = yes" will be used. In my troubleshooting, I commented out either the first one (to use PAM), or else the latter one (to use /usr/bin/passwd with the chat setting). That interpretation was also consistent with all the Samba docs and forum postings I found online.

But, as shown in the logs above, the correct answer was "pam password change = yes"
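The log above shows Samba treating the "passwd chat" expect strings as wildcard patterns and trying each one against the PAM prompt "New password:" until none matches. The following Python emulation of that matching is an added example, not code from the post or from Samba (Samba's own implementation is in auth/pampass.c); it reproduces only the behaviour visible in the log (\s expanded to a space, case-insensitive `*`/`?` matching, first matching pair's reply sent with %n substituted). The prompt lists and the PAM-style chat string are constructed for the demo and are not the setting the post arrived at.

```python
"""Emulate Samba's "passwd chat" matching to show why a chat written for
/usr/bin/passwd cannot answer the PAM prompt "New password:".

Added example, not Samba code. Samba's real logic is in auth/pampass.c
(smb_pam_passchange_conv); this reproduces only what the log shows.
"""
import fnmatch
import re

# Escape sequences Samba accepts inside chat tokens.
_ESCAPES = {r"\s": " ", r"\n": "\n", r"\r": "\r", r"\t": "\t"}


def _special_char_sub(token: str) -> str:
    for esc, char in _ESCAPES.items():
        token = token.replace(esc, char)
    return token


def parse_passwd_chat(chat: str) -> list[tuple[str, str]]:
    """Split a 'passwd chat' value into (expect, reply) pairs.

    Tokens are whitespace separated (a "quoted" token may contain spaces);
    a lone '.' stands for an empty expect or an empty reply.  Expect strings
    are lower-cased, which is why the log prints |*enter new * password:*|.
    """
    tokens = [quoted or bare
              for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat)]
    if len(tokens) % 2:                      # dangling expect with no reply
        tokens.append(".")
    pairs = []
    for expect, reply in zip(tokens[0::2], tokens[1::2]):
        expect = "" if expect == "." else _special_char_sub(expect).lower()
        reply = "" if reply == "." else _special_char_sub(reply)
        pairs.append((expect, reply))
    return pairs


def wild_match(pattern: str, prompt: str) -> bool:
    """Case-insensitive '*'/'?' match (fnmatchcase also honours [...],
    which chat strings in practice never use)."""
    return fnmatch.fnmatchcase(prompt.lower(), pattern.lower())


def find_reply(pairs, prompt: str, new_pw: str, old_pw: str = ""):
    """Reply Samba would hand back for one PAM prompt, or None when no
    expect string matches: the "Could not find reply for PAM prompt" case,
    which surfaces to the client as NT_STATUS_ACCESS_DENIED."""
    for expect, reply in pairs:             # first match wins, so order matters
        if wild_match(expect, prompt):
            return reply.replace("%n", new_pw).replace("%o", old_pw).rstrip("\n")
    return None


def run_conversation(chat: str, prompts, new_pw: str, old_pw: str = ""):
    """Answer each prompt in turn; a None anywhere means the change fails."""
    pairs = parse_passwd_chat(chat)
    return [find_reply(pairs, p, new_pw, old_pw) for p in prompts]


# The Debian chat from the Ubuntu smb.conf comments quoted in the post.
DEBIAN_PASSWD_CHAT = (
    r"*Enter\snew\s*\spassword:* %n\n "
    r"*Retype\snew\s*\spassword:* %n\n "
    r"*password\supdated\ssuccessfully* ."
)
# A chat loose enough for PAM's wording (constructed for this demo, not the
# setting the post arrived at); the more specific expect goes first.
PAM_STYLE_CHAT = r"*Retype*new*password* %n\n *New*password* %n\n"

# Constructed prompt sequences: what /usr/bin/passwd prints on Debian/Ubuntu
# of that era, and what PAM says ("New password:" is exactly what the log shows).
PASSWD_PROMPTS = ["Enter new UNIX password:", "Retype new UNIX password:",
                  "passwd: password updated successfully"]
PAM_PROMPTS = ["New password:", "Retype new password:"]

if __name__ == "__main__":
    print("passwd(1) with Debian chat:",
          run_conversation(DEBIAN_PASSWD_CHAT, PASSWD_PROMPTS, "s3cret"))
    print("PAM with Debian chat:      ",
          run_conversation(DEBIAN_PASSWD_CHAT, PAM_PROMPTS, "s3cret"))
    print("PAM with PAM-style chat:   ",
          run_conversation(PAM_STYLE_CHAT, PAM_PROMPTS, "s3cret"))
```

Run stand-alone, the Debian chat answers all three passwd(1) prompts but returns None for both PAM prompts, because "*enter new * password:*" requires the literal text "enter new " and a space before "password:", neither of which PAM's "New password:" contains. The practical check is therefore: with "pam password change = yes", the expect strings must match PAM's prompts, not passwd(1)'s, and a log level of 10 shows the exact strings being compared.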