Re: [Samba] window, samba and ldap passwords
als nice to use.
http://ldapadmin.sourceforge.net/ ( for management from windows pc )
You can create your own plugins, which is pretty easy.

Louis

>-----Original message-----
>From: paik...@googlemail.com
>[mailto:samba-boun...@lists.samba.org] On behalf of Dermot
>Sent: 2011-08-23 14:10
>To: samba@lists.samba.org
>Subject: Re: [Samba] window, samba and ldap passwords
>
>>> remove : unix password sync = Yes
>>>
>>> and try again.
>>
>> I would like to avoid using smbldap-tools, did you manage to get it
>> working without it?
>>
>> Kind regards,
>> - --
>> Felipe Augusto van de Wiel
>
>
>The solution to that problem was to remove the unix password sync.
>
>As for user management tools, I got the srvtools from
>http://support.microsoft.com/kb/173673
>
>I take a look at LAM (http://www.ldap-account-manager.org/)
>
>and some of the other options listed here
>http://wiki.samba.org/index.php/Account_Management_Tools
>
>but I haven't really fired any in anger yet.
>HTH,
>Dermot.
Re: [Samba] window, samba and ldap passwords
>> remove : unix password sync = Yes
>>
>> and try again.
>
> I would like to avoid using smbldap-tools, did you manage to get it
> working without it?
>
> Kind regards,
> - --
> Felipe Augusto van de Wiel

The solution to that problem was to remove the unix password sync.

As for user management tools, I got the srvtools from
http://support.microsoft.com/kb/173673

I take a look at LAM (http://www.ldap-account-manager.org/)

and some of the other options listed here
http://wiki.samba.org/index.php/Account_Management_Tools

but I haven't really fired any in anger yet.
HTH,
Dermot.
Re: [Samba] window, samba and ldap passwords
On 16-08-2011 08:40, L.P.H. van Belle wrote:
> Hai,
>
> on your master, in smb.conf
>
> change these settings. ( im also running debian with
> pdc/bdc ldap master and multiple slaves through syncrepl )
>
> passwd program = /usr/sbin/smbldap-passwd "%u"
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> remove : unix password sync = Yes
>
> and try again.

I would like to avoid using smbldap-tools, did you manage to get it
working without it?

Kind regards,
--
Felipe Augusto van de Wiel
Information Technology (IT) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747
Re: [Samba] window, samba and ldap passwords
Thank you very much. That has fixed it. Brilliant.
Dp.

On 16 August 2011 12:40, L.P.H. van Belle wrote:
> Hai,
>
> on your master, in smb.conf
>
> change these settings. ( im also running debian with pdc/bdc ldap master and
> multiple slaves through syncrepl )
>
> passwd program = /usr/sbin/smbldap-passwd "%u"
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> remove : unix password sync = Yes
>
> and try again.
>
> Louis
Re: [Samba] window, samba and ldap passwords
Hai,

on your master, in smb.conf

change these settings. ( im also running debian with pdc/bdc ldap master and
multiple slaves through syncrepl )

passwd program = /usr/sbin/smbldap-passwd "%u"
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
remove : unix password sync = Yes

and try again.

Louis

>-----Original message-----
>From: paik...@googlemail.com
>[mailto:samba-boun...@lists.samba.org] On behalf of Dermot
>Sent: 2011-08-16 12:48
>To: samba@lists.samba.org
>Subject: [Samba] window, samba and ldap passwords
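Added example, not part of the original thread and not Samba project code: a small audit of the password-change settings discussed above, run against the relevant lines of the posted smb.conf before and after the suggested change. The check names, the `REMOTE` variant and the host `ldap.example.internal` are assumptions made for illustration; the parser ignores sections and line continuations.

```python
import re

# Constructed from the thread: password-related lines of the posted smb.conf
# (BEFORE) and the same lines after the change suggested in the reply (AFTER).
BEFORE = r"""
    passdb backend = ldapsam:ldap://127.0.0.1/
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    unix password sync = Yes
    ldap passwd sync = yes
    ldap ssl = no
"""
AFTER = r"""
    passdb backend = ldapsam:ldap://127.0.0.1/
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd "%u"
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    ldap passwd sync = yes
    ldap ssl = no
"""
# Hypothetical variant: the corrected settings, but the directory on another host.
REMOTE = AFTER.replace("127.0.0.1", "ldap.example.internal")

TRUE_WORDS = {"yes", "true", "on", "1"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_params(text):
    """Return {normalised name: value}; smbd ignores case and spaces in names."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params["".join(name.lower().split())] = value.strip()
    return params


def is_on(params, name):
    return params.get(name, "").lower() in TRUE_WORDS


def audit(text):
    """Return a list of (check id, explanation) for the password-change path."""
    p = parse_params(text)
    findings = []
    backend = p.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam"):
        return findings  # the checks below only concern an LDAP passdb

    if is_on(p, "unixpasswordsync"):
        if is_on(p, "ldappasswdsync"):
            findings.append((
                "redundant-unix-sync",
                "ldap passwd sync already updates the LDAP password with the "
                "NT/LM hashes; the thread's fix was to drop unix password sync"))
        if is_on(p, "pampasswordchange"):
            findings.append((
                "pam-change-path",
                "with pam password change enabled the Unix-side change goes "
                "through PAM (smb_pam_passchange in the posted log), not "
                "through passwd program / passwd chat"))

    # ldap ssl = no/off on a plain ldap:// URI means no StartTLS, so the
    # ldap admin dn bind is sent unencrypted unless the server is local.
    if p.get("ldapssl", "").lower() in {"no", "off"}:
        for m in re.finditer(r"(ldaps?)://(\[[^\]]+\]|[^/:\"\s]+)", backend):
            host = m.group(2).strip("[]").lower()
            if m.group(1) == "ldap" and host not in LOOPBACK:
                findings.append((
                    "cleartext-ldap",
                    "ldap ssl is off and %s is not loopback" % host))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("remote", REMOTE)):
        print(label, [check for check, _ in audit(conf)])
```
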
Re: [Samba] window, samba and ldap passwords
The master is a xenamd64 debian 5.0.6
samba is Version 3.5.6
ldap is 2.4.11 (installed via apt)
Dp.
Re: [Samba] window, samba and ldap passwords
On 16.08.2011 13:06, Dermot wrote:
> I have a stanza like this in the slapd.conf on the ldap master.
>
> # users can authenticate and change their password
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
>         by self write
>         by anonymous auth
>         by * none
>
> I have a lot of debug messages from ldap going into the logs but I
> can't any errors. I can't see any attempt at a password change in the
> log.
>
> I know that the ldap password had not changed either. What do you mean
> by dynamically configured ldap?
> Thanks,
> Dp.

which distro do you use?
Re: [Samba] window, samba and ldap passwords
I have a stanza like this in the slapd.conf on the ldap master.

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none

I have a lot of debug messages from ldap going into the logs but I
can't any errors. I can't see any attempt at a password change in the
log.

I know that the ldap password had not changed either. What do you mean
by dynamically configured ldap?
Thanks,
Dp.

On 16 August 2011 11:51, J. Echter wrote:
> Hi,
>
> afaik, you have to authenticate users to change NTpasswd and stuff like
> that.
>
> i have seen this example for slapd.conf
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>         by dn="cn=admin,dc=meinnetz,dc=xx" write
>         by anonymous auth
>         by self write
>         by * none
>
> but i don't know how to add it to dynamically configured ldap.
>
> cheers
>
> juergen
Re: [Samba] window, samba and ldap passwords
Hi,

afaik, you have to authenticate users to change NTpasswd and stuff like
that.

i have seen this example for slapd.conf

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=meinnetz,dc=xx" write
        by anonymous auth
        by self write
        by * none

but i don't know how to add it to dynamically configured ldap.

cheers

juergen
[Samba] window, samba and ldap passwords
Hi,

I recently migrated to a Samba3x domain. One issue that has been
reported to me is that XP users cannot change their password from
their PC. I have done some searching and I haven't seen a
straightforward answer to this.

My config is

ldap primary + Samba PDC on host A
ldap slave + samba BDC on host B

I see this error in the machine log when someone attempts to change
their password:

2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!

I have seen this article:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199
but I am not sure if it's appropriate for my environment. I suspect
the answer to this may be very dependent on my config.
Can anyone offer any advice?
Thanks in advance.
Dermot.

=== smb.conf on PDC ===

        dos charset = UTF-8
        display charset = UTF-8
        workgroup = FOO
        server string = %h server
        map to guest = Bad User
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139 445
        name resolve order = wins hosts bcast
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel '%u'
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon script = logon.bat
        logon path =
        logon drive = U:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Auto
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=Computers, ou=Users
        ldap passwd sync = yes
        ldap suffix = dc=mydomain,dc=co,dc=uk
        ldap ssl = no
        ldap timeout = 20
        ldap user suffix = ou=Users
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:"ldap://127.0.0.1/";
        idmap uid = 15000-2
        idmap gid = 15000-2
        map acl inherit = Yes
        case sensitive = No
        hide unreadable = Yes
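Added example, not part of the original post and not Samba project code: a parser for the two-line log records quoted above that pairs each failure with the PAM error reported for the same user and lists users with repeated failures inside a time window. The sample log is constructed from the excerpt with the leading bracket restored on the first header; the user `exampleuser`, the function names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpt quoted in the post:
# a bracketed header line followed by indented message lines.
SAMPLE_LOG = """\
[2011/08/16 10:04:11.137313,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:04:11.200891,  0] auth/pampass.c:705(smb_pam_chauthtok)
  PAM: UNKNOWN PAM ERROR (8) for User: kreuze
[2011/08/16 10:04:11.201002,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user kreuze!
[2011/08/16 10:09:40.000100,  0] auth/pampass.c:861(smb_pam_passchange)
  smb_pam_passchange: PAM: Password Change Failed for user exampleuser!
"""

# [date time.usec, level] source.c:line(function)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]\s+"
    r"(\S+?):(\d+)\((\w+)\)\s*$")
FAILED = re.compile(r"Password Change Failed for user (\S+?)!")
PAM_ERR = re.compile(r"PAM: (.+?) for User: (\S+)")


def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "source": m.group(3),
                "function": m.group(5),
                "message": "",
            }
            records.append(current)
        elif current is not None and line.strip():
            current["message"] += line.strip() + " "
    return records


def password_change_failures(text):
    """Return {user: {"times": [...], "pam_errors": {...}}}."""
    users = defaultdict(lambda: {"times": [], "pam_errors": set()})
    for rec in parse_records(text):
        if rec["function"] == "smb_pam_passchange":
            m = FAILED.search(rec["message"])
            if m:
                users[m.group(1)]["times"].append(rec["time"])
        elif rec["function"] == "smb_pam_chauthtok":
            m = PAM_ERR.search(rec["message"])
            if m:
                users[m.group(2)]["pam_errors"].add(m.group(1))
    return dict(users)


def repeated_failures(text, threshold=2, window_seconds=60):
    """Users with at least `threshold` failures inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    flagged = []
    for user, info in password_change_failures(text).items():
        times = sorted(info["times"])
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for user, info in sorted(password_change_failures(SAMPLE_LOG).items()):
        print(user, len(info["times"]), sorted(info["pam_errors"]))
    print("repeated:", repeated_failures(SAMPLE_LOG))
```
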