[Samba] Error: You do not have permission to change your password

From: Christopher Springer <cspringer_at_nospam>
Date: Wed Aug 18 2010 - 12:49:21 GMT

  I'm using Samba v3.5.4-62 on a Fedora 13 PDC with an LDAP passdb backend,
and I do the following...

1. Login as user on Windows system using domain user name and password
- Login successful
2. Press Ctrl-Alt-Del
3. Press Change Password
4. Enter old and new password as prompted
5. Receive response "You do not have permission to change your password."

The following appears twice in "/var/log/samba/log.smbd"...

[2010/08/17 16:13:53.884482, 0]
   NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592, 0]
   process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668, 0]
   process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

This was generated from a Windows NT4 client. The issue can also be
reproduced from Windows XP clients.

My smb.conf file on this system (PDC):

# NOTE(review): section headers ([global] and the share name) are not shown in
# this listing; the first part is presumably [global], the trailing share is
# presumably [netlogon] (its comment says "Network Logon Service") - confirm.
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
# Hostless ldap:// URI: the LDAP server is presumably localhost - confirm.
passdb backend = ldapsam:ldap://
enable privileges = yes
# Commented out here; Samba 3.x encrypts passwords by default, so this
# should be a no-op rather than the cause of the failure - confirm.
#encrypt passwords = yes
username map = /etc/samba/smbusers
printcap name = cups
# User/group/machine provisioning is delegated to the smbldap-tools; smbd
# runs these with root privileges on behalf of the remote caller.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# Path is relative to the netlogon share; every domain client runs this at
# logon, so that share must not be writable by unprivileged users.
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
# Only NetBIOS-over-TCP (139) is served; port 445 is not listened on.
smb ports = 139
#remote announce =
#remote browse sync =
#remote announce =
#remote browse sync =
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
# Binds as the directory manager; its password lives in Samba's secrets
# store (set with smbpasswd -w), so protect that file accordingly.
ldap admin dn = cn=Manager,dc=brcrp,dc=com
# With ldap ssl = no and an ldap:// URI, the bind credentials and password
# hashes travel unencrypted unless the LDAP server is on the same host;
# prefer ldapi:// or TLS if it is remote.
ldap ssl = no
# NOTE(review): with an ldapsam backend, "ldap passwd sync" (commented out
# here) is the usual way to keep userPassword in step with the SMB hashes;
# the "unix password sync" + smbldap-passwd path below may update the same
# LDAP entry a second time - confirm which one is intended.
#ldap passwd sync = yes
# On a password change smbd runs the passwd program as root and feeds it
# the new cleartext password via the chat script below.
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
#client lanman auth = yes
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
idmap backend = ldap:ldap://
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

# Share section (name not shown). Guest access is enabled and no
# "read only"/"writable" setting is listed; Samba's default is read-only,
# but confirm it, since clients execute the logon scripts served from here.
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No
