samba-users August 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Error: You do not have permission to ch

Re: [Samba] Error: You do not have permission to change your password

From: Daniel Müller <mueller_at_nospam>
Date: Wed Aug 18 2010 - 14:00:35 GMT
To: <gaiseric.vandal@gmail.com>, <samba@lists.samba.org>

You need
ldap passwd sync = yes
no unix password sync = yes

Then try to change it on your linux box.
-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Ursprüngliche Nachricht-----
Von: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org] Im
Auftrag von Gaiseric Vandal
Gesendet: Mittwoch, 18. August 2010 15:48
An: samba@lists.samba.org
Betreff: Re: [Samba] Error: You do not have permission to change your
password

I am pretty sure that the password command and script is run as root,
not as the user changing the password. What happens if you run the
password commands on the samba server? I don't have smbldap tools on
my system (Solaris, so not provided by the Sun distro) so I had to rely
on the OS password tools. By default, root is not going to have
sufficient privledges to change ldap passwords.

If you don't enable password sync, are you able to change your Windows
password?

On 08/18/2010 08:49 AM, Christopher Springer wrote:
> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
> and do the following...
>
> 1. Login as user on Windows system using domain user name and
> password - Login successful
> 2. Press Ctrl-Alt-Del
> 3. Press Change Password
> 4. Enter old and new password as prompted
> 5. Receive response "You do not have permission to change your
> password."
>
> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>
> [2010/08/17 16:13:53.884482, 0]
> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
> NTLMSSP NTLM1 packet check failed due to invalid signature!
> [2010/08/17 16:13:53.884592, 0]
> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
> process_request_pdu: failed to do auth processing.
> [2010/08/17 16:13:53.884668, 0]
> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>
> This was generated from a WindowsNT4 system. The issue can also be
> duplicated from Windows XP clients.
>
> My smb.conf file on this system (PDC):
>
> [global]
> log level = 1
> workgroup = CORPDOM
> netbios name = CORPPDC
> passdb backend = ldapsam:ldap://127.0.0.1
> enable privileges = yes
> #encrypt passwords = yes
> username map = /etc/samba/smbusers
> printcap name = cups
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> logon script = scripts/%U.bat
> logon path =
> logon drive =
> security = user
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> smb ports = 139
> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
> 10.20.0.255/CORPDOM
> #remote browse sync = 10.20.255.255 10.30.255.255
> #remote announce = 10.30.255.255
> #remote browse sync = 10.30.255.255
> ldap suffix = dc=brcrp,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=brcrp,dc=com
> ldap ssl = no
> #ldap passwd sync = yes
> unix password sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
> #client lanman auth = yes
> #unix password sync = yes
> #passwd program = /usr/sbin/smbldap-passwd -u %u
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> printing = cups
>
> [netlogon]
> comment = Network Logon Service
> path = /pub
> guest ok = Yes
> browseable = No

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba