
Re: [Samba] Error: You do not have permission to change your password

From: Christopher Springer <cspringer_at_nospam>
Date: Wed Aug 18 2010 - 14:05:22 GMT
To: samba@lists.samba.org

  Results of testing as requested -

[root@localhost ~]# smbldap-passwd kennyz
Changing UNIX and samba passwords for kennyz
New password: <enter pass>
Retype new password: <enter pass>

No errors returned. User is able to login with new password.

Commented out "unix password sync = yes". Still same result..."You do
not have permission to change your password."

Thank you for your help! We'll keep trying...

Chris

On 08/18/2010 09:48 AM, Gaiseric Vandal wrote:
> I am pretty sure that the password command and script is run as root,
> not as the user changing the password. What happens if you run the
> password commands on the samba server? I don't have smbldap tools on
> my system (Solaris, so not provided by the Sun distro) so I had to
> rely on the OS password tools. By default, root is not going to have
> sufficient privileges to change ldap passwords.
>
> If you don't enable password sync, are you able to change your Windows
> password?
>
>
> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>> and do the following...
>>
>> 1. Login as user on Windows system using domain user name and
>> password - Login successful
>> 2. Press Ctrl-Alt-Del
>> 3. Press Change Password
>> 4. Enter old and new password as prompted
>> 5. Receive response "You do not have permission to change your
>> password."
>>
>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>
>> [2010/08/17 16:13:53.884482, 0]
>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>> NTLMSSP NTLM1 packet check failed due to invalid signature!
>> [2010/08/17 16:13:53.884592, 0]
>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>> process_request_pdu: failed to do auth processing.
>> [2010/08/17 16:13:53.884668, 0]
>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>
>> This was generated from a WindowsNT4 system. The issue can also be
>> duplicated from Windows XP clients.
>>
>> My smb.conf file on this system (PDC):
>>
>> [global]
>> log level = 1
>> workgroup = CORPDOM
>> netbios name = CORPPDC
>> passdb backend = ldapsam:ldap://127.0.0.1
>> enable privileges = yes
>> #encrypt passwords = yes
>> username map = /etc/samba/smbusers
>> printcap name = cups
>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> logon script = scripts/%U.bat
>> logon path =
>> logon drive =
>> security = user
>> domain logons = Yes
>> os level = 35
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> smb ports = 139
>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
>> 10.20.0.255/CORPDOM
>> #remote browse sync = 10.20.255.255 10.30.255.255
>> #remote announce = 10.30.255.255
>> #remote browse sync = 10.30.255.255
>> ldap suffix = dc=brcrp,dc=com
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap idmap suffix = ou=Idmap
>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>> ldap ssl = no
>> #ldap passwd sync = yes
>> unix password sync = yes
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>> #client lanman auth = yes
>> #unix password sync = yes
>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> printing = cups
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /pub
>> guest ok = Yes
>> browseable = No
>

--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
cspringer@brcrp.com
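
The log.smbd excerpt quoted in this thread pairs an NTLMSSP signature failure with an RPC ACCESS_DENIED a fraction of a millisecond later. The following is an added example, not part of the original messages and not Samba code, that parses that log layout (including the mail-wrapped headers) and reports which signature failures were followed by a denial. The function names, the one-second correlation window and the last sample entry are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# "[timestamp, level] file.c:line(function)"; \s+ also spans a mail-wrapped line break.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s+"
                    r"\S+:\d+\((\w+)\)")

def parse_entries(text):
    """Split log text into entries; a message runs up to the next header."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
            "function": m.group(2),
            "message": " ".join(text[m.end():end].split()),
        })
    return entries

def signature_denials(entries, window=timedelta(seconds=1)):
    """Pair each signature failure with whether a denial follows within `window` (assumed)."""
    hits = []
    for i, e in enumerate(entries):
        if (e["function"] != "ntlmssp_check_packet"
                or "invalid signature" not in e["message"]):
            continue
        denied = any(
            later["function"] == "process_request_pdu"
            and "NT_STATUS_ACCESS_DENIED" in later["message"]
            and later["time"] - e["time"] <= window
            for later in entries[i + 1:])
        hits.append((e["time"], denied))
    return hits

# First three entries are as quoted in the thread; the last one is constructed.
SAMPLE = """\
[2010/08/17 16:13:53.884482, 0]
libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
NTLMSSP NTLM1 packet check failed due to invalid signature!
[2010/08/17 16:13:53.884592, 0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
process_request_pdu: failed to do auth processing.
[2010/08/17 16:13:53.884668, 0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
[2010/08/17 16:20:00.000001, 0] libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
  NTLMSSP NTLM1 packet check failed due to invalid signature!
"""
print(signature_denials(parse_entries(SAMPLE)))
```

A signature failure reported with `True` matches the pattern in the thread; one reported with `False` was not followed by a denial inside the window.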