samba-users August 2010 archive

Re: [Samba] Error: You do not have permission to change your password

From: Christopher Springer <cspringer_at_nospam>
Date: Wed Aug 18 2010 - 14:28:25 GMT
To: mueller@tropenklinik.de

  I did some additional testing...

It turns out that I was able to change the password successfully using...

smbldap-passwd kennyz

But then I tried changing with the -u option as follows...

smbldap-passwd -u kennyz

This did not return an error but it also apparently did not change the
user's password because I can't log in as the user now. I do not know
how to interpret this behaviour but I'm hoping it can give you guys a
clue as to what is truly the problem here.

Thanks.
-- Chris

On 08/18/2010 10:00 AM, Daniel Müller wrote:
> You need
> ldap passwd sync = yes
> no unix password sync = yes
>
> Then try to change it on your linux box.
> -----------------------------------------------
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller@tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org] On
> Behalf Of Gaiseric Vandal
> Sent: Wednesday, 18 August 2010 15:48
> To: samba@lists.samba.org
> Subject: Re: [Samba] Error: You do not have permission to change your
> password
>
> I am pretty sure that the password command and script is run as root,
> not as the user changing the password. What happens if you run the
> password commands on the samba server? I don't have smbldap tools on
> my system (Solaris, so not provided by the Sun distro) so I had to rely
> on the OS password tools. By default, root is not going to have
> sufficient privileges to change ldap passwords.
>
> If you don't enable password sync, are you able to change your Windows
> password?
>
>
> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>> and do the following...
>>
>> 1. Login as user on Windows system using domain user name and
>> password - Login successful
>> 2. Press Ctrl-Alt-Del
>> 3. Press Change Password
>> 4. Enter old and new password as prompted
>> 5. Receive response "You do not have permission to change your
>> password."
>>
>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>
>> [2010/08/17 16:13:53.884482, 0]
>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>> NTLMSSP NTLM1 packet check failed due to invalid signature!
>> [2010/08/17 16:13:53.884592, 0]
>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>> process_request_pdu: failed to do auth processing.
>> [2010/08/17 16:13:53.884668, 0]
>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>
>> This was generated from a WindowsNT4 system. The issue can also be
>> duplicated from Windows XP clients.
>>
>> My smb.conf file on this system (PDC):
>>
>> [global]
>> log level = 1
>> workgroup = CORPDOM
>> netbios name = CORPPDC
>> passdb backend = ldapsam:ldap://127.0.0.1
>> enable privileges = yes
>> #encrypt passwords = yes
>> username map = /etc/samba/smbusers
>> printcap name = cups
>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> logon script = scripts/%U.bat
>> logon path =
>> logon drive =
>> security = user
>> domain logons = Yes
>> os level = 35
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> smb ports = 139
>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
>> 10.20.0.255/CORPDOM
>> #remote browse sync = 10.20.255.255 10.30.255.255
>> #remote announce = 10.30.255.255
>> #remote browse sync = 10.30.255.255
>> ldap suffix = dc=brcrp,dc=com
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap idmap suffix = ou=Idmap
>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>> ldap ssl = no
>> #ldap passwd sync = yes
>> unix password sync = yes
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>> #client lanman auth = yes
>> #unix password sync = yes
>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> printing = cups
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /pub
>> guest ok = Yes
>> browseable = No

--
Christopher Springer
IS/IT Systems Administrator
BRC Rubber & Plastics, Inc
260-693-2171 x389
cspringer@brcrp.com

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
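
An added example, not part of the thread or of Samba itself: a small Python audit of the password-change settings in the [global] section quoted above, separating the active parameters from the commented-out alternates so it is clear which password path is actually in effect. The function names and the reduced sample are constructed for illustration; the `ldap passwd sync` check follows the suggestion in Daniel Müller's quoted reply.

```python
import re

# Constructed sample: password-related [global] lines from the quoted smb.conf.
SAMPLE = """\
[global]
passdb backend = ldapsam:ldap://127.0.0.1
#ldap passwd sync = yes
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password:*%n\\n*Retype*new*password:*%n\\n*
#unix password sync = yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
"""

def parse_global(text):
    """Split [global] into active and commented-out parameters."""
    active, commented, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        target = commented if line[0] in "#;" else active
        key, value = line.lstrip("#; ").split("=", 1)
        target[" ".join(key.lower().split())] = value.strip()
    return active, commented

def audit(text):
    """Return findings about how SMB password changes are propagated."""
    active, commented = parse_global(text)
    findings = []
    # smb.conf(5): with unix password sync = yes, passwd program is called as root.
    if active.get("unix password sync", "no").lower() in ("yes", "true", "1"):
        prog = active.get("passwd program", "")
        findings.append("passwd program is run as root on password change: " + prog)
        if "%n" not in active.get("passwd chat", ""):
            findings.append("passwd chat never sends the new password (%n)")
    ldapsam = active.get("passdb backend", "").lower().startswith("ldapsam")
    if ldapsam and "ldap passwd sync" not in active:
        hint = commented.get("ldap passwd sync")
        findings.append("ldap passwd sync not set (default: no)"
                        + (f"; commented-out value: {hint}" if hint else ""))
    for key, value in commented.items():
        if key in active and active[key] != value:
            findings.append(f"commented alternate for '{key}': {value}")
    return findings
```

Calling `audit(SAMPLE)` returns three findings for the posted configuration; `testparm -s` on the server remains the authoritative view of what smbd actually loads.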