samba-users August 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Error: You do not have permission to ch

Re: [Samba] Error: You do not have permission to change your password

From: Christopher Springer <cspringer_at_nospam>
Date: Wed Aug 18 2010 - 20:12:12 GMT
To: mueller@tropenklinik.de

  Well, I have a partially working configuration now...that is to say
that it DOES work for WinXP and later but it does NOT work for WinNT4
systems (2k not tested). I must've made a mistake in testing because
now it seems that the XP systems are able to change passwords just
fine. For the life of me I cannot get rid of the NTLM error messages
when trying to change passwords on a WinNT4 system. I'm also having
trouble figuring out what items in the Samba LDAP schema are still in
use and which ones should be controlled by other applications
(smbldap-usermod, pdbedit, etc). A good reference on deprecated LDAP
entries would be greatly appreciated! I realize I still need to change
the LDAP directory to use a separate user for replication, etc but I'm
trying to take small steps here :)

working smb.conf -

[global]
log level = 1
workgroup = CORPDOM
netbios name = CORPPDC
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts/%U.bat
logon path =
logon drive =
security = user
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
smb ports = 139
ldap suffix = dc=brcrp,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=brcrp,dc=com
ldap ssl = no
ldap passwd sync = yes
printing = cups

[netlogon]
comment = Network Logon Service
path = /pub
guest ok = Yes
browseable = No

working slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client
software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=brcrp,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=brcrp,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw *omitted*
#rootpw {SSHA}5v9AquZvm/9fhFMcetO072dGd2BX8C5Q

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# enable monitoring
# database monitor

# allow onlu rootdn to read the monitor
#access to *
# by dn.exact="cn=Manager,dc=brcrp,dc=com" write
# by * none
access to
attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
     by dn="cn=Manager,dc=brcrp,dc=com" write
     by self write
     by anonymous auth
     by * none
access to *
     by * read
#access to *
# by * write

I have this server also acting as the WINS server for our multi-site
environment over VPN. It seems to work pretty well. Setup is PDC w/BDC
(both LDAP) at corporate with remote BDC (replicated LDAP) and DHCP
server with netbios-name-server option.

Again, thanks all for your help!

Chris

On 08/18/2010 10:47 AM, Daniel Müller wrote:
> You only changed unix-password:
>
>
> tuepdc:~ # smbldap-passwd --help
> (c) Jerome Tournier - IDEALX 2004 (http://www.idealx.com)- Licensed under
> the GPL
> Usage: /usr/local/sbin/smbldap-passwd [options] [username]
> -h, -?, --help show this help message
> -s update only samba password
> -u update only UNIX password
>
> Just use smbldap-passwd USER
>
>
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller@tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Ursprüngliche Nachricht-----
> Von: Christopher Springer [mailto:cspringer@brcrp.com]
> Gesendet: Mittwoch, 18. August 2010 16:28
> An: mueller@tropenklinik.de
> Cc: gaiseric.vandal@gmail.com; samba@lists.samba.org
> Betreff: Re: [Samba] Error: You do not have permission to change your
> password
>
> I did some additional testing...
>
> It turns out that I was able to change the password successfully using...
>
> smbldap-passwd kennyz
>
> But then I tried changing with the -u option as follows...
>
> smbldap-passwd -u kennyz
>
> This did not return an error but it also apparently did not change the
> user's password because I can't login as the user now. I do not know
> how to interpret this behaviour but I'm hoping it can give you guys a
> clue as to what is truly the problem here.
>
> Thanks.
> --
> Chris
>
> On 08/18/2010 10:00 AM, Daniel Müller wrote:
>> You need
>> ldap passwd sync = yes
>> no unix password sync = yes
>>
>> Then try to change it on your linux box.
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller@tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>>
>> -----Ursprüngliche Nachricht-----
>> Von: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org]
> Im
>> Auftrag von Gaiseric Vandal
>> Gesendet: Mittwoch, 18. August 2010 15:48
>> An: samba@lists.samba.org
>> Betreff: Re: [Samba] Error: You do not have permission to change your
>> password
>>
>> I am pretty sure that the password command and script is run as root,
>> not as the user changing the password. What happens if you run the
>> password commands on the samba server? I don't have smbldap tools on
>> my system (Solaris, so not provided by the Sun distro) so I had to rely
>> on the OS password tools. By default, root is not going to have
>> sufficient privledges to change ldap passwords.
>>
>> If you don't enable password sync, are you able to change your Windows
>> password?
>>
>>
>> On 08/18/2010 08:49 AM, Christopher Springer wrote:
>>> I'm using Samba v3.5.4-62 on Fedora 13 PDC Using LDAP passdb backend
>>> and do the following...
>>>
>>> 1. Login as user on Windows system using domain user name and
>>> password - Login successful
>>> 2. Press Ctrl-Alt-Del
>>> 3. Press Change Password
>>> 4. Enter old and new password as prompted
>>> 5. Receive response "You do not have permission to change your
>>> password."
>>>
>>> I receive the following repeated twice in "/var/log/samba/log.smbd"...
>>>
>>> [2010/08/17 16:13:53.884482, 0]
>>> libsmb/ntlmssp_sign.c:222(ntlmssp_check_packet)
>>> NTLMSSP NTLM1 packet check failed due to invalid signature!
>>> [2010/08/17 16:13:53.884592, 0]
>>> rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
>>> process_request_pdu: failed to do auth processing.
>>> [2010/08/17 16:13:53.884668, 0]
>>> rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
>>> process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
>>>
>>> This was generated from a WindowsNT4 system. The issue can also be
>>> duplicated from Windows XP clients.
>>>
>>> My smb.conf file on this system (PDC):
>>>
>>> [global]
>>> log level = 1
>>> workgroup = CORPDOM
>>> netbios name = CORPPDC
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> enable privileges = yes
>>> #encrypt passwords = yes
>>> username map = /etc/samba/smbusers
>>> printcap name = cups
>>> add user script = /usr/sbin/smbldap-useradd -m '%u'
>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>> logon script = scripts/%U.bat
>>> logon path =
>>> logon drive =
>>> security = user
>>> domain logons = Yes
>>> os level = 35
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> smb ports = 139
>>> #remote announce = 10.30.0.254/CORPDOM 10.20.255.255/CORPDOM
>>> 10.20.0.255/CORPDOM
>>> #remote browse sync = 10.20.255.255 10.30.255.255
>>> #remote announce = 10.30.255.255
>>> #remote browse sync = 10.30.255.255
>>> ldap suffix = dc=brcrp,dc=com
>>> ldap machine suffix = ou=Computers
>>> ldap user suffix = ou=People
>>> ldap group suffix = ou=Group
>>> ldap idmap suffix = ou=Idmap
>>> ldap admin dn = cn=Manager,dc=brcrp,dc=com
>>> ldap ssl = no
>>> #ldap passwd sync = yes
>>> unix password sync = yes
>>> passwd program = /usr/sbin/smbldap-passwd %u
>>> passwd chat = *New*password:*%n\n*Retype*new*password:*%n\n*
>>> #client lanman auth = yes
>>> #unix password sync = yes
>>> #passwd program = /usr/sbin/smbldap-passwd -u %u
>>> idmap backend = ldap:ldap://127.0.0.1
>>> idmap uid = 15000-20000
>>> idmap gid = 15000-20000
>>> printing = cups
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /pub
>>> guest ok = Yes
>>> browseable = No

-- Christopher Springer IS/IT Systems Administrator BRC Rubber& Plastics, Inc 260-693-2171 x389 cspringer@brcrp.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba