
Re: [Samba] Unable to change Windows password on Samba BDC




In the BDC, take out:

	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	unix password sync = yes


add:

ldap passwd sync = yes
encrypt passwords = yes
update encrypted = Yes
unix password sync = no

Matt Anderson wrote:
Dear Help,

We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
(primary domain controller) and several as BDCs (Backup domain controllers) in
our branch offices located around the country.

At this point, the PDC is set up in our corporate office (where I'm located) and
users have no trouble authenticating (via logging into windows and accessing
shares) and also have no trouble changing passwords (either when they expire or
manually) through the Windows interface.

However, users located in the branch offices (where the BDCs are located)
have no trouble authenticating (via logging into windows and accessing shares)
BUT are unable to change their password through the Windows interface, getting
the error that "The system cannot change your password now because the domain
<name> is not available".  All clients are Windows XP with SP2 installed.

I have added (see below) the smb.conf for our PDC as well as the BDC that's
causing problems -- all BDCs basically have the exact same config.

I've tried raising the log level to 3 on the BDC that's not working properly,
but it turns out that trying to change the password doesn't generate ANY log.
However, I know that the domain is available since immediately before attempting
to change password I logged on to Windows using the domain...  I've poked around
various forums and newsgroups but haven't found anything that has stuck (or
particularly pertains to BDCs).  If anyone has ANY suggestions whatsoever, I'd
be glad to hear them!

Thanks,
Matt

======= PDC smb.conf (global section only) =============
[global]
	netbios name = ds-tem-1
	workgroup = DOMAIN
	server string = Samba PDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
	security = user
	log level = 3
	log file = /var/log/samba/%m.log
	max log size = 5000
	add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
	logon path =
	logon home =
	domain logons = Yes
	os level = 128
	preferred master = Yes
	domain master = Yes
	ldap admin dn = cn=name,o=organization
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap user suffix =
	ldap filter = (uid=%u)
	ldap suffix = o=organization
	ldap passwd sync = No
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins support = Yes
	encrypt passwords = Yes
	logon script = %U.bat
	map to guest = Bad User

======== BDC smb.conf (global section only) =========
[global]
	workgroup = DOMAIN
	server string = Samba BDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here"
	log level = 2
	log file = /var/log/samba/%m.log
	max log size = 1000
	logon path =
	logon home =
	domain logons = Yes
	domain master = No
	preferred master = Yes
	ldap admin dn = cn=name,o=organization
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap suffix = o=organization
	ldap passwd sync = No
	ldap filter = (uid=%u)
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	idmap backend = "ldaps://ip.goes.here ldaps://ip.goes.here"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins server = ip.of.PDC.here
	map to guest = Bad User

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
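
As an added example (not part of the thread and not Samba project code), this Python check reports which of the reply's take-out and add items are still pending in a BDC's [global] section. The function names and the sample excerpt are constructed for illustration; an absent parameter is treated as pending because the reply says to add it explicitly.

```python
import re

# Per the reply: parameters to take out of the BDC's [global] section,
# and the boolean values the section should end up with.
REMOVE = ("passwd program", "passwd chat")
WANT = {"ldap passwd sync": True, "encrypt passwords": True,
        "update encrypted": True, "unix password sync": False}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    params, section = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def as_bool(value):
    # smb.conf booleans: yes/no, true/false, 1/0 (case-insensitive)
    return {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}.get(value.lower())

def pending_changes(text):
    """List the reply's changes not yet applied (absent counts as pending)."""
    params = parse_global(text)
    todo = [f"remove: {n}" for n in REMOVE if norm(n) in params]
    for name, want in WANT.items():
        have = params.get(norm(name))
        if have is None or as_bool(have) is not want:
            todo.append(f"set: {name} = {'yes' if want else 'no'}")
    return todo

# Constructed sample: password-related lines from the BDC config in the thread.
SAMPLE_BDC = r"""[global]
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
"""
if __name__ == "__main__":
    print("\n".join(pending_changes(SAMPLE_BDC)))
```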