This is a discussion on Re: [Samba] changing passwords from Windows XP Pro workstations - Samba ; Craig White wrote: >On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: > > >>Back to square 1! I stripped out my unsuccessful attempts to get Samba >>working with LDAP on my Debian Sarge server and am back with a ...
Craig White wrote:
>On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
>>Back to square 1! I stripped out my unsuccessful attempts to get Samba
>>working with LDAP on my Debian Sarge server and am back with a tdbsam
>>backend. I actually tried to purge as much of the old Samba & LDAP as I
>>could then reinstalled fresh. This included removing the Windows groups
>>and users and even the old tdbsam data.
>>Unfortunately, I'm back where I started - users can't change their own
>>passwords using the Windows password change dialogue. Their system will
>>go away for a very long time (more than 15 minutes) then silently fail
>>to change the password.
>>For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian)
>>on a 2.6.8 kernel. This should mean that this is NOT the old Windows
>>security patch issue.
>>I've attached my smb.conf (minus the shares definitions) if that helps.
>>Also, for what it's worth, the user accounts are all in Domain Users and
>>users. All but mine use /bin/false as the login shell (but none of us
>>can change passwords). My account is also in Domain Admins - and I can
>>add machine accounts with it.
>>Any ideas anyone?
>I kept my mouth shut because you were following someone's step by step
>and not the samba official documentation.
>If you want to follow the Samba By Example, methodology, you will
>probably find a lot more people willing to help.
>Changing passwords seems to only require that samba, smbldap-tools be
>properly configured for your ldap setup and a script referenced in your
>The smb.conf you attached of course has nothing to do with LDAP and it
>isn't clear what you are trying to do.
>I would suggest that you familiarize yourself with the Samba By Example
>book (dead tree form) or pdf or html from the samba.org web site and
>figure out what you are trying to do so someone could actually help.
I've followed the Samba by example in this case. It was not very
helpful. Between the typos, omissions, errors, and general lack of
content, it's hard to get anything to work following it. Sorry to be so
negative about it, but it seems to assume that if you just install the
packages, things work.
Now a plain vanilla Debian Sarge system is hardly esoteric, but my
experience has been that things only work if you are doing a virgin
setup. In my case, Samba was originally vampired from my old W2K server
and I've always had the password problem. Trying to install LDAP on a
system that previously had a not-quite-working tdbsam backend also isn't
something that the howto writers seem to have tried.
The other howto I followed was one of several that were written
specifically for people trying to get Samba+LDAP to work on a Debian
system. After several days of trying to get it to work, even following
idealx.org's howto, it still wouldn't. So I ripped everything out and
went back to a basic Samba setup without LDAP. And now I'm back to the
same old problem I had before - users can't change their passwords.
And yes, my current setup was following the Samba by Example - html
form. I also have the dead-tree Samba Howto collection. According to
them, I have a working system.
The basic "by example" says in some very elegant story telling, after
assuming that you have Samba installed, to smbpasswd -a root, map the
Administrator account to it, add some groupmaps, stir in some users and
voila, everything works. My setup passes the validation and the
troubleshooting. It works, except that it doesn't.
Again, I'll admit that this probably does work on a fresh system. I've
set up Samba PDCs from scratch before without problems. However, it
doesn't seem to want to work on this existing server, even after I
sacrificed my old accounts vampired from W2K to try to get this working.
I shouldn't have to rebuild my entire server just to be able to change
Finally, you need to recognize that Debian does things its way. It has
installation scripts that ask you questions up front and put the answers
in multiple files scattered across your system. Samba by Example doesn't
actually tell you what to put where or why. In fact, it's actually
difficult to tell exactly which program or file you need to be using at
any given moment. We're not all Samba developers, after all. SWAT,
smbpasswd, pdbedit, etc. all seem to do the similar things but heaven
help the poor user who's trying to find out when or why you should use
one over the other.
What I'm basically trying to say is you can't assume that everyone is
going to get to place by a particular route. Debian howtos are useful
for those of us with Debian-based systems because they give Debian
package names and follow Debian installation dialogues. If there is
something in the howto that you think is wrong or missing, then identify
it. It's not as if the "official" Samba documentation is all
encompassing and perfect. I've had to consult a couple of dozen
different guides in trying to get LDAP working. The official Samba ones
were less detailed and less informative than many of the others. And the
By Example guides spend far too much time in narrative and talking about
other software. Plus it's too Red Hat specific. A lot of the stuff it
tells you to do isn't right for Debian.
Do you have any suggestions other than rebuilding my entire server?
Under what conditions can a password change fail that doesn't
(apparently) affect other Samba services?
To unsubscribe from this list go to the following URL and read the