On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote:
> Craig White wrote:
> >On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote:
> >
> >
> >>Back to square 1! I stripped out my unsuccessful attempts to get Samba
> >>working with LDAP on my Debian Sarge server and am back with a tdbsam
> >>backend. I actually tried to purge as much of the old Samba & LDAP as I
> >>could then reinstalled fresh. This included removing the Windows groups
> >>and users and even the old tdbsam data.
> >>
> >>Unfortunately, I'm back where I started - users can't change their own
> >>passwords using the Windows password change dialogue. Their system will
> >>go away for a very long time (more than 15 minutes) then silently fail
> >>to change the password.
> >>
> >>For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian)
> >>on a 2.6.8 kernel. This should mean that this is NOT the old Windows
> >>security patch issue.
> >>
> >>I've attached my smb.conf (minus the shares definitions) if that helps.
> >>
> >>Also, for what it's worth, the user accounts are all in Domain Users and
> >>users. All but mine use /bin/false as the login shell (but none of us
> >>can change passwords). My account is also in Domain Admins - and I can
> >>add machine accounts with it.
> >>
> >>Any ideas anyone?
> >>
> >>

> >----
> >I kept my mouth shut because you were following someone's step by step
> >and not the samba official documentation.
> >
> >If you want to follow the Samba By Example methodology, you will
> >probably find a lot more people willing to help.
> >
> >Changing passwords seems to only require that samba, smbldap-tools be
> >properly configured for your ldap setup and a script referenced in your
> >smb.conf
> >
> >The smb.conf you attached of course has nothing to do with LDAP and it
> >isn't clear what you are trying to do.
> >
> >I would suggest that you familiarize yourself with the Samba By Example
> >book (dead tree form) or pdf or html from the samba.org web site and
> >figure out what you are trying to do so someone could actually help.
> >
> >Craig
> >
> >
> >
> >

> I've followed the Samba by example in this case. It was not very
> helpful. Between the typos, omissions, errors, and general lack of
> content, it's hard to get anything to work following it. Sorry to be so
> negative about it, but it seems to assume that if you just install the
> packages, things work.
>
> Now a plain vanilla Debian Sarge system is hardly esoteric, but my
> experience has been that things only work if you are doing a virgin
> setup. In my case, Samba was originally vampired from my old W2K server
> and I've always had the password problem. Trying to install LDAP on a
> system that previously had a not-quite-working tdbsam backend also isn't
> something that the howto writers seem to have tried.
>
> The other howto I followed was one of several that were written
> specifically for people trying to get Samba+LDAP to work on a Debian
> system. After several days of trying to get it to work, even following
> idealx.org's howto, it still wouldn't. So I ripped everything out and
> went back to a basic Samba setup without LDAP. And now I'm back to the
> same old problem I had before - users can't change their passwords.
>
> And yes, my current setup was following the Samba by Example - html
> form. I also have the dead-tree Samba Howto collection. According to
> them, I have a working system.
>
> The basic "by example" says in some very elegant story telling, after
> assuming that you have Samba installed, to smbpasswd -a root, map the
> Administrator account to it, add some groupmaps, stir in some users and
> voila, everything works. My setup passes the validation and the
> troubleshooting. It works, except that it doesn't.
>
> Again, I'll admit that this probably does work on a fresh system. I've
> set up Samba PDCs from scratch before without problems. However, it
> doesn't seem to want to work on this existing server, even after I
> sacrificed my old accounts vampired from W2K to try to get this working.
> I shouldn't have to rebuild my entire server just to be able to change
> passwords!
>
> Finally, you need to recognize that Debian does things its way. It has
> installation scripts that ask you questions up front and put the answers
> in multiple files scattered across your system. Samba by Example doesn't
> actually tell you what to put where or why. In fact, it's actually
> difficult to tell exactly which program or file you need to be using at
> any given moment. We're not all Samba developers, after all. SWAT,
> smbpasswd, pdbedit, etc. all seem to do similar things but heaven
> help the poor user who's trying to find out when or why you should use
> one over the other.
>
> What I'm basically trying to say is you can't assume that everyone is
> going to get to place by a particular route. Debian howtos are useful
> for those of us with Debian-based systems because they give Debian
> package names and follow Debian installation dialogues. If there is
> something in the howto that you think is wrong or missing, then identify
> it. It's not as if the "official" Samba documentation is all
> encompassing and perfect. I've had to consult a couple of dozen
> different guides in trying to get LDAP working. The official Samba ones
> were less detailed and less informative than many of the others. And the
> By Example guides spend far too much time in narrative and talking about
> other software. Plus it's too Red Hat specific. A lot of the stuff it
> tells you to do isn't right for Debian.
>
> Rant off.
>
> Do you have any suggestions other than rebuilding my entire server?
> Under what conditions can a password change fail that doesn't
> (apparently) affect other Samba services?

#1 - you are asking general questions and posting general issues which
can only at best get general answers. If you have a specific issue, you
have to ask a specific question. That is how this thing works.

As for your question about changing passwords...you give neither the
context of how you are trying to change the password (the methodology),
what you expect to happen and what is happening except in the most
general way. You offer not a single piece of logs, don't mention that
you checked the logs, in fact, don't give the slightest impression that
you know what logs do and how they work.

The point is...focus your problem to as simple a question that you can
ask and ask it. If you go more than 3 paragraphs, the likelihood of
getting an answer drops a lot. Specific questions get specific answers.

#2 - The official samba documentation is what it is. It is what you and
I make it and I know that JHT is gonna say, if there is something wrong
with the documentation, please let him know what it is and he is only
too glad to fix it.

My personal impression of the samba documentation is that it is far and
away the best documentation for any open source project that I have ever
used. Is it perfect...probably not, but probably close. Does it
anticipate all the things that you could possibly do wrong and then tell
you how to fix them - no probably not.

#3 - When I did my first migration from NT4 to Samba 3 (it was samba
3.0.0) and I remember it clearly because I was trying to learn how to
use LDAP at the same time. It was a nightmare and I'm sure the archives
showed I asked a lot of questions that evidenced the fact that I didn't
understand what I was doing. I put off the migration for a week until I
grasped LDAP first and then the integration with samba and the vampire
migration went a whole lot smoother. Still, I ended up doing the vampire
probably about 15 times because I wanted to get it right up front
because fixing it later was likely to be a bitch.

#4 - I recognize your frustration and general lack of patience with
this...might I suggest that you take a few days off and work on
something else while you get a breather, let go of your frustration and
can approach this with less of an attitude. I have to do this all the
time - in fact, I have learned to almost institutionalize the process
when I am learning something new because if I sit and keep pounding on
it, I am not likely to see what I am doing wrong.

Consider this - samba works - it works for thousands if not millions of

I use LDAP everywhere since I learned how to get it done...I use it even
on very small offices. I actually have 1 client that still does use tdb
and I don't think that they ever change their passwords but if you are
patient, I will try to change a users password via Windows which I
surmise is what you are attempting to do.

In the meantime, perhaps you want to get specific with what you are
trying to do, what you expect to happen, what does happen, and what the
logs say - perhaps you have to increase the log level to get a better
picture. Perhaps someone else with great knowledge of samba PDC's with
tdb passdb can answer what your issue is.

