--===============0902853286==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="=-KIND9aA01J9bxah0SQz7"


--=-KIND9aA01J9bxah0SQz7
Content-Type: multipart/mixed; boundary="=-6xJlpXo+/EV4bu2Bkh2P"


--=-6xJlpXo+/EV4bu2Bkh2P
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

A note on the password sync issue. Someone more knowledgeable correct
me if I'm wrong.

When using the password syncing feature, the password must be changed
using the smbpasswd program on the pdc. The reason being that using the
dialog from a windows client sends the updated password to the pdc as a
pre-hashed value. The pdc never sees the clear text password...just
like it doesn't during authentication. (This is a good thing.) When
using smbpasswd, the smbpasswd binary actually has the clear text
password to work with. It first attempts to update the unix password
and only proceeds to change the samba password if the unix change was a
success.

So, in my implementation, I've done the following to allow clients to
change their passwords (unix + samba) from the windows machine. It's
clumsy (requires original password twice) and is text based (a linux
login) rather than a pretty gui, but it does keep the passwords the same
from the windows client.

Step 1: Disable the password change buttons via policy, registry hack,
etc.

Step 2:
I have a perl script that sets up a custom session (passwd) in putty,
stuffs in the key for the password changing server (yes, this isn't
ideal, keys are meant to be validated for a reason) and then launches
putty, calling the custom session. The user sees a putty window pop up
asking for their password. Once authenticated, I present some text, and
then drive smbpasswd on the Linux side. If you didn't need to present
any custom text, you could simply drive smbpasswd directly...I keep this
script on a shared drive, and can therefore update the servers key very
easily if it changes for some reason.

I've attached my script. I hope someone else can make use of it.

If I'm way off on my assessment of the different password changing
methods (gui vs smbpasswd) and there is a way to do this from the gui,
I'd appreciate someone letting me know.

Thanks
-Ben

On Thu, 2006-03-30 at 14:31 -0500, Gary Dale wrote:
> simo wrote:
>=20
> >On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote:
> > =20
> >
> >>-----------------------------------
> >>
> >>OK, the logs aren't quite silent. Here's one when I tried to change my=20
> >>password from a workstation (the log fragment is from=20
> >>samba/log. - log.nmbd and log.smbd are silent for the=20
> >>period). This time it came back with "you do not have permission to=20
> >>change your password" after only a few seconds. The other passwords I'v=

e=20
> >>been trying to change (and this password in previous attempts) have gon=

e=20
> >>away for more than 15 minutes before the dialogue box closed (without=20
> >>changing the password):
> >>
> >> =20
> >>

> >
> >Log level 0 is not that useful, you may raise it to 3 or 5 and see what
> >error is returned on a password change.
> >
> >...
> >
> >Anyway, for some masochistic reason I took the time to go back and see
> >your recent postings and ... well man, you really need to take a breath.
> >
> >All your attempts to set up samba with LDAP have failed just because you
> >do not understand the openLdap ACL model and, more simply, you failed to
> >do basic things like defining the same dn as ldap manager in slapd.conf
> >and smb.conf (as the documentation clearly states).
> >
> >Anyway you got back to tdbsam, fine, it is the simpler option.
> >
> >Now can you check the smb.conf you posted earlier today and:
> >
> >1. Raise the log level
> >
> >2. comment out "password program", "password chat" and "unix password
> >sync" so that we are sure they are not set up wrongly
> >
> >3. tell me how "add group script" and "add user to group script" can
> >possibly ever work (unless the text of the conf has been mangled the
> >first misses the only meaningful parameter which is the group name and
> >the second has a wild back tick ...)
> >
> >And then also "invalid users" and "admin users" are in conflict about
> >root and printing is set to cups yet you try to define a mysterious "lpq
> >command =3D %p"
> >
> >
> >
> >I agree that one not need to be a developer to set up things, but at
> >least, please, check carefully the configuration file AND the logs
> >before shouting against the hard work of other people and claiming the
> >documentation is wrong.
> >
> >Simo.
> >
> > =20
> >

> Thanks Simo. It really is better to light one candle than to curse the=20
> darkness!
>=20
> re. 1) At various times I did have admin in both files and at others it=20
> was samba in both. That didn't work either.
>=20
> re. 2) my current problem: your suggestion #2 worked. When "unix passwd=20
> synch" is commented out, I was able to change my Samba password. When it=20
> was set to "Yes", the password synch took forever, then failed silently.=20
> It looks like there is an issue with changing the Unix/Linux password=20
> that I have to resolve. It appears also that Windows may be waiting for=20
> a response such as is included in the passwd chat in By Example's=20
> "Example 3.4. 130 User Network with //tdbsam// [globals] Section". When=20
> I included the response, the Windows dialogue failed fairly quickly.
>=20
> Possibly (probably) it an issue with the group script problems you=20
> identified. I'll work on it.
>=20
> Also, I never said the documentation was wrong, just not perfect. I also=20
> said I don't personally like the style it's written in. RTFM is rarely a=20
> useful response to anything except the most basic problems.
>=20
> Anyway, as proof that even bright and knowledgeable people miss things,=20
> your suggestions have got me further than my previous exchange with=20
> Jeremy Allison.
>=20
> I'm not going to send you the log file since I gather that people here=20
> have lost interest in my postings (I have a keen grasp of the obvious,=20
> to borrow a phrase Gary Trudeau used a few decades ago). Besides, you=20
> and Craig have given me enough help to follow through myself.
>=20
> So again thanks. Much appreciated!

--=20
Ben Walton
Systems Programmer
Office of Planning & IT
Faculty of Arts & Science
University of Toronto
Cell: 416.407.5610
PGP Key Id: 8E89F6D2

--=-6xJlpXo+/EV4bu2Bkh2P--

--=-KIND9aA01J9bxah0SQz7
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBELDVH8vuMHY6J9tIRAlrXAJ9DaqzLrB17hNavMmSbxb ur7RJdCwCfcKrV
XGUwHRJl4zJPDDRJTQoPDDk=
=4lkr
-----END PGP SIGNATURE-----

--=-KIND9aA01J9bxah0SQz7--


--===============0902853286==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--===============0902853286==--