
Passwort ändern unter Windows

hauih

Newbie
Hallo habe einen Suse Linux9.1 mit Samba3 als PDC laufen.
Ich habe Benutzer angelegt und Rechner in die Domäne eingefügt; das klappt alles ohne Problem.
Wenn nun ein Benutzer sein Anmeldekennwort unter Windows mit Strg+Alt+Entf ändern will, kommt immer eine Meldung, dass er nicht die Berechtigung dazu hat.
Ich finde nicht heraus, woran das liegen kann.

Hier meine Configfiles:
smb.conf:
# Samba config file created by haui
# from 0.0.0.0 (0.0.0.0)
# Date: 2005/12/14 15:19:40

# Global parameters
[global]

########Identifikation des Servers und der Arbeitsgruppe
# Domain/workgroup this PDC serves and the NetBIOS name clients address it by.
workgroup = weinberger
netbios name = PDC-SRV
server string = SAMBA-LDAP PDC Server

########Drucker
# NOTE(review): "printig" is not a known smb.conf parameter ("printing" was
# probably meant); both lines are commented out, so they have no effect.
# printig = cups
# printig name = cups

########Performance Einstellungen
# "debug level" is a synonym of "log level" (set again below with the same value).
debug level = 0
# read size = 1024
# minutes of inactivity before an idle client connection is dropped
deadtime = 15
oplocks = yes
fake oplocks = no
getwd cache = yes
socket options = TCP_NODELAY
#socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_RCVBUF=16384 SO_SNDBUF=16384
# NOTE(review): "interfaces" is commented out, so "bind interfaces only" has no
# explicit list to restrict to; confirm smbd/nmbd listen only where intended
# (the working version of this file further down sets "interfaces" explicitly).
# interfaces = 127.0.0.1, eth0
bind interfaces only = Yes

########Die Log-Files für Samba
log level = 0
# one log file per client machine (%m = client NetBIOS name)
log file = /var/log/samba/log.%m
# in KiB; the log is rotated once it grows past this
max log size = 5000

########Definition des PDC
# Browser-election settings: this host should always win and be domain master.
local master = yes
os level = 65
domain master = yes
preferred master = yes
# accept NT domain logons, i.e. this Samba is the PDC
domain logons = Yes
security = user
# password sync = no

# reject accounts that have an empty password
null passwords = no
# do not list files the connecting user cannot read
hide unreadable = yes


########Datenbank zugriff

# Accounts live in LDAP. "ldap ssl = no" below makes this connection cleartext,
# including the bind as "ldap admin dn", so the LDAP host should be local or on
# a trusted segment — presumably it is the same machine as ldap.conf's 127.0.0.1,
# TODO confirm.
passdb backend = ldapsam:ldap://192.168.10.111

# DN smbd binds as for all account reads and writes (its password is stored
# separately via "smbpasswd -w"). Password changes need write access to
# userPassword/sambaNTPassword/sambaLMPassword for this DN; here it is the
# slapd rootdn, which bypasses ACLs entirely.
ldap admin dn = cn=Manager,dc=weinberger,dc=de
ldap suffix = dc=weinberger,dc=de
# NOTE(review): the ldap.conf below searches ou=Users / ou=Computers / ou=Group
# for NSS; confirm both sides point at the OUs the accounts actually live in.
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups

ldap ssl = no
# uid/gid ranges for winbind's id mapping (only relevant if winbindd runs)
winbind uid = 1000-2000
winbind gid = 1000-2000

# also rewrite userPassword in LDAP when the NT password changes, so the Unix
# and Windows passwords stay in sync; requires write access to userPassword
# for the ldap admin dn
ldap passwd sync = yes

load printers = No
# unknown usernames are mapped to the guest account; a known user with a wrong
# password is still rejected
map to guest = Bad User
printer admin = @ntadmin, root, administrator

# these users act as root on every share — keep this list minimal
admin users = root, admin


########User login
# logon script relative to the [netlogon] share, one per user (%U)
logon script = %U.login.bat
# roaming-profile location; %N is the NIS home server, i.e. this server's own
# name when NIS is not used. Note this goes through the [home] share, not
# [profiles].
logon path = \\%N\home\profile

## nächste Zeile nur für WIN9x/Me
logon home = \\%N\home
logon drive = H:


# Logon scripts (see "logon script" in [global]); every client fetches its
# script from here at domain logon, so write access here means code execution
# on every workstation — keep the write list tight.
[netlogon]
path = /home/samba/netlogon
browseable = no
# NOTE(review): "ntadmin" without a "+"/"@" prefix names a single user, not the
# ntadmin group used in "printer admin"; confirm which is intended.
write list = ntadmin
read only = yes

# Roaming-profile store, one directory per user. "logon path" in [global]
# points at \\%N\home\profile, i.e. through [home], so this share may be unused.
[profiles]
path = /home/%U/profile
# NOTE(review): guest access to a profile share is unusual; the 0700 modes
# below keep other users out at the filesystem level, but "guest ok = no"
# would be the safer default here.
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
preserve case = no
browseable = no
# owner-only permissions for everything created here
create mask = 0700
force create mode = 0700
force security mode = 0700
directory mask = 0700
force directory mode = 0700
force directory security mode = 0700
# present ownership/ACLs the way Windows expects for roaming profiles
profile acls = yes
writeable = yes

###### Verzeichnisse auf Server Daten1

# Per-user home directory; only the connecting user (%U) may open it.
[home]
comment = Home Directories
valid users = %U
path = /home/%U
read only = No
# rwxrwx---: group may access, others get nothing
create mask = 0770
directory mask = 0770
browseable = No

# Group share: "+user" members read, "+fertigun" members write (a user in both
# "read list" and "write list" gets write access). root/admin are repeated as
# "admin users" although [global] already makes them root on every share.
[fertigung]
comment = Fertigungsdaten
path = /fertigung
read only = no
valid users = root,admin,+fertigun,+user
read list = +user,+fertigun
# every connection acts with this Unix group, so files stay group-owned
force group = fertigun
write list = +fertigun
# 02774 = setgid + rwxrwxr--: group full access, others read only
force create mode = 02774
force directory mode = 02774
# keep the quota bookkeeping files out of listings
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" expects a DFS target path, not a boolean; "no"
# should be inert unless "host msdfs" is enabled, but is better removed.
msdfs proxy = no
# which permission bits Windows ACL edits may change
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Group share: "+user" members read, "+scpro" and "+Domainadmin" members write
# (write list wins for users in both lists). Files created by Domainadmin
# members still get group "scpro" because of "force group".
[scpro]
comment = Orgfiles & SCPro
path = /scpro
read only = no
valid users = root,admin,+scpro,+Domainadmin,+user
read list = +user,+scpro
force group = scpro
write list = +scpro,+Domainadmin
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin

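# Restricted group share: only root, admin and members of "entwickl" may
# connect (no "+user" here, unlike the other shares); "entwickl" members write.
# "read list" now names the same group as "force group" and "write list" — the
# posted file had "+entwick", a group name used nowhere else in this setup.
[entwicklung]
comment = Entwicklung
path = /entwicklung
read only = no
valid users = root,admin,+entwickl
# a user in both "read list" and "write list" gets write access
read list = +entwickl
# every connection acts with this Unix group, so files stay group-owned
force group = entwickl
write list = +entwickl
# 02774 = setgid + rwxrwxr--: group full access, others read only
force create mode = 02774
force directory mode = 02774
# keep the quota bookkeeping files out of listings
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
# which permission bits Windows ACL edits may change
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin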

# Group share: "+user" members read, "+service" members write (write list wins
# for users in both lists); root/admin repeated although [global] covers them.
[service]
comment = Service und Support
path = /service
read only = no
valid users = root,admin,+service,+user
read list = +user,+service
# every connection acts with this Unix group
force group = service
write list = +service
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Group share: "+user" members read, "+software" members write (write list wins
# for users in both lists); root/admin repeated although [global] covers them.
[software]
comment = Software
path = /software
read only = no
valid users = root,admin,+software,+user
read list = +user,+software
# every connection acts with this Unix group
force group = software
write list = +software
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Group share: "+user" members read, "+einkauf" members write (write list wins
# for users in both lists); root/admin repeated although [global] covers them.
[einkauf]
comment = Einkauf und Beschaffung
path = /einkauf
read only = no
valid users = root,admin,+einkauf,+user
read list = +user,+einkauf
# every connection acts with this Unix group
force group = einkauf
write list = +einkauf
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Per-user mail folders (path contains %U). Every "+user" member gets write
# access to their own directory. Because "force group = user" and the 02774
# modes make everything group-readable by the group all users share, anything
# else that exposes /mail (a shell login, another share) would make one user's
# folders readable to the others — TODO confirm the on-disk permissions of
# /mail itself.
[mail]
comment = Mail-folders
path = /mail/%U
read only = no
valid users = root, +user
write list = +user
read list = +user
force group = user
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774

#######Verzeichnisse auf Server Daten2

# Group share: "+user" members read; "+vertrieb" and "+marketing" members
# write. Files written by marketing members still get group "vertrieb" because
# of "force group".
[bildarchiv]
comment = Bildarchiv
path = /mnt/bildarchiv
read only = no
valid users = root,admin,+vertrieb,+marketing,+user
read list = +user
force group = vertrieb
write list = +vertrieb,+marketing
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin

# Restricted share: only root, admin and "+chefs" members may connect; hidden
# from browse lists. "+chefs" is in both lists, so its members get write access.
[chefs]
comment = Chefs und Admin
path = /mnt/chefs
read only = no
valid users = root,admin,+chefs
read list = +chefs
force group = chefs
write list = +chefs
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin
browseable = no

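# Unused space, reachable only by root and admin and hidden from browsing.
# Everything created here is forced to group "root" (02774 makes it group
# writable), so membership in the root group is effectively write access to
# this share — worth reconsidering. The trailing comma in the posted
# "valid users" line was dropped; Samba skipped the empty entry anyway.
[frei]
comment = Ungenutzer Platz
path = /mnt/frei
read only = no
valid users = root,admin
read list = +root
force group = root
write list = +root
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin
browseable = no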

# Group share: "+user" members read, "+marketing" members write; root/admin
# repeated although [global] already makes them root on every share.
[marketing]
comment = Marketing
path = /mnt/marketing
read only = no
valid users = root,admin,+marketing,+user
read list = +user
force group = marketing
write list = +marketing
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Group share: "+user" members read, "+schweiz" members write (write list wins
# for users in both lists); root/admin repeated although [global] covers them.
[schweiz]
comment = LW für die Schweiz
path = /mnt/schweiz
read only = no
valid users = root,admin,+schweiz,+user
read list = +user,+schweiz
force group = schweiz
write list = +schweiz
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Shared scratch area: every "+user" member may write (write list wins over
# read list). NOTE(review): "Domainadmin" has no "+" here, so it is matched as
# a user name, whereas [scpro] uses the group "+Domainadmin" — confirm which.
[scratch]
comment = Scratch
path = /mnt/scratch
read only = no
valid users = root,admin,Domainadmin,+user
read list = +user
force group = user
write list = +user
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin

# Group share: "+user" members read, "+sekret" members write; root/admin
# repeated although [global] already makes them root on every share.
[sekreteriat]
comment = Sekreteriat
path = /mnt/sekreteriat
read only = no
valid users = root,admin,+sekret,+user
read list = +user
force group = sekret
write list = +sekret
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Group share: "+user" members read, "+vertrieb" members write (write list wins
# for users in both lists); root/admin repeated although [global] covers them.
[vertrieb]
comment = vertrieb
path = /mnt/vertrieb
read only = no
valid users = root,admin,+vertrieb,+user
read list = +user,+vertrieb
force group = vertrieb
write list = +vertrieb
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
admin users = root,admin

# Nightly-cleared dump area that is open to everyone, including guests.
[temp]
comment = temp wird jede Nacht gelöscht
path = /mnt/temp
read only = no
# "+&user": try the Unix group "user" first, then a NIS netgroup of that name
valid users = root,admin,+&user
read list = +&user
write list = +&user
# "public" is a synonym of "guest ok"; one of the two lines is redundant
guest ok = yes
public = yes
# "create mode"/"directory mode" are synonyms of "create mask"/"directory mask";
# 0777 leaves everything world-readable and world-writable
create mode = 0777
directory mode = 0777


# Virtual printer that converts spooled jobs to PDF.
[PDFwriter]
comment = PDF Creator
path = /var/spool/samba
printing = sysv
printable = yes
# %J (job name) originates from the client; the working version of this file
# further down single-quotes it and %u for the shell — keep that quoting.
print command = /usr/bin/smbprngenpdf -J %J -c %c -s %s -u %u -z %z
create mask = 0600
browseable = yes
# NOTE(review): with guest access any unauthenticated client can submit jobs
# and so trigger the print command; the later version sets this to "no".
guest ok = yes
use client driver = yes


ldap.conf:

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# Client-side defaults for the OpenLDAP tools and for nss_ldap/pam_ldap on
# this host; the directory is contacted over the loopback interface.
host 127.0.0.1

BASE dc=weinberger,dc=de
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

# DN nss_ldap/pam_ldap bind as for privileged operations such as password
# changes (its password is read from /etc/ldap.secret).
# NOTE(review): this DN carries an extra "ou=DSA" and is not the rootdn that
# slapd.conf below defines ("cn=Manager,dc=weinberger,dc=de"); unless such an
# entry exists, that bind fails. The working ldap.conf further down uses the
# rootdn, which is the likely fix for the password-change error.
#rootbinddn cn=nssldap,ou=DSA,dc=weinberger,dc=de
rootbinddn cn=Manager,ou=DSA,dc=weinberger,dc=de

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT allow

# NSS search bases, one level each. NOTE(review): smb.conf stores its accounts
# under ou=people / ou=machines / ou=groups; confirm these OUs and those refer
# to the same entries.
nss_base_passwd ou=Users,dc=weinberger,dc=de?one
nss_base_passwd ou=Computers,dc=weinberger,dc=de?one
nss_base_shadow ou=Users,dc=weinberger,dc=de?one
nss_base_group ou=Group,dc=weinberger,dc=de?one

# cleartext LDAP; tolerable only because "host" is the loopback address
ssl no
# pam_ldap hashes new passwords itself (MD5 crypt) and writes userPassword
# directly, so the DN used for the change needs write access to userPassword
pam_password md5

slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schemas; samba3.schema provides the sambaSamAccount attributes that the
# ldapsam backend in smb.conf reads and writes.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast2userconfig.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema

schemacheck on
lastmod on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/run/slapd.pid
argsfile /var/run/slapd/run/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): no "security" directive is active, so simple binds and updates
# are accepted over cleartext; consistent with "ldap ssl = no" in smb.conf as
# long as the server is only reached over loopback/a trusted segment.

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# bdb database definitions
#######################################################################

database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=weinberger,dc=de"
# This DN is also smb.conf's "ldap admin dn" and (minus the ou=DSA) the
# rootbinddn in ldap.conf; as rootdn it bypasses every ACL below.
rootdn "cn=Manager,dc=weinberger,dc=de"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): the cleartext value below is exactly what the comment above
# warns about; replace it with the hash printed by slappasswd(8), e.g.
# rootpw {SSHA}<hash-from-slappasswd>, and keep this file mode 0600.
rootpw geheim
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain

# equality indexes for the attributes NSS and Samba look up by value
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

# ACLs placed after "database bdb" apply to this database only, which is a
# valid placement; ACLs before the first "database" line would merely be the
# global fallback. Password hashes: users may change their own, anonymous may
# only bind against them, nobody else may read them. The explicit Manager line
# is redundant because the rootdn bypasses ACLs anyway.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by dn="cn=Manager,dc=weinberger,dc=de" write
by anonymous auth
by * none
# Everything else — account names, uidNumber, SIDs, group membership — is
# readable by anyone, including anonymous binds; "by users read" would limit
# that to authenticated clients if NSS lookups can bind.
access to *
by * read
 

stka

Guru
Der Fehler wird wohl deine ACL in der slapd.conf sein. Die haben im Datenbankteil der Datei nichts verloren. Die gehören in den oberen Teil.
Wenn das dann immer noch nicht klappt, solltest du dein Logfiles posten.
Btw. Für Samba gibt es ein extra Forum!
 

hauih

Newbie
hallo

also nach meinen Infos ist das egal, ob die oben oder unten stehen. Gibt auch genug Beispiele, wo die unten stehen. Aber werd es trotzdem mal testen
 

hauih

Newbie
so nun Funzt alles
hier meine lauffähigen conf-Files:

SMB.conf:
# Samba config file created by haui
# from 0.0.0.0 (0.0.0.0)
# Date: 2005/12/14 15:19:40

# Global parameters
[global]

########Identifikation des Servers und der Arbeitsgruppe
# Domain/workgroup this PDC serves and the NetBIOS name clients address it by.
workgroup = weinberger
netbios name = PDC-SRV
server string = SAMBA-LDAP PDC Server

########Drucker
# NOTE(review): "printig" is not a known smb.conf parameter ("printing" was
# probably meant); both lines are commented out, so they have no effect.
# printig = cups
# printig name = cups

########Performance Einstellungen
# "debug level" is a synonym of "log level" (set again below with the same value).
debug level = 0
read raw = yes
write raw = yes
# minutes of inactivity before an idle client connection is dropped
deadtime = 15
oplocks = yes
fake oplocks = no
getwd cache = yes
#socket options = TCP_NODELAY
socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_RCVBUF=16384 SO_SNDBUF=16384
# smbd/nmbd listen on loopback and eth0 only (this was commented out in the
# first posted version of the file)
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes

########Die Log-Files für Samba
log level = 0
# one log file per client machine (%m = client NetBIOS name)
log file = /var/log/samba/log.%m
# in KiB; the log is rotated once it grows past this
max log size = 5000

########Definition des PDC
# Browser-election settings: this host should always win and be domain master.
local master = yes
os level = 65
domain master = yes
preferred master = yes
# accept NT domain logons, i.e. this Samba is the PDC
domain logons = Yes
security = user

# reject accounts that have an empty password
null passwords = no
# do not list files the connecting user cannot read
hide unreadable = yes


########Datenbank zugriff

# Accounts live in LDAP. "ldap ssl = no" below makes this connection cleartext,
# including the bind as "ldap admin dn", so the LDAP host should be local or on
# a trusted segment — presumably the same machine as ldap.conf's 127.0.0.1,
# TODO confirm.
passdb backend = ldapsam:ldap://192.168.10.111

# DN smbd binds as for all account reads and writes (its password is stored
# separately via "smbpasswd -w"); it is the slapd rootdn and bypasses ACLs.
ldap admin dn = cn=Manager,dc=weinberger,dc=de
ldap suffix = dc=weinberger,dc=de
# NOTE(review): ldap.conf below searches ou=Users / ou=Computers / ou=Group for
# NSS; confirm both sides point at the OUs the accounts actually live in.
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups

ldap ssl = no
# uid/gid ranges for winbind's id mapping (only relevant if winbindd runs)
winbind uid = 1000-2000
winbind gid = 1000-2000

# NOTE(review): "ldap passwd sync" from the first version is gone, so with the
# default (no) a Windows password change updates only sambaNTPassword /
# sambaLMPassword and leaves userPassword — the Unix/PAM password — unchanged.
load printers = No
# unknown usernames are mapped to the guest account; a known user with a wrong
# password is still rejected
map to guest = Bad User
printer admin = @ntadmin, root, administrator

# these users act as root on every share — keep this list minimal
admin users = root, admin


########User login
# logon script relative to the [netlogon] share, one per user (%U)
logon script = %U.login.bat
# roaming-profile location; %N is the NIS home server, i.e. this server's own
# name when NIS is not used. This goes through the [home] share, not [profiles].
logon path = \\%N\home\profile

## nächste Zeile nur für WIN9x/Me
logon home = \\%N\home
logon drive = H:


# Logon scripts (see "logon script" in [global]); every client fetches its
# script from here at domain logon, so write access here means code execution
# on every workstation — keep the write list tight.
[netlogon]
path = /home/samba/netlogon
browseable = no
# NOTE(review): "ntadmin" without a "+"/"@" prefix names a single user, not the
# ntadmin group used in "printer admin"; confirm which is intended.
write list = ntadmin
read only = yes

# Roaming-profile store, one directory per user. "logon path" in [global]
# points at \\%N\home\profile, i.e. through [home], so this share may be unused.
[profiles]
path = /home/%U/profile
# NOTE(review): guest access to a profile share is unusual; the 0700 modes
# below keep other users out at the filesystem level, but "guest ok = no"
# would be the safer default here.
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
preserve case = no
browseable = no
# owner-only permissions for everything created here
create mask = 0700
force create mode = 0700
force security mode = 0700
directory mask = 0700
force directory mode = 0700
force directory security mode = 0700
# present ownership/ACLs the way Windows expects for roaming profiles
profile acls = yes
writeable = yes

###### Verzeichnisse auf Server Daten1

# Per-user home directory; only the connecting user (%U) may open it via SMB.
[home]
comment = Home Directories
valid users = %U
path = /home/%U
read only = No
# NOTE(review): 0664/0775 (changed from 0770 in the first version) makes new
# files and directories readable by every local Unix user, including the
# roaming profile stored under /home/%U/profile — confirm that is wanted.
create mask = 0664
directory mask = 0775
browseable = No


# Shared scratch area: every "+user" member may write (write list wins over
# read list). NOTE(review): "Domainadmin" has no "+" here, so it is matched as
# a user name rather than a group — confirm which is intended.
[scratch]
comment = Scratch
path = /mnt/scratch
read only = no
valid users = root,admin,Domainadmin,+user
read list = +user
# every connection acts with this Unix group
force group = user
write list = +user
# 02774 = setgid + rwxrwxr--
force create mode = 02774
force directory mode = 02774
# keep the quota bookkeeping files out of listings
hide files = aquota.group/aquota.user/
# NOTE(review): "msdfs proxy" takes a DFS target path, not a boolean
msdfs proxy = no
# which permission bits Windows ACL edits may change
security mask = 02774
force security mode = 02774
directory security mask = 02774
create mask = 02774
directory mask = 02774
# redundant with the global "admin users" entry
admin users = root,admin



# Daily-cleared dump area that is open to everyone, including guests.
[temp]
comment = temp, Wird jeden Tag gelöscht
path = /mnt/temp
read only = no
# "+&user": try the Unix group "user" first, then a NIS netgroup of that name
valid users = root,admin,+&user
read list = +&user
write list = +&user
# "public" is a synonym of "guest ok"; one of the two lines is redundant
guest ok = yes
public = yes
# "create mode"/"directory mode" are synonyms of "create mask"/"directory mask";
# 0777 leaves everything world-readable and world-writable
create mode = 0777
directory mode = 0777


# Virtual printer that converts spooled jobs to PDF.
[PDFwriter]
comment = PDF Creator
# NOTE(review): /var/tmp is a shared, world-writable directory; a dedicated
# spool directory (the first version used /var/spool/samba) keeps job files
# away from other local users.
path = /var/tmp
printing = sysv
printable = yes
# %J (job name) originates from the client; the single quotes around %J and %u
# keep spaces in those values from being split by the shell — keep them.
print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
create mask = 0600
browseable = yes
# authenticated users only (was "yes" in the first version)
guest ok = no
# NOTE(review): "stscript" is not a known smb.conf parameter and is probably a
# truncated "postscript"; Samba ignores unknown parameters with a log warning,
# so check the log and drop or correct this line.
stscript = yes



##################################
ldap.conf

# Client-side defaults for the OpenLDAP tools and for nss_ldap/pam_ldap;
# the directory is contacted over the loopback interface.
host 127.0.0.1

BASE dc=weinberger,dc=de
# DN nss_ldap/pam_ldap bind as for privileged operations such as password
# changes (password read from /etc/ldap.secret). It is now the slapd rootdn —
# the first posted version had "cn=Manager,ou=DSA,..." instead, which is the
# most likely reason the password change was refused.
rootbinddn cn=Manager,dc=weinberger,dc=de
# NSS search bases, one level each. NOTE(review): smb.conf uses ou=people /
# ou=machines / ou=groups; confirm both sides refer to the same entries.
nss_base_passwd ou=Users,dc=weinberger,dc=de?one
nss_base_passwd ou=Computers,dc=weinberger,dc=de?one
nss_base_shadow ou=Users,dc=weinberger,dc=de?one
nss_base_group ou=Group,dc=weinberger,dc=de?one
# cleartext LDAP; tolerable only because "host" is the loopback address
ssl no
# pam_ldap hashes new passwords itself (MD5 crypt) and writes userPassword
# directly, so the binding DN needs write access to userPassword
pam_password md5

#####################################
slapd.conf

# Schemas; samba3.schema provides the sambaSamAccount attributes that the
# ldapsam backend in smb.conf reads and writes.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast2userconfig.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema

schemacheck on
lastmod on

# 128 = log access-control decisions; useful while debugging the password
# change, noisy (and it records DNs) in production — lower it afterwards.
loglevel 128


pidfile /var/run/slapd/run/slapd.pid
argsfile /var/run/slapd/run/slapd.args

modulepath /usr/lib/openldap/modules


database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=weinberger,dc=de"
# also the "ldap admin dn" in smb.conf and the rootbinddn in ldap.conf;
# as rootdn it bypasses every ACL below
rootdn "cn=Manager,dc=weinberger,dc=de"

# NOTE(review): still a cleartext password; replace it with the hash printed
# by slappasswd(8), e.g. rootpw {SSHA}<hash-from-slappasswd>, and keep this
# file mode 0600.
rootpw GEHEIM

# must exist before slapd starts; mode 700, owned by the slapd user
directory /var/lib/ldap

# equality indexes for the attributes NSS and Samba look up by value
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

# ACLs after "database bdb" apply to this database only, which is a valid
# placement. Password hashes: users may change their own, anonymous may only
# bind against them, nobody else may read them; the rootdn needs no entry.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
# Everything else — account names, uidNumber, SIDs, group membership — is
# readable by anyone, including anonymous binds; "by users read" would limit
# that to authenticated clients if NSS lookups can bind.
access to *
by * read
 