[Samba] passwd: Authentication token manipulation error

John H Terpstra jht at samba.org
Sun Feb 2 00:00:09 GMT 2003


On Sun, 2 Feb 2003, Keith Fernandez wrote:

Whoa Keith! Nowhere in your first email did you explain that you had
already changed your Linux PAM configuration _AND_ are trying to use
pam_smbpass.so.

The smbpasswd utility only changes the password in /etc/samba/smbpasswd.
It does NOT use PAM at all.

The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM.
Whatever you configure PAM to do it will follow.

Firstly, pam_smbpass.so does NOT do unix system password changing! It can
be added to your PAM configuration to update the /etc/samba/smbpasswd
file. If you want to update both /etc/passwd (/etc/shadow) entries as well
as /etc/samba/smbpasswd then the following recommendation is included in
the source code by the author:

#%PAM-1.0
# password-sync
#
# A sample PAM configuration that shows the use of pam_smbpass to make
# sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
# is changed.  Useful when an expired password might be changed by an
# application (such as ssh).

auth       requisite        pam_nologin.so
auth       required         pam_unix.so
account    required         pam_unix.so
password   requisite        pam_cracklib.so retry=3
password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
password   required         pam_smbpass.so nullok use_authtok try_first_pass
session    required         pam_unix.so

And that is from the documentation in ~samba/source/pam_smbpass/samples.

Your RH8 machine may use pam_pwdb.so, or pam_unix2.so, or similar for
system account password changing.


> I think it is a samba question,  I did try to use more than 8 characters in
> the password and it still gave the same error.

If you do not have the pam_pwdb.so or pam_unix.so module in your PAM
configuration then you have a hosed up PAM.

> I got this error when I tried to add a new user to the unix system and
> change his password. This is ONLY when I used the pam_smbpass option to
> samba.

Wait a moment. You added pam_smbpass.so to PAM - NOT to samba!

> So I think it is a samba question.....

Whatever!

> the only workaround is what I had given below.
> If you have got the pam_smbpass option to sync unixpassword with smbpassword
> for NEW users, Please let me know.

> You say smbpassword adds any user present in /etc/password, TRUE... But my
> question is why can't I add a unix password to the user which will sync it
> with smbpassword the 1st time I create a user..

Explained above.

> Once I create my smbpassword and then I change my unix password then it
> syncs it with smbpassword and no error, why can't it do it the first time.

Fix your PAM configuration.

>
> Here is my error again using 8 characters in my password .....
> ---------------------------------------
> [root@localhost named]# useradd -g users keith
> [root@localhost named]# passwd keith
> Changing password for user keith.
> New password:
> Retype new password:
> Failed to find entry for user keith.
>
> passwd: Authentication token manipulation error
> -----------------------------------------

Right. Did you add the 'debug' or 'audit' options to the pam_smbpass.so
line in your PAM configuration and then check /var/log/messages or
/var/log/security for error messages?


> NOW IF I HAD DONE THIS
> ----------------------------------------
> [root@localhost named]# useradd -g users keith
> [root@localhost named]# smbpasswd -a keith
> New SMB password:
> Retype new SMB password:
> Added user keith.
> Password changed for user keith.

Of course it worked! It just changes /etc/samba/smbpasswd entries.
You added the account (with the -a option), so now pam_smbpass.so can
change the password. The account entry in /etc/samba/smbpasswd has to
exist first.

> [root@localhost named]# passwd keith
> Changing password for user keith.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully
> ------------------------------------------
>
> Added this line to my /etc/pam.d/system-auth to get it to work after the
> "pam_cracklib.so" line
> password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Try:
password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit migrate

Cheers,
John T.

>
>
>
> Regards,
> Keith
> --------
> "The linuX Files -- The Source is Out There."
> --------
> ----- Original Message -----
> From: "John H Terpstra" <jht at samba.org>
> To: "Keith Fernandez" <keith at theargoncompany.com>
> Cc: <samba at lists.samba.org>
> Sent: Saturday, February 01, 2003 11:46 PM
> Subject: Re: [Samba] passwd: Authentication token manipulation error
>
>
> > On Sat, 1 Feb 2003, Keith Fernandez wrote:
> >
> > > Hi Can anyone tell me what this error is.
> >
> > Firstly, it's NOT a samba question.
> >
> > Secondly, it means the password you tried to use is too short. Your RH8
> > system has a PAM configuration that insists on a password being longer
> > than a certain number of characters.
> >
> > I think that if you do:
> > grep mandy /etc/passwd
> > you will find that the account was added, but it now has NO password.
> > You really DO want to enter a system password, or use Red Hat's method for
> > locking the Linux system account for mandy.
> >
> > smbpasswd will add any user who has an entry in the /etc/passwd file.
> >
> > SMB passwords are independent of the system password.
> >
> > - John T.
> >
> > >
> > > Thanks.
> > > Regards,
> > > Keith
> > > --------
> > > "The linuX Files -- The Source is Out There."
> > > --------
> > > ----- Original Message -----
> > > From: "Keith Fernandez" <keith at theargoncompany.com>
> > > To: <samba at lists.samba.org>
> > > Sent: Friday, January 31, 2003 8:34 PM
> > > Subject: [Samba] passwd: Authentication token manipulation error
> > >
> > >
> > > > Hi,
> > > >
> > > > I am trying to add a new user to my RedHat 8.0 System running samba 2.2.7-1a
> > > > This is the error I get.
> > > >
> > > > ---------------------------------------
> > > > [root@localhost named]# useradd -g users mandy
> > > > [root@localhost named]# passwd mandy
> > > > Changing password for user mandy.
> > > > New password:
> > > > BAD PASSWORD: it is too short
> > > > Retype new password:
> > > > Failed to find entry for user mandy.
> > > >
> > > > passwd: Authentication token manipulation error
> > > > -----------------------------------------
> > > >
> > > > This error is only when I am creating a new user. Password sync happens if there is an existing user.
> > > > if after using useradd -g users mandy
> > > > I do a smbpassword -a mandy
> > > > then everything is fine....
> > > > What could be the problem...
> > > >
> > > >
> > > > Regards,
> > > > Keith
> > > > --------
> > > > "The linuX Files -- The Source is Out There."
> > > > --------
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > >
> > >
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>
>

-- 
John H Terpstra
Email: jht at samba.org
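
The following is an added example, not part of the original message or of Samba's own code: a shell check for the condition discussed in this thread, where pam_smbpass.so is in the PAM password stack but an account has no entry in the smbpasswd file yet. The function names, the sample files, and the UID cutoff of 500 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File paths and the UID cutoff of 500
# (assumed start of ordinary user accounts) are assumptions.

# Print accounts (UID >= min_uid) in a passwd-format file that have no
# entry in an smbpasswd-format file.
missing_smb_entries() {
    passwd_file=$1; smb_file=$2; min_uid=${3:-500}
    awk -F: -v min="$min_uid" '
        FILENAME == ARGV[1] { if ($1 !~ /^#/ && $1 != "") smb[$1] = 1; next }
        $1 !~ /^#/ && $3 + 0 >= min && !($1 in smb) { print $1 }
    ' "$smb_file" "$passwd_file"
}

# Succeed if the PAM file has an uncommented "password" line naming pam_smbpass.so.
pam_syncs_smbpasswd() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_smbpass\.so' "$1"
}

# Return 1 and name the accounts for which passwd would hit the
# "Failed to find entry for user" case; return 0 otherwise.
check_password_sync() {
    pam_file=$1; passwd_file=$2; smb_file=$3
    if ! pam_syncs_smbpasswd "$pam_file"; then
        echo "pam_smbpass.so is not in the password stack"; return 0
    fi
    missing=$(missing_smb_entries "$passwd_file" "$smb_file")
    if [ -z "$missing" ]; then echo "ok"; return 0; fi
    echo "no smbpasswd entry:" $missing
    return 1
}

# Constructed sample files (placeholder hashes, not real data).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'keith:x:500:100::/home/keith:/bin/bash' \
    'mandy:x:501:100::/home/mandy:/bin/bash' > "$demo_dir/passwd"
x32=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
echo "keith:500:$x32:$x32:[U          ]:LCT-00000000:" > "$demo_dir/smbpasswd"
printf '%s\n' 'password requisite pam_unix.so shadow md5 use_authtok' \
    'password required pam_smbpass.so nullok use_authtok try_first_pass' \
    > "$demo_dir/system-auth"
check_password_sync "$demo_dir/system-auth" "$demo_dir/passwd" \
    "$demo_dir/smbpasswd" || true   # prints: no smbpasswd entry: mandy
```

On a real system, pass the PAM service file, /etc/passwd and /etc/samba/smbpasswd as the three arguments and run it as root, since the smbpasswd file is not world-readable.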

