[Samba] winbind use default domain & Linux passwd

Matthias Leopold matthias.leopold at meduniwien.ac.at
Mon Sep 4 17:28:42 UTC 2023


Hi,

On my Linux domain members (in a Samba AD domain), changing the password in Linux
with "passwd" only works when I use "winbind use default domain = yes".
When I use the recommended default "winbind use default domain = no",
I am asked to enter the current password twice, then it fails.

SMB\user123@deepops-login-01:~$ passwd
Current Kerberos password:
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log says:

Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)


I'm using Ubuntu 20.04 with Sernet Samba 4.16.11.

pam-auth-update enabled
[*] Kerberos authentication
[*] Unix authentication
[*] SerNet Samba Winbind authentication

/etc/krb5.conf

[libdefaults]
         default_realm = SMB.MEDUNIWIEN.AC.AT
         dns_lookup_realm = false
         dns_lookup_kdc = true

/etc/samba/smb.conf
         workgroup = SMB
         realm = SMB.MEDUNIWIEN.AC.AT
         security = ADS
...

/etc/pam.d/common-password
password	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
...

thx 4 advice
Matthias






