[Samba] winbind use default domain & Linux passwd
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Mon Sep 4 17:28:42 UTC 2023
Hi,

on my Linux domain members (in a Samba AD domain), changing the password in Linux
with "passwd" only works when I use "winbind use default domain = yes".
When I use the recommended default "winbind use default domain = no",
the current password is asked for twice, then it fails.

SMB\user123@deepops-login-01:~$ passwd
Current Kerberos password:
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log says:

Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)

I'm using Ubuntu 20.04 with SerNet Samba 4.16.11.

pam-auth-update enabled:
[*] Kerberos authentication
[*] Unix authentication
[*] SerNet Samba Winbind authentication

/etc/krb5.conf

[libdefaults]
default_realm = SMB.MEDUNIWIEN.AC.AT
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf

workgroup = SMB
realm = SMB.MEDUNIWIEN.AC.AT
security = ADS
...

/etc/pam.d/common-password

password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
...

thx 4 advice
Matthias
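
Added example, not part of the original post: a small Python model of how the `[success=N default=ignore]` controls in the listed common-password lines steer one pass through the stack. The function names are hypothetical, and the lines the post elides with "..." are not modelled.

```python
import re

# The three lines listed in the post's /etc/pam.d/common-password
# (wrapped lines rejoined; whatever follows them is elided in the post).
COMMON_PASSWORD = """\
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
"""

# type, bracketed control, module, optional arguments
LINE = re.compile(r"^(\S+)\s+\[([^\]]*)\]\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(module, skip_on_success)] for '[success=N default=ignore]' lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unsupported control syntax: {raw!r}")
        actions = dict(kv.split("=", 1) for kv in m.group(2).split())
        if actions.get("default") != "ignore" or not actions.get("success", "").isdigit():
            raise ValueError(f"only success=N default=ignore is modelled: {raw!r}")
        stack.append((m.group(3), int(actions["success"])))
    return stack

def trace(stack, succeeds):
    """Simulate one pass. Returns (modules invoked, landing offset), where the
    offset counts lines past the listed ones (0 = the line right after them)."""
    invoked, i = [], 0
    while i < len(stack):
        module, skip = stack[i]
        invoked.append(module)
        # success=N jumps over the next N lines; default=ignore falls through.
        i += 1 + skip if module in succeeds else 1
    return invoked, i - len(stack)

if __name__ == "__main__":
    stack = parse_stack(COMMON_PASSWORD)
    for ok in ({"pam_krb5.so"}, {"pam_unix.so"}, {"pam_winbind.so"}, set()):
        print(sorted(ok) or "none succeed", "->", trace(stack, ok))
```

With the listed lines, a success from any of the three modules lands on the same line (offset 1), while a pass in which none succeeds falls through to offset 0.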