[Samba] winbind use default domain & Linux passwd

Rowland Penny rpenny at samba.org
Mon Sep 4 17:52:54 UTC 2023


On Mon, 4 Sep 2023 19:28:42 +0200
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> on my Linux domain members (in Samba AD domain) password change in
> Linux with "passwd" only works when I use "winbind use default domain
> = yes". When I use recommended default "winbind use default domain =
> no" entering the current password is asked twice, then fails.
> 
> SMB\user123 at deepops-login-01:~$ passwd
> Current Kerberos password:
> Current Kerberos password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
> 
> /var/log/auth.log says:
> 
> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
> Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
> Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)
> 
> 
> I'm using Ubuntu 20.04 with Sernet Samba 4.16.11.
> 
> pam-auth-update enabled
> [*] Kerberos authentication
> [*] Unix authentication
> [*] SerNet Samba Winbind authentication
> 
> /etc/krb5.conf
> 
> [libdefaults]
>          default_realm = SMB.MEDUNIWIEN.AC.AT
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> 
> /etc/samba/smb.conf
>          workgroup = SMB
>          realm = SMB.MEDUNIWIEN.AC.AT
>          security = ADS
> ...
> 
> /etc/pam.d/common-password
> password	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
> password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
> password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
> ...
> 
> thx 4 advice
> Matthias

First, I recommend you remove the libpam-krb5 package and ensure the
libpam-winbind & libnss-winbind packages are installed.

Can you please post the output of 'testparm -s' when run on a domain
member?

Rowland


