[Samba] passwd: Authentication token manipulation error

Keith Fernandez keith at theargoncompany.com
Sun Feb 2 13:50:30 GMT 2003


Hi John,
Thanks for the help... will try out the "audit migrate" option and see what
I get

Regards,
Keith
--------
"The linuX Files -- The Source is Out There."
--------
----- Original Message -----
From: "John H Terpstra" <jht at samba.org>
To: "Keith Fernandez" <keith at theargoncompany.com>
Cc: <samba at lists.samba.org>
Sent: Sunday, February 02, 2003 5:30 AM
Subject: Re: [Samba] passwd: Authentication token manipulation error


> On Sun, 2 Feb 2003, Keith Fernandez wrote:
>
> Whoa Keith! Nowhere in your first email did you explain that you had
> already changed your Linux PAM configuration _AND_ are trying to use
> pam_smbpass.so.
>
> The smbpasswd utility only changes the password in /etc/samba/smbpasswd.
> It does NOT use PAM at all.
>
> The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM.
> Whatever you configure PAM to do it will follow.
>
> Firstly, pam_smbpass.so does NOT do unix system password changing! It can
> be added to your PAM configuration to update the /etc/samba/smbpasswd
> file. If you want to update both /etc/passwd (/etc/shadow) entries as well
> as /etc/samba/smbpasswd then the following recommendation is included in
> the source code by the author:
>
> #%PAM-1.0
> # password-sync
> #
> # A sample PAM configuration that shows the use of pam_smbpass to make
> # sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
> # is changed.  Useful when an expired password might be changed by an
> # application (such as ssh).
>
> auth       requisite        pam_nologin.so
> auth       required         pam_unix.so
> account    required         pam_unix.so
> password   requisite        pam_cracklib.so retry=3
> password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
> password   required         pam_smbpass.so nullok use_authtok try_first_pass
> session    required         pam_unix.so
>
> And that is from the documentation in ~samba/source/pam_smbpass/samples.
>
> Your RH8 machine may use pam_pwdb.so, or pam_unix2.so, or similar for
> system account password changing.
>
>
> > I think it is a samba question,  I did try to use more than 8 characters in
> > the password and it still gave the same error.
>
> If you do not have the pam_pwdb.so or pam_unix.so module in your PAM
> configuration then you have a hosed up PAM.
>
> > I got this error when I tried to add a new user to the unix system and
> > change his password. This is ONLY when I used the pam_smbpass option to
> > samba.
>
> Wait a moment. You added pam_smbpass.so to PAM - NOT to samba!
>
> > So I think it is a samba question.....
>
> Whatever!
>
> > the only workaround is what I had given below.
> > If you have got the pam_smbpass option to sync unixpassword with smbpassword
> > for NEW users, Please let me know.
>
> > You say smbpassword adds any user present in /etc/password, TRUE... But my
> > question is why can't I add a unix password to the user which will sync it
> > with smbpassword the 1st time I create a user..
>
> Explained above.
>
> > Once I create my smbpassword and then I change my unix password then it
> > syncs it with smbpassword and no error, why can't it do it the first time.
>
> Fix your PAM configuration.
>
> >
> > Here is my error again using 8 characters in my password .....
> > ---------------------------------------
> > [root at localhost named]# useradd -g users keith
> > [root at localhost named]# passwd keith
> > Changing password for user keith.
> > New password:
> > Retype new password:
> > Failed to find entry for user keith.
> >
> > passwd: Authentication token manipulation error
> > -----------------------------------------
>
> Right. Did you add the 'debug' or 'audit' options to the pam_smbpass.so
> line in your PAM configuration and then check /var/log/messages or
> /var/log/security for error messages?
>
>
> > NOW IF I HAD DONE THIS
> > ----------------------------------------
> > [root at localhost named]# useradd -g users keith
> > [root at localhost named]# smbpasswd -a keith
> > New SMB password:
> > Retype new SMB password:
> > Added user keith.
> > Password changed for user keith.
>
> Of course it worked! It just changes /etc/samba/smbpasswd entries.
> You added the account (with the -a option), so now pam_smbpass.so can
> change the password. The account entry in /etc/samba/smbpasswd has to
> exist first.
>
> > [root at localhost named]# passwd keith
> > Changing password for user keith.
> > New password:
> > Retype new password:
> > passwd: all authentication tokens updated successfully
> > ------------------------------------------
> >
> > Added this line to my /etc/pam.d/system-auth to get it to work after the
> > "pam_cracklib.so" line
> > password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
>
> Try:
> password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit migrate
>
> Cheers,
> John T.
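
Added example, not part of the original thread: a shell check for the two conditions discussed above, namely Unix accounts with no entry yet in the smbpasswd file (the "Failed to find entry for user" case) and a PAM password stack that lacks a system password module alongside pam_smbpass. The function names, the default minimum UID of 500 and the sample files are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). File paths and MIN_UID are assumptions.

# missing_smb_users PASSWD_FILE SMBPASSWD_FILE [MIN_UID]
# Prints login names with UID >= MIN_UID that have no smbpasswd entry, i.e.
# the accounts for which pam_smbpass would report "Failed to find entry".
missing_smb_users() {
    awk -F: -v min="${3:-500}" '
        # smbpasswd (first operand): remember account names, skip comments.
        FILENAME == ARGV[1] { if ($0 !~ /^#/ && $1 != "") have[$1] = 1; next }
        # passwd (second operand): ordinary users without an smbpasswd entry.
        $3 + 0 >= min && !($1 in have) { print $1 }
    ' "$2" "$1"
}

# pam_password_stack PAM_FILE
# Prints "ok" when the password stack has both a system password module
# (pam_unix, pam_unix2 or pam_pwdb) and pam_smbpass; otherwise names the gap.
pam_password_stack() {
    awk '
        $1 == "password" && $3 ~ /pam_(unix2?|pwdb)\.so$/ { unix = 1 }
        $1 == "password" && $3 ~ /pam_smbpass\.so$/       { smb = 1 }
        END {
            if (!unix)     print "missing-system-module"
            else if (!smb) print "missing-pam_smbpass"
            else           print "ok"
        }
    ' "$1"
}

# Demo on constructed files (placeholder hashes, not real credentials).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'keith:x:500:100::/home/keith:/bin/bash' \
        'anna:x:501:100::/home/anna:/bin/bash' > "$d/passwd"
    printf '%s\n' '# constructed smbpasswd' \
        'anna:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:' \
        > "$d/smbpasswd"
    printf '%s\n' 'password requisite pam_cracklib.so retry=3' \
        'password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass' \
        > "$d/system-auth"
    missing_smb_users "$d/passwd" "$d/smbpasswd"   # lists keith
    pam_password_stack "$d/system-auth"            # names the missing module
    rm -rf "$d"
}
demo
```

On a live system the same functions can be pointed at /etc/passwd, /etc/samba/smbpasswd and /etc/pam.d/system-auth, run as root since smbpasswd is not world-readable.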


