[Samba] Change AD user password from Linux

Masao Garcia masaog at fshac.com
Wed Jan 20 12:22:43 MST 2010

Has anyone gotten Active Directory user passwords changed from a Linux
(Ubuntu 8.04) client?  I used
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto as a guide, so
I'm using Kerberos and Winbind (all apt-get).  Samba version is 3.0.28a with
a Windows Server 2008 R2 DC, but running AD 2003 native.  The client box is
an LTSP box, and I'm able to ssh in with AD accounts.  However, when I type
passwd I get the error message "passwd: Authentication token manipulation
error".  In the auth.log file I get "pam_unix(passwd:chauthtok): user
"kmasters" does not exist in /etc/passwd".  Is it possible my Samba version
is too old?

auth    sufficient      pam_krb5.so
auth    required        pam_unix.so nullok_secure use_first_pass

account sufficient      pam_winbind.so
account required        pam_unix.so

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

password   sufficient   pam_unix.so nullok md5 shadow
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so

        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = %h server (Samba, Ubuntu)
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = dc1.mydomain.com
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        domain master = No
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        invalid users = root
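
An added diagnostic, not part of the original post: it parses the PAM lines quoted above and lists the modules that handle login (auth/account) but never appear in the password stack, the stack the pam_unix(passwd:chauthtok) log line comes from. The LOCAL_ONLY set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The PAM lines exactly as posted in the message above.
POSTED_PAM = """\
auth    sufficient      pam_krb5.so
auth    required        pam_unix.so nullok_secure use_first_pass
account sufficient      pam_winbind.so
account required        pam_unix.so
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
password   sufficient   pam_unix.so nullok md5 shadow
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so
"""

# Assumption for this example: modules treated as local-only helpers.
LOCAL_ONLY = {"pam_unix.so", "pam_deny.so", "pam_mkhomedir.so"}

# group, control (plain word or [bracketed list]), module, optional arguments
LINE = re.compile(
    r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return {group: [(control, module, args)]} preserving stack order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # blank line, comment, or include of another file
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised PAM line: {raw!r}")
        group, control, module, args = m.groups()
        stacks[group].append((control, module, args.split()))
    return stacks

def missing_from_password(stacks):
    """Non-local modules used for auth/account that password never calls."""
    in_password = {module for _, module, _ in stacks["password"]}
    missing = []
    for group in ("auth", "account"):
        for _, module, _ in stacks[group]:
            if module not in LOCAL_ONLY | in_password and module not in missing:
                missing.append(module)
    return missing

if __name__ == "__main__":
    stacks = parse_pam(POSTED_PAM)
    control, module, _ = stacks["password"][0]
    print(f"passwd reaches {module} ({control}) first")
    for module in missing_from_password(stacks):
        print(f"{module}: used at login, absent from the password stack")
```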