[Samba] Fwd: Re: Change AD user password from Linux

john lists.john at gmail.com
Mon Jan 25 16:02:34 MST 2010

Hi Gregorcy,

Here's what I sent along to Masao. I didn't cc the list either :-( So
here it comes now.
Hope it may be useful.

On Thu, Jan 21, 2010 at 12:05 PM, Masao Garcia <masaog at fshac.com> wrote:
> John,
> Yes, with my config, I can see all the domain users and groups with both
> wbinfo and getent.  I can log in via SSH and also from an LTSP terminal (I
> had to chown the test user's home directory because the user IDs didn't
> match from the old system) but when it comes to password changes, it just
> won't work.

Did you have a legacy /var/lib/samba/winbindd_idmap.tdb lying around
from a previous active directory membership? If this computer had a
windows user called jdoe whose uid->sid mapping was stored in that
account, and you rejoined AD later on, you might cause yourself
problems when trying to change the "new" jdoe's passwd (e.g. his unix
uid would be mapped to a different windows SID as I understand it). I
am a bit fuzzy on this, others could be of more help. I get around
this because I use a static rid mapping (e.g. idmap backend =
rid:VANGUARD=10000-200000) so that I can scale AD across servers and
uid->sid mappings stay consistent.

> I tried changing my pam.d config files with your settings and I can't SSH in
> with AD accounts.  wbinfo and getent still works.

Here's what my ssh entry in /etc/pam.d looks like (note the entry for winbind)

auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
auth       sufficient   /lib/security/pam_winbind.so
@include common-auth
account    required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password

> I use krb5 because according to the guide, Kerberos and Winbind are required
> for authentication and session information when interfacing with AD.

I believe you need krb5 to join AD but you don't need entries in
pam.d/common-* unless you are trying to refresh kerberos tickets for
various domain services. Again, others would know more.

I messed around with automatically refreshing users' kerberos tickets,
but I couldn't get it working well, so users just have to present
credentials when they want to get a windows share for example. I really
should revisit this. :-)

> Can I ask what version of Samba you're running and what your domain
> functional level is?

winbind                                  3.0.28a-1ubuntu4.9
samba-common                               3.0.28a-1ubuntu4.9

Our functional level is "windows 2003"

> Did you install the Unix services on the DCs?

No I decided I didn't want to mess with the DC's in any way.

> tried both with and without the Unix services and I get the same errors
> about the users not being in /etc/passwd in both cases.  It's got to be a
> pam.d or nsswitch configuration problem, but I can't find any answers on
> Google.  Somehow I have to tell the client to look for the users in AD when
> changing passwords, but from my understanding that's handled by
> nsswitch.conf, which looks right.

I think you are on the right track. Have you tried turning up the
verbosity on the logging? You can do that in the smb.conf file and
then try your transaction and check for messages in /var/log/samba

Here's a little blurb from O'Reilly


> Anyway, I just got word from management that I need to raise the domain and
> forest functional levels to 2008R2, and from what I've read, you need Samba
> 3.2 for AD authentication to work right in that environment so now I'm
> messing with Ubuntu 9.10.  I appreciate your help.  I'll let you know how
> things turn out in the new environment.

I'll be interested to hear what you find out. I'm planning on
migrating to Lucid (the next LTS) sometime in the next 6 months, and I
would guess Karmic (9.10) and Lucid will be very similar with regards
to winbind and samba.

Btw, as an aside, I found out as long as I am only joining my servers
to AD and not actually hosting shares via samba on my Linux server, I
only need the winbind package on LTSP. Winbind installs a minimal
subset of the samba packages and doesn't run the samba daemon.

Good luck!
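The idmap point above (an allocating tdb backend hands out uids in the order it first sees users, while "idmap backend = rid" derives them from the account's RID, so a leftover winbindd_idmap.tdb can disagree with the fresh join) can be checked mechanically. The script below is an added example, not code from the post or from Samba: it implements the rid scheme the way idmap_rid documents it (unix id = RID + low end of the range, ids outside the range and SIDs of other domains unmapped) and compares a constructed dump of a legacy tdb against it. The domain SID, the 10000-200000 range, the user names and the legacy entries are all made up for the example.

```python
"""Algorithmic rid idmap (uid = low + RID) and a consistency check against a legacy tdb.

Added example; the domain SID, range and legacy entries below are constructed.
"""

# Constructed values: a domain SID and the range from
# "idmap backend = rid:VANGUARD=10000-200000" in the post.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW, HIGH = 10000, 200000


def rid_to_uid(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH):
    """Map a SID of our own domain to a unix id the way idmap_rid does.

    Returns None for SIDs of any other domain (those are never mapped by this
    backend) and for RIDs whose id would fall outside the configured range.
    """
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid or not rid_text.isdigit():
        return None
    uid = low + int(rid_text)
    return uid if low <= uid <= high else None


def uid_to_sid(uid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH):
    """Reverse mapping: a unix id inside the range becomes domain_sid-(uid - low)."""
    if not low <= uid <= high:
        return None
    return f"{domain_sid}-{uid - low}"


def find_stale_mappings(legacy, domain_sid=DOMAIN_SID, low=LOW, high=HIGH):
    """Compare a {uid: sid} dump of an old allocating idmap with the rid scheme.

    Returns [(uid, legacy_sid, rid_sid), ...] for every uid where the two
    disagree; any such uid is an account whose ownership/passwd behaviour will
    differ depending on which mapping winbind consults.
    """
    stale = []
    for uid, sid in sorted(legacy.items()):
        expected = uid_to_sid(uid, domain_sid, low, high)
        if expected != sid:
            stale.append((uid, sid, expected))
    return stale


# Constructed dump of a legacy winbindd_idmap.tdb. An allocating backend hands
# out uids sequentially from the bottom of the range, so "jdoe" (RID 1105) got
# uid 10000 the first time he logged in, and the third entry still carries the
# SID of a domain this box was joined to before it was rejoined.
LEGACY_TDB = {
    10000: f"{DOMAIN_SID}-1105",  # jdoe, allocated first
    10001: f"{DOMAIN_SID}-1106",  # second user seen
    10002: "S-1-5-21-9999999999-8888888888-7777777777-1107",  # old domain
}

if __name__ == "__main__":
    # Under the rid scheme jdoe is uid 11105, not 10000; uid 10000 would be RID 0.
    print("jdoe rid backend uid:", rid_to_uid(f"{DOMAIN_SID}-1105"))
    for uid, old_sid, new_sid in find_stale_mappings(LEGACY_TDB):
        print(f"uid {uid}: legacy tdb says {old_sid}, rid backend says {new_sid}")
```

On a real box the same comparison is done by feeding `wbinfo --sid-to-uid` / `wbinfo --uid-to-sid` output for each user into the legacy dict instead of the constructed one; every mismatch is a home directory whose owner will silently change identity after the switch, which is exactly the chown problem Masao describes.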


On Mon, Jan 25, 2010 at 2:02 PM, gregorcy <brian.gregorcy at utah.edu> wrote:
> whoops should have also sent to list.

> Hi Masao,
> Hey if you figure out how to get it to work will you post it to the list.  I have also been trying for a bit to get
> passwd to work.
> --Brian
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
