[Samba] [samba4] Users can't change password from the server

Dirbaio Minikiwi dirbaio at dirbaio.net
Sat Apr 27 19:50:24 MDT 2013


Hello everyone,

I've installed Samba 4.0.4 from source on an Ubuntu Server 12.04 machine.
I've configured it as an AD DC following the instructions here:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Then I configured Winbind following the instructions here:
http://wiki.samba.org/index.php/Samba4/Winbind

Users can now login through SSH to the server and access their files and
it's all working fine.
But users can't change their password.

At first it didn't work at all. Some googling pointed out that I have to
modify /etc/pam.d/common-password. (Is it missing in the wiki article?)
It now contains the following:

============
# here are the per-package modules (the "Primary" block)
password        sufficient                      pam_winbind.so debug
password        requisite                       pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
============

With these changes, it gets further but still fails:

Running passwd gives this output:

============
VGASMB\dirbaio at samba:~$ passwd
Changing password for VGASMB\dirbaio
(current) NT password:
Enter new NT password:
Retype new NT password:
passwd: User not known to the underlying authentication module
passwd: password unchanged
============

And the following gets printed to
/var/log/auth.log:<http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO>

============
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh:
0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x4000)
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): username
[VGASMB\dirbaio] obtained
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): getting
password (0x00000021)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): request
wbcLogonUser succeeded
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): user
'VGASMB\dirbaio' granted access
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh:
0x2547c60] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh:
0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x2000)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): username
[VGASMB\dirbaio] obtained
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): getting
password (0x00000001)
Apr 28 03:27:40 samba passwd[3394]: pam_winbind(passwd:chauthtok): user
'VGASMB\dirbaio' denied access (incorrect password or invalid membership)
Apr 28 03:27:40 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh:
0x2547c60] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
Apr 28 03:27:40 samba passwd[3394]: pam_unix(passwd:chauthtok): user
"VGASMB\dirbaio" does not exist in /etc/passwd
============

Running smbpasswd fails too:
============
VGASMB\dirbaio at samba:~$ /usr/local/samba/bin/smbpasswd
added interface eth0 ip=fe80::5054:ff:fe8f:d68f%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.12 bcast=192.168.1.255
netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
============

Running "smbpasswd dirbaio" as root works.
Running "passwd dirbaio" as root asks me for the old password (why?) and
fails the same way as running "passwd" as dirbaio.

(By the way, the wiki says getent passwd should print entries like this:

Administrator:x:0:100::/home/MATWS/Administrator:/bin/false

But I'm getting every entry prefixed with "VGASMB\", like this:

VGASMB\Administrator:*:0:100::/home/VGASMB/Administrator:/bin/bash

Could this be the issue?)

This is my smb.conf:
============
# Global parameters
[global]
workgroup = VGASMB
realm = VGASMB.VGAFIB.COM
 netbios name = SAMBA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate
 template shell = /bin/bash
log level = 3

[homes]
comment = Home Directories
 browseable = yes
writable = yes
read only = no
 create mask = 0700
directory mask = 0700
valid users = %S
# force user = VGASMB\%S
force group = domainadmins
root preexec = /usr/local/samba/scripts/mksambahomedirs.sh %S

[netlogon]
path = /usr/local/samba/var/locks/sysvol/vgasmb.vgafib.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[public]
path = /home/public
writable = yes
public = yes
 read only = no
browseable = yes

create mask = 0640
 directory mask = 2770
force directory mode = 2770
force user = VGASMB\public
 force group = users
============

I'm clueless at how to fix this. I've tried modifying
/etc/pam.d/common-password in other ways, but it still doesn't work. I've
googled more, and nothing.
Any help is greatly appreciated.

Thanks in advance!


More information about the samba mailing list