[Samba] samba ssh change password Error was: Wrong password
barış tombul
bbtombul at gmail.com
Wed Oct 29 05:46:59 MDT 2014
passwd: Authentication token manipulation error
smbpasswd: machine 127.0.0.1 rejected the password change: Error was :
Wrong Password
best regards
[FACILITY/btombul at samba ~]$ passwd
Changing password for user FACILITY/btombul.
Changing password for FACILITY/btombul
(current) NT password:
New password:
Retype new password:
passwd: Authentication token manipulation error
[FACILITY/btombul at samba ~]$ smbpasswd
added interface ens192 ip=10.0.20.4 bcast=10.0.20.255 netmask=255.255.255.0
added interface lo ip=::1 bcast=
netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
[FACILITY/btombul at samba ~]$
-----------------------------------------------------------
password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): per the header above, hand edits to this file are lost when
# authconfig runs again; confirm which lines below were added manually.

# --- auth: local accounts first, then winbind for uid >= 1000 ---
auth required pam_env.so
# nullok lets pam_unix accept an account whose password field is empty.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# use_first_pass: pam_winbind reuses the password already typed for pam_unix
# and fails without prompting if it is wrong.
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

# --- account ---
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

# --- password: the stack that runs on a password change ---
# NOTE(review): the next two lines look like one rule wrapped by the mail
# client. "pam_cracklib.so" follows the module path, so it is handed to
# pam_pwquality as an argument rather than loaded as a second module.
# local_users_only means accounts absent from /etc/passwd (domain users such
# as the one in this report) get no local quality check.
password requisite pam_pwquality.so pam_cracklib.so try_first_pass
local_users_only retry=3 authtok_type=
# md5 makes pam_unix hash new local passwords with MD5-crypt; pam_unix also
# supports sha512. nullok additionally allows changing an empty password.
# (use_authtok on the following line is the wrapped tail of this rule.)
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
# use_authtok: pam_winbind takes the new password collected earlier in the
# stack. If it fails, control reaches pam_deny below, which is presumably the
# source of "Authentication token manipulation error" for a domain user.
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

# --- session ---
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# umask=0077: home directories created on first login are owner-only.
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
# The next two lines are presumably one rule, wrapped by the mail client.
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
--------------------------------------------------------------
system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): per the header above, hand edits to this file are lost when
# authconfig runs again; confirm which lines below were added manually.

# --- auth: local accounts first, then winbind for uid >= 1000 ---
auth required pam_env.so
# nullok lets pam_unix accept an account whose password field is empty.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# use_first_pass: pam_winbind reuses the password already typed for pam_unix
# and fails without prompting if it is wrong.
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

# --- account ---
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

# --- password: the stack that runs on a password change ---
# NOTE(review): the next two lines look like one rule wrapped by the mail
# client. "pam_cracklib.so" follows the module path, so it is handed to
# pam_pwquality as an argument rather than loaded as a second module.
# local_users_only means accounts absent from /etc/passwd (domain users) get
# no local quality check.
password requisite pam_pwquality.so pam_cracklib.so try_first_pass
local_users_only retry=3 authtok_type=
# md5 makes pam_unix hash new local passwords with MD5-crypt; pam_unix also
# supports sha512. nullok additionally allows changing an empty password.
# (use_authtok on the following line is the wrapped tail of this rule.)
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
# use_authtok: pam_winbind takes the new password collected earlier in the
# stack; if it fails, control reaches pam_deny below.
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

# --- session ---
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# umask=0077: home directories created on first login are owner-only.
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
# The next two lines are presumably one rule, wrapped by the mail client.
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
------------------------
sshd
#%PAM-1.0
# PAM stack for the sshd service only.
# NOTE(review): the transcript runs `passwd` inside an SSH session; passwd
# normally consults its own PAM service file, which is not shown in this post,
# so the "password" rule below may not be the one in effect - confirm.
auth required pam_sepermit.so
# NOTE(review): both password-auth and system-auth are pulled into the auth
# stack, so the same pam_unix/pam_winbind sequence is evaluated twice.
auth substack password-auth
auth include postlogin
auth include system-auth
# NOTE(review): this runs after two stacks that each end in a required
# pam_deny, so it looks redundant with the pam_winbind entries inside them.
auth sufficient pam_winbind.so
account required pam_nologin.so
account include password-auth
# Password changes requested through sshd reuse the password-auth stack.
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
# NOTE(review): system-auth and password-auth are both included here as well,
# so their session modules (pam_mkhomedir, pam_winbind, ...) run twice.
session include system-auth
session include password-auth
session include postlogin
--------------------------------
smb.conf
[global]
# NOTE(review): this file combines "server role = active directory domain
# controller" with NT4-style domain settings (passdb backend = ldapsam,
# domain logons, domain master, ldap * suffixes). An AD DC keeps accounts in
# its own directory database, so it is unclear which store smbpasswd and
# pam_winbind are actually changing; this mix is a likely place to look for
# the "Wrong Password" rejection - confirm against the Samba AD DC docs.
server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc,
drepl, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper
+rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
obey pam restrictions = yes
bind interfaces only = yes
interfaces = ens192 lo
max protocol = smb3
logon path =
logon script =
logon home =
kerberos method = system keytab
name resolve order = wins bcast hosts
server string = Samba Server
security = user
server role = active directory domain controller
netbios name = SAMBA
disable netbios = no
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
workgroup = FACILITY
password server = samba.facility.local
realm = FACILITY.LOCAL
client ldap sasl wrapping = sign
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
winbind nss info = rfc2307
winbind nested groups = yes
# Offline logon makes winbind cache credentials locally for use when no DC is
# reachable; treat that cache as sensitive.
winbind offline logon = yes
winbind refresh tickets = yes
winbind normalize names = yes
winbind rpc only = yes
# Sealing (encryption) of winbind's RPC pipes to the DC is switched off here.
winbind sealed pipes = no
winbind trusted domains only = no
winbind cache time = 3600
winbind reconnect delay = 30
winbind max clients = 2000
winbind use default domain = true
# "ALL" means there is no host-based restriction; the extra 127.0.0.1 adds
# nothing.
hosts allow = ALL, 127.0.0.1
encrypt passwords = yes
# NOTE(review): 0 is generally used to turn off periodic machine-account
# password rotation - confirm this is intended.
machine password timeout = 0
wins proxy = yes
wins support = yes
# Legacy authentication is enabled in both directions: the server accepts
# LANMAN and NTLMv1 responses, and the client tools may fall back to LANMAN or
# plaintext passwords. These are downgrade paths; keep them only if an old
# client or server really requires them.
lanman auth = yes
ntlm auth = yes
client lanman auth = yes
client ntlmv2 auth = yes
client plaintext auth = yes
hostname lookups = no
nt pipe support = yes
dns forwarder = 127.0.0.1
allow dns updates = secure
dns proxy = no
passdb backend = ldapsam:ldap://127.0.0.1/
dead time = 0
nsupdate command = /usr/local/bin/nsupdate -g
dbwrap_tdb_mutexes:* = yes
# NOTE(review): the idmap sections below repeat several keys, and "ldapsam"
# is a passdb backend name; the LDAP idmap backend is normally spelled "ldap".
# Verify that these lines are parsed the way the author expects.
idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
idmap config ALL:default = yes
idmap config ALL:readonly = yes
idmap_ldb:use rfc2307 = yes
idmap config * : range = 2000000-2999999
idmap config * : backend = ldapsam:ldap://127.0.0.1/
idmap config * : schema_mode = rfc2307
idmap config * : readonly = no
idmap config * : default = yes
idmap config * : range = 2000000-2999999
idmap config * : ldap_url = ldap://127.0.0.1/
idmap config FACILITY : schema_mode = rfc2307
idmap config FACILITY : readonly = no
idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
idmap config FACILITY : default = yes
idmap config FACILITY : range = 2000000-2999999
idmap config FACILITY : ldap_url = ldap://127.0.0.1/
# Samba binds to LDAP as the domain Administrator, so that account's password
# has to be stored on this host for the bind to work.
ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
ldap suffix = DC=facility,DC=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Hosts
ldap user suffix = ou=User
# No TLS on the LDAP connection; the URLs above are all loopback, so exposure
# is limited to this host as long as that stays true.
ldap ssl = no
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap delete dn = yes
ldap passwd sync = yes
# NOTE(review): "pam password change = yes" routes password changes through
# PAM, whose password stack ends in pam_winbind, while "passwd program" points
# back at smbpasswd; check for a circular dependency. passwd program/chat are
# documented as used together with "unix password sync", which is not set in
# the lines shown. The passwd chat value is wrapped across two lines by the
# mail client.
pam password change = yes
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
os level = 255