[Samba] samba ssh change password Error was: Wrong password
Rowland Penny
rowlandpenny at googlemail.com
Wed Oct 29 05:58:33 MDT 2014
On 29/10/14 11:46, barış tombul wrote:
> passwd: Authentication token manipulation error
> smbpasswd: machine 127.0.0.1 rejected the password change: Error was : Wrong Password
>
> best regards
>
>
>
> [FACILITY/btombul at samba ~]$ passwd
> Changing password for user FACILITY/btombul.
> Changing password for FACILITY/btombul
> (current) NT password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> [FACILITY/btombul at samba ~]$ smbpasswd
> added interface ens192 ip=10.0.20.4 bcast=10.0.20.255 netmask=255.255.255.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Connecting to 127.0.0.1 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088235
> machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
> [FACILITY/btombul at samba ~]$
>
> -----------------------------------------------------------
> password-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_winbind.so
>
> --------------------------------------------------------------
> system-auth-ac
>
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_winbind.so
>
>
> ------------------------
>
> sshd
>
> #%PAM-1.0
> auth required pam_sepermit.so
> auth substack password-auth
> auth include postlogin
> auth include system-auth
> auth sufficient pam_winbind.so
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open env_params
> session optional pam_keyinit.so force revoke
> session include system-auth
> session include password-auth
> session include postlogin
>
>
> --------------------------------
>
>
> smb.conf
>
> [global]
> server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
> obey pam restrictions = yes
> bind interfaces only = yes
> interfaces = ens192 lo
> max protocol = smb3
> logon path =
> logon script =
> logon home =
> kerberos method = system keytab
> name resolve order = wins bcast hosts
> server string = Samba Server
> security = user
> server role = active directory domain controller
> netbios name = SAMBA
> disable netbios = no
> preferred master = yes
> domain master = yes
> local master = yes
> domain logons = yes
> workgroup = FACILITY
> password server = samba.facility.local
> realm = FACILITY.LOCAL
> client ldap sasl wrapping = sign
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nss info = rfc2307
> winbind nested groups = yes
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind normalize names = yes
> winbind rpc only = yes
> winbind sealed pipes = no
> winbind trusted domains only = no
> winbind cache time = 3600
> winbind reconnect delay = 30
> winbind max clients = 2000
> winbind use default domain = true
> hosts allow = ALL, 127.0.0.1
> encrypt passwords = yes
> machine password timeout = 0
> wins proxy = yes
> wins support = yes
> lanman auth = yes
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client plaintext auth = yes
> hostname lookups = no
> nt pipe support = yes
> dns forwarder = 127.0.0.1
> allow dns updates = secure
> dns proxy = no
> passdb backend = ldapsam:ldap://127.0.0.1/
> dead time = 0
> nsupdate command = /usr/local/bin/nsupdate -g
> dbwrap_tdb_mutexes:* = yes
> idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
> idmap config ALL:default = yes
> idmap config ALL:readonly = yes
> idmap_ldb:use rfc2307 = yes
> idmap config * : range = 2000000-2999999
> idmap config * : backend = ldapsam:ldap://127.0.0.1/
> idmap config * : schema_mode = rfc2307
> idmap config * : readonly = no
> idmap config * : default = yes
> idmap config * : range = 2000000-2999999
> idmap config * : ldap_url = ldap://127.0.0.1/
> idmap config FACILITY : schema_mode = rfc2307
> idmap config FACILITY : readonly = no
> idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
> idmap config FACILITY : default = yes
> idmap config FACILITY : range = 2000000-2999999
> idmap config FACILITY : ldap_url = ldap://127.0.0.1/
> ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
> ldap suffix = DC=facility,DC=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Hosts
> ldap user suffix = ou=User
> ldap ssl = no
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> ldap delete dn = yes
> ldap passwd sync = yes
> pam password change = yes
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> os level = 255
I am a bit lost here; you have this line in smb.conf:
server role = active directory domain controller
This says that you are running samba as an AD DC and presumably provisioned samba, **BUT** the rest of your smb.conf says NT4-style PDC using ldap =-O
Rowland
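The mismatch Rowland points out can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses a reduced smb.conf constructed from the settings quoted above and flags the classic NT4 PDC / ldapsam parameters that contradict `server role = active directory domain controller`. The role names and the set of ldapsam-only parameters it checks are my own selection.

```python
import re
# Constructed sample (not the poster's full file): the AD DC role from the quoted
# smb.conf next to the classic NT4 PDC / ldapsam parameters that surround it.
SAMPLE_SMB_CONF = """
[global]
    server role = active directory domain controller
    domain logons = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    idmap config * : backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
    ldapsam:trusted = yes
"""

AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
# Parameters that only mean something to the ldapsam passdb backend (own selection).
LDAPSAM_PARAMS = {"ldap admin dn", "ldap suffix", "ldap user suffix", "ldap group suffix",
                  "ldap machine suffix", "ldap idmap suffix", "ldap passwd sync", "ldap delete dn"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, spaces collapsed (smb.conf ignores both)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
            conf[section][key] = value.strip()
    return conf

def lint_ad_dc(conf):
    """List classic-PDC / ldapsam settings that contradict an AD DC server role."""
    g = conf.get("global", {})
    if g.get("server role", "").lower() not in AD_DC_ROLES:
        return []  # only the AD DC / classic mix seen in the thread is checked
    issues = []
    if g.get("domain logons", "no").lower() in ("yes", "true", "1"):
        issues.append("domain logons: NT4-style PDC parameter, not used by an AD DC")
    if "passdb backend" in g and not g["passdb backend"].startswith("samba_dsdb"):
        issues.append("passdb backend: an AD DC keeps its accounts in sam.ldb (samba_dsdb)")
    for key, value in g.items():
        if key.startswith("idmap config") and key.endswith(":backend") and value.startswith("ldapsam"):
            issues.append(f"{key}: ldapsam is a passdb backend, not an idmap backend")
        elif key in LDAPSAM_PARAMS or key.startswith("ldapsam:"):
            issues.append(f"{key}: ldapsam passdb parameter, meaningless on an AD DC")
    return issues
```

Running `lint_ad_dc(parse_smb_conf(SAMPLE_SMB_CONF))` returns one finding per conflicting parameter; a classic PDC or a DC with `passdb backend = samba_dsdb` returns an empty list.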