[Samba] samba ssh change password Error was: Wrong password

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 29 05:58:33 MDT 2014


On 29/10/14 11:46, barış tombul wrote:
> passwd: Authentication token manipulation error
> smbpasswd: machine 127.0.0.1 rejected the password change: Error was : Wrong Password
>
> best regards
>
>
>
> [FACILITY/btombul at samba ~]$ passwd
> Changing password for user FACILITY/btombul.
> Changing password for FACILITY/btombul
> (current) NT password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> [FACILITY/btombul at samba ~]$ smbpasswd
> added interface ens192 ip=10.0.20.4 bcast=10.0.20.255 netmask=255.255.255.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Connecting to 127.0.0.1 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088235
> machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
> [FACILITY/btombul at samba ~]$
>
> -----------------------------------------------------------
> password-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so
>
> --------------------------------------------------------------
> system-auth-ac
>
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so
>
>
> ------------------------
>
> sshd
>
> #%PAM-1.0
> auth       required     pam_sepermit.so
> auth       substack     password-auth
> auth       include      postlogin
> auth       include      system-auth
> auth       sufficient   pam_winbind.so
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    include      password-auth
> session    include      postlogin
>
>
> --------------------------------
>
>
> smb.conf
>
> [global]
>     server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
>     dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
>     obey pam restrictions = yes
>     bind interfaces only = yes
>     interfaces = ens192 lo
>     max protocol = smb3
>     logon path =
>     logon script =
>     logon home =
>     kerberos method = system keytab
>     name resolve order = wins bcast hosts
>     server string = Samba Server
>     security = user
>     server role = active directory domain controller
>     netbios name = SAMBA
>     disable netbios = no
>     preferred master = yes
>     domain master = yes
>     local master = yes
>     domain logons = yes
>     workgroup = FACILITY
>     password server = samba.facility.local
>     realm = FACILITY.LOCAL
>     client ldap sasl wrapping = sign
>     winbind separator = /
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 1
>     winbind nss info = rfc2307
>     winbind nested groups = yes
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind normalize names = yes
>     winbind rpc only = yes
>     winbind sealed pipes = no
>     winbind trusted domains only = no
>     winbind cache time = 3600
>     winbind reconnect delay = 30
>     winbind max clients = 2000
>     winbind use default domain = true
>     hosts allow = ALL, 127.0.0.1
>     encrypt passwords = yes
>     machine password timeout = 0
>     wins proxy = yes
>     wins support = yes
>     lanman auth = yes
>     ntlm auth = yes
>     client lanman auth = yes
>     client ntlmv2 auth = yes
>     client plaintext auth = yes
>     hostname lookups = no
>     nt pipe support = yes
>     dns forwarder = 127.0.0.1
>     allow dns updates = secure
>     dns proxy = no
>     passdb backend = ldapsam:ldap://127.0.0.1/
>     dead time = 0
>     nsupdate command = /usr/local/bin/nsupdate -g
>     dbwrap_tdb_mutexes:* = yes
>     idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
>     idmap config ALL:default = yes
>     idmap config ALL:readonly = yes
>     idmap_ldb:use rfc2307 = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : backend = ldapsam:ldap://127.0.0.1/
>     idmap config * : schema_mode = rfc2307
>     idmap config * : readonly = no
>     idmap config * : default = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : ldap_url = ldap://127.0.0.1/
>     idmap config FACILITY : schema_mode = rfc2307
>     idmap config FACILITY : readonly = no
>     idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
>     idmap config FACILITY : default = yes
>     idmap config FACILITY : range = 2000000-2999999
>     idmap config FACILITY : ldap_url = ldap://127.0.0.1/
>     ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
>     ldap suffix = DC=facility,DC=local
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Hosts
>     ldap user suffix = ou=User
>     ldap ssl = no
>     ldapsam:trusted = yes
>     ldapsam:editposix = yes
>     ldap delete dn = yes
>     ldap passwd sync = yes
>     pam password change = yes
>     passwd program = /usr/local/samba/bin/smbpasswd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     os level = 255
I am a bit lost here; you have this line in smb.conf:

server role = active directory domain controller

This says that you are running Samba as an AD DC and have presumably 
provisioned it, **BUT** the rest of your smb.conf says NT4-style PDC 
using LDAP =-O

Rowland
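The mismatch Rowland points at (an AD DC `server role` next to a pile of classic-PDC, ldapsam and NetBIOS-browsing parameters) is easy to miss in a 90-line `[global]`. Below is an added example for this thread, not Samba code and not anything the poster or Rowland supplied: a small Python audit that reads an smb.conf, flags parameters that have no role on an AD DC, flags `idmap config ... : backend` values that are not idmap backends (the posted file passes a *passdb* backend string there), and flags a few settings that weaken authentication regardless of role (`lanman auth = yes`, `ntlm auth = yes`, `client plaintext auth = yes`, `winbind sealed pipes = no`). The parameter tables are this example's own reading of smb.conf(5) and the Samba wiki and are assumptions, not Samba's authoritative list; `testparm -v` on the box is the authority. The embedded config is a constructed excerpt of the one posted above.

```python
"""Audit an smb.conf for parameters that contradict the configured server
role, plus a few weak-auth settings.  Added example; not Samba code.
The NT4_ONLY / IDMAP_BACKENDS / WEAK_AUTH tables are this example's own
assumptions drawn from smb.conf(5); `testparm -v` is the authority."""
import re

# Constructed excerpt of the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
    workgroup = FACILITY
    realm = FACILITY.LOCAL
    security = user
    domain logons = yes
    domain master = yes
    os level = 255
    password server = samba.facility.local
    lanman auth = yes
    ntlm auth = yes
    client plaintext auth = yes
    winbind sealed pipes = no
    passdb backend = ldapsam:ldap://127.0.0.1/
    idmap config * : backend = ldapsam:ldap://127.0.0.1/
    idmap config * : range = 2000000-2999999
    idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
    pam password change = yes
    passwd program = /usr/local/samba/bin/smbpasswd %u
"""

# Parameters that belong to a classic (NT4-style) PDC or a domain member
# and have no function on an AD DC.  (Assumption of this example.)
NT4_ONLY = {
    "passdb backend": "AD DC keeps accounts in its own sam.ldb; ldapsam/tdbsam are classic-PDC backends",
    "domain logons": "classic NT4 logon service; the AD DC serves logons itself",
    "domain master": "NetBIOS browse-master election (classic domain)",
    "preferred master": "NetBIOS browse-master election (classic domain)",
    "local master": "NetBIOS browse-master election (classic domain)",
    "os level": "NetBIOS browse-master election (classic domain)",
    "password server": "names the DC that a *member* server authenticates against",
    "ldap admin dn": "ldapsam/OpenLDAP backend setting",
    "ldap suffix": "ldapsam/OpenLDAP backend setting",
    "ldap passwd sync": "ldapsam/OpenLDAP backend setting",
    "pam password change": "classic-PDC unix password sync",
    "passwd program": "classic-PDC unix password sync",
    "passwd chat": "classic-PDC unix password sync",
}

# Recognised values for "idmap config <DOMAIN> : backend" (assumption:
# the Samba 4.x set).  "ldapsam" is a passdb backend, not an idmap one.
IDMAP_BACKENDS = {"tdb", "tdb2", "ldap", "rid", "ad", "autorid", "hash", "nss", "script"}

# (parameter, value) pairs that weaken authentication whatever the role.
WEAK_AUTH = {
    ("lanman auth", "yes"): "accepts LANMAN (LM) responses, trivially crackable",
    ("client lanman auth", "yes"): "sends LM responses to other servers",
    ("ntlm auth", "yes"): "accepts NTLMv1; prefer NTLMv2 only",
    ("client plaintext auth", "yes"): "lets the client send cleartext passwords",
    ("winbind sealed pipes", "no"): "turns off sealing of winbind's RPC pipes",
}

IDMAP_BACKEND_KEY = re.compile(r"idmap config (.+?)\s*:\s*backend$")


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}.
    Keys are lower-cased with whitespace runs collapsed (Samba itself
    ignores case and whitespace in parameter names); later duplicates
    overwrite earlier ones, as Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' only: DNs contain '='
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def audit(text):
    """Return [(severity, parameter, explanation)] for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("server role", "").lower() == "active directory domain controller":
        for key, why in NT4_ONLY.items():
            if key in g:
                findings.append(("conflict", key, why))
    for key, value in g.items():
        if IDMAP_BACKEND_KEY.match(key):
            backend = value.split(":", 1)[0].strip().lower()
            if backend not in IDMAP_BACKENDS:
                findings.append(("invalid", key, f"'{backend}' is not an idmap backend"))
        weak = WEAK_AUTH.get((key, value.lower()))
        if weak:
            findings.append(("weak-auth", key, weak))
    return findings


if __name__ == "__main__":
    for severity, key, why in audit(SAMPLE_SMB_CONF):
        print(f"{severity:9} {key}: {why}")
```

Run against the excerpt it reports eight role conflicts, two invalid idmap backends and four weak-auth settings; against a freshly provisioned AD DC smb.conf (server role, workgroup, realm, `idmap_ldb:use rfc2307`) it reports nothing, which is the shape Rowland is asking the poster to get back to.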


