[Samba] Changing User password from ssh member server

Guilherme Boing kolt+samba at frag.com.br
Thu Oct 8 18:34:16 UTC 2015 

Yes, it is an AD DC.

The thing is, the only way I know to change the user password is from a
Windows workstation (CTRL+ALT+DEL and go to Change password).
I was trying to achieve the same thing through another Linux server that is
not the AD DC. So I thought that it would be possible for them to change
their AD passwords through "passwd", but it didn't seem to work properly,
because it is only updating the userPassword attribute.

On Thu, Oct 8, 2015 at 3:29 PM, Rowland Penny <rowlandpenny241155 at gmail.com>
wrote:

> On 08/10/15 19:16, Guilherme Boing wrote:
>
>> I have removed use_auhtok from /etc/pam.d/system-auth and now passwd is
>> "kind of" working...
>> I am still able to login with my old password and the new one also. But
>> only on the linux servers that are authenticating through LDAP.
>>
>> On my workstation only the old password (the one I was trying to change
>> through passwd(ssh)) works.
>>
>> I have noticed that my user now has a userPassword attribute set, where
>> the other users that have never tried to change the password from passwd
>> (ssh) do not have.
>> It seems that my windows workstation does not rely on userPassword,
>> however the linux servers that are authenticating through LDAP are
>> considering both userPassword and the AD password also... ?!
>>
>> smb.conf is pretty much the one that comes with the tarball.
>> smb.conf and pam configurations: http://pastebin.ca/3185721
>>
>>
>> On Thu, Oct 8, 2015 at 3:03 PM, Rowland Penny <
>> rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>
>> wrote:
>>
>>     On 08/10/15 18:59, Guilherme Boing wrote:
>>
>>         Hi Rowland,
>>
>>         This is a CentOS 6.7 server.
>>         I was able to make some progress. I have edited
>>         /etc/pam.d/system-auth, and now it looks like:
>>
>>         auth        required      pam_env.so
>>         auth        sufficient    pam_unix.so nullok try_first_pass
>>         auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>         auth        sufficient    pam_ldap.so use_first_pass
>>         auth        required      pam_deny.so
>>
>>         account     required      pam_unix.so
>>         account     sufficient    pam_localuser.so
>>         account     sufficient    pam_succeed_if.so uid < 500 quiet
>>         account     [default=bad success=ok user_unknown=ignore]
>>         pam_ldap.so
>>         account     required      pam_permit.so
>>
>>         password    requisite     pam_cracklib.so try_first_pass
>>         retry=3 type=
>>         password    sufficient    pam_unix.so sha512 shadow nullok
>>         try_first_pass
>>         password    sufficient    pam_ldap.so use_authtok
>>         password    required      pam_deny.so
>>
>>         session     optional      pam_keyinit.so revoke
>>         session     required      pam_limits.so
>>         session     [success=1 default=ignore] pam_succeed_if.so
>>         service in crond quiet use_uid
>>         session     optional      pam_ldap.so
>>         session     required      pam_mkhomedir.so skel=/etc/skel
>>         umask=0022
>>         session     required      pam_unix.so
>>
>>         Now passwd works, but not really:
>>         [Guilherme at server ~]$ passwd
>>         Changing password for user Guilherme.
>>         Enter login(LDAP) password:
>>         New password:
>>         Retype new password:
>>         LDAP password information changed for Guilherme
>>         passwd: all authentication tokens updated successfully.
>>
>>         After that, I have logged out and logged in with the same old
>>         password. The password didn't seem to update.
>>
>>
>>         On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny
>>         <rowlandpenny241155 at gmail.com
>>         <mailto:rowlandpenny241155 at gmail.com>
>>         <mailto:rowlandpenny241155 at gmail.com
>>
>>         <mailto:rowlandpenny241155 at gmail.com>>> wrote:
>>
>>             On 08/10/15 18:38, Guilherme Boing wrote:
>>
>>                 Hi,
>>
>>                 I am authenticating users on our linux servers using
>>                 nslcd/pam_ldap.
>>                 Authentication is fine, however, it is not possible
>>         for the
>>                 user to change
>>                 the password from the server.
>>
>>                 Is there a way to make it work ?
>>
>>                 [Guilherme at server ~]$ passwd
>>                 Changing password for user Guilherme.
>>                 passwd: Authentication token manipulation error
>>
>>                 Oct  8 14:37:53 server passwd: pam_unix(passwd:chauthtok):
>>                 user "Guilherme"
>>                 does not exist in /etc/passwd
>>
>>
>>             What sort of Linux server?
>>
>>             Rowland
>>
>>             --     To unsubscribe from this list go to the following
>>         URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>     Not really getting anywhere here. I think you need to post your
>>     smb.conf.
>>
>>
>>     Rowland
>>
>>     --     To unsubscribe from this list go to the following URL and read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> Ah, that answers all the questions, it is an AD DC !!!
>
> No, you will not have any users in /etc/passwd (apart from the system
> users), they all need to be in AD and if they are going to login to the DC
> (not recommended) you need to set up winbind, nlscd or sssd.
>
> I think you need to a bit more reading, start here:
>
> https://wiki.samba.org/index.php/Main_Page
>
> The tool to deal with users (and a lot, lot more) is samba-tool, try
> 'samba-tool --help'
>
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list