[Samba] Changing User password from ssh member server
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Oct 8 18:57:02 UTC 2015
On 08/10/15 19:34, Guilherme Boing wrote:
> Yes, it is an AD DC.
>
> The thing is, the only way I know to change the user password is from
> a Windows workstation (CTRL+ALT+DEL and go to Change password).
> I was trying to achieve the same thing through another Linux server
> that is not the AD DC. So I thought that it would be possible for them
> to change their AD passwords through "passwd", but it didn't seem to
> work properly, because it is only updating the userPassword attribute.
You either need to write your own script, use samba-tool or find
something else to do it for you, i.e. search the internet.
Rowland
>
> On Thu, Oct 8, 2015 at 3:29 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 08/10/15 19:16, Guilherme Boing wrote:
>
> I have removed use_authtok from /etc/pam.d/system-auth and now
> passwd is "kind of" working...
> I am still able to login with my old password and the new one
> also. But only on the linux servers that are authenticating
> through LDAP.
>
> On my workstation only the old password (the one I was trying
> to change through passwd(ssh)) works.
>
> I have noticed that my user now has a userPassword attribute
> set, where the other users that have never tried to change the
> password from passwd (ssh) do not have.
> It seems that my windows workstation does not rely on
> userPassword, however the linux servers that are
> authenticating through LDAP are considering both userPassword
> and the AD password also... ?!
>
> smb.conf is pretty much the one that comes with the tarball.
> smb.conf and pam configurations: http://pastebin.ca/3185721
>
>
> On Thu, Oct 8, 2015 at 3:03 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 08/10/15 18:59, Guilherme Boing wrote:
>
> Hi Rowland,
>
> This is a CentOS 6.7 server.
> I was able to make some progress. I have edited
> /etc/pam.d/system-auth, and now it looks like:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session optional pam_ldap.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session required pam_unix.so
>
> Now passwd works, but not really:
> [Guilherme at server ~]$ passwd
> Changing password for user Guilherme.
> Enter login(LDAP) password:
> New password:
> Retype new password:
> LDAP password information changed for Guilherme
> passwd: all authentication tokens updated successfully.
>
> After that, I have logged out and logged in with the same old
> password. The password didn't seem to update.
>
>
> On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 08/10/15 18:38, Guilherme Boing wrote:
>
> Hi,
>
> I am authenticating users on our linux servers using
> nslcd/pam_ldap.
> Authentication is fine, however, it is not possible for the
> user to change the password from the server.
>
> Is there a way to make it work ?
>
> [Guilherme at server ~]$ passwd
> Changing password for user Guilherme.
> passwd: Authentication token manipulation error
>
> Oct 8 14:37:53 server passwd: pam_unix(passwd:chauthtok): user "Guilherme" does not exist in /etc/passwd
>
>
> What sort of Linux server?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> Not really getting anywhere here. I think you need to post your
> smb.conf.
>
>
> Rowland
>
>
>
>
> Ah, that answers all the questions, it is an AD DC !!!
>
> No, you will not have any users in /etc/passwd (apart from the
> system users), they all need to be in AD and if they are going to
> login to the DC (not recommended) you need to set up winbind,
> nslcd or sssd.
>
> I think you need to do a bit more reading, start here:
>
> https://wiki.samba.org/index.php/Main_Page
>
> The tool to deal with users (and a lot, lot more) is samba-tool,
> try 'samba-tool --help'
>
>
> Rowland
>
>
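The thread observes that running passwd through pam_ldap set a userPassword attribute on the account instead of changing the AD password. As an added example (not part of the original messages), this Python audit reads an LDIF export of user entries and lists the accounts that carry userPassword, reporting only the hash scheme prefix; the sample LDIF, DNs and function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the thread); DNs and values are made up.
_B64 = base64.b64encode(b"{SSHA}constructed-value").decode()
SAMPLE_LDIF = "\n".join([
    "dn: CN=Guilherme,CN=Users,DC=example,DC=com",
    "sAMAccountName: Guilherme",
    "userPassword:: " + _B64[:12],
    " " + _B64[12:],  # folded continuation line
    "",
    "dn: CN=alice,CN=Users,DC=example,DC=com",
    "sAMAccountName: alice",
    "",
    "dn: CN=bob,CN=Users,DC=example,DC=com",
    "sAMAccountName: bob",
    "userPassword: {CRYPT}constructed",
])

def parse_entries(ldif):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped value
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def accounts_with_userpassword(ldif):
    """Return (account, scheme) pairs; the stored value itself is never returned."""
    hits = []
    for entry in parse_entries(ldif):
        name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        for value in entry.get("userpassword", []):
            scheme = value[1:value.index("}")] if value.startswith("{") and "}" in value else "none"
            hits.append((name, scheme))
    return hits
```

Calling `accounts_with_userpassword()` on a real export gives the list of accounts whose userPassword attribute should be reviewed and cleared once the password has been changed through an AD-aware tool such as samba-tool.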