[Samba] Password changes and syncing passwords with Linux accounts
lists at oak-wood.co.uk
Tue Feb 16 07:47:38 UTC 2016
I'm experiencing some odd behaviour when trying to change passwords. I
have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When
I change a password (either from a Win10 Pro client, or using smbpasswd
on the machine itself) it all reports that things have worked. I can
then login to Samba using the new password.
However, when I now try to login to Linux using the new password I get
this error on the terminal:
Failed to add entry for user MYDOMAIN\someuser.
In /var/log/auth.log I see
Feb 16 07:18:20 oak sshd: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
Feb 16 07:18:20 oak sshd: pam_winbind(sshd:auth): getting
Feb 16 07:18:20 oak sshd: pam_winbind(sshd:auth): pam_get_item
returned a password
Feb 16 07:18:20 oak sshd: pam_winbind(sshd:auth): user 'someuser'
Feb 16 07:18:20 oak sshd: pam_unix(sshd:account): could not
identify user (from getpwnam(MYDOMAIN\someuser))
Feb 16 07:18:20 oak sshd: Failed password for someuser from
192.168.37.119 port 53822 ssh2
Feb 16 07:18:20 oak sshd: fatal: Access denied for user someuser
by PAM account configuration [preauth]
Now when I try the old password for a Linux login it works. BUT, in
doing so it seems to reset the Samba password back to the old one.
What it looks to me is happening, though I know little about PAM and
auth mechanisms, is
* the samba password is successfully changed
* no attempt is made, or if it is it isn't successful, to change the
password in /etc/passwd or /etc/shadow
* PAM, having checked /etc/shadow and not found a match, checks winbind
* winbind approves the login, but somewhere along the line prepends
MYDOMAIN\ to the user name
* there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
* a subsequent successful Linux login causes something to update Samba,
perhaps this line in /etc/pam.d/common-auth:
auth optional pam_smbpass.so migrate
I have tried various combinations of 'unix password sync', 'passwd
program', 'passwd chat' and 'pam password change' in smb.conf in an
attempt to get /etc/passwd and /etc/shadow updated when a password is
changed. I've also experimented with 'winbind use default domain = yes'
to see if this stopped the prepending of MYDOMAIN\. All to no avail, and
I'm not clear that any of these options has an effect when running as an
I should add that as this installation was migrated from an NT PDC all
users have unix accounts on the Linux machine. I would ideally like to
keep the passwords in sync, and to be able to do so using Windows tools
such as Ctl+Alt+Del. It does seem as if changing passwords on the Linux
box using passwd will change both Linux and Samba passwords.
Can anybody point me in the right direction?
More information about the samba