[Samba] Password changes and syncing passwords with Linux accounts

Chris Hastie lists at oak-wood.co.uk
Tue Feb 16 07:47:38 UTC 2016


Hi

I'm experiencing some odd behaviour when trying to change passwords. I 
have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When 
I change a password (either from a Win10 Pro client, or using smbpasswd 
on the machine itself) it all reports that things have worked. I can 
then log in to Samba using the new password.

However, when I now try to log in to Linux using the new password I get 
this error on the terminal:

Failed to add entry for user MYDOMAIN\someuser.

In /var/log/auth.log I see

Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk  user=someuser
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]

Now when I try the old password for a Linux login it works. BUT, in 
doing so it seems to reset the Samba password back to the old one.

What it looks to me is happening, though I know little about PAM and 
auth mechanisms, is

* the samba password is successfully changed
* no attempt is made, or if it is it isn't successful, to change the 
password in /etc/passwd or /etc/shadow
* PAM, having checked /etc/shadow and not found a match, checks winbind
* winbind approves the login, but somewhere along the line prepends 
MYDOMAIN\ to the user name
* there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
* a subsequent successful Linux login causes something to update Samba, 
perhaps this line in /etc/pam.d/common-auth:

auth    optional            pam_smbpass.so migrate

I have tried various combinations of 'unix password sync', 'passwd 
program', 'passwd chat' and 'pam password change' in smb.conf in an 
attempt to get /etc/passwd and /etc/shadow updated when a password is 
changed. I've also experimented with 'winbind use default domain = yes' 
to see if this stopped the prepending of MYDOMAIN\. All to no avail, and 
I'm not clear that any of these options has an effect when running as an 
AD-DC.

I should add that as this installation was migrated from an NT PDC all 
users have unix accounts on the Linux machine. I would ideally like to 
keep the passwords in sync, and to be able to do so using Windows tools 
such as Ctrl+Alt+Del. It does seem as if changing passwords on the Linux 
box using passwd will change both Linux and Samba passwords.

Can anybody point me in the right direction?

Cheers

Chris
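
Added example, not part of the original post: a Python script that groups the auth.log lines quoted above by sshd PID and reports which PAM module decided each phase, so a login where the auth phase passes but the account phase fails a getpwnam lookup stands out. The function names are invented for this example, and the message patterns cover only the three decisive messages that appear in the quoted log.

```python
import re
from collections import defaultdict

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE = r"""
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk  user=someuser
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]
"""

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")               # PID and message body
PAM = re.compile(r"(pam_\w+)\(\w+:(\w+)\): (.*)$")       # module, phase, text
GETPWNAM = re.compile(r"could not identify user \(from getpwnam\((.+?)\)\)")

def pam_outcomes(text):
    """Map sshd PID -> [(module, phase, 'ok'|'fail', detail)] for decisive lines."""
    out = defaultdict(list)
    for line in text.splitlines():
        s = SSHD.search(line)
        p = PAM.match(s.group(2)) if s else None
        if not p:
            continue                      # blank line or a non-PAM sshd message
        module, phase, msg = p.groups()
        lookup = GETPWNAM.search(msg)
        if lookup:                        # detail = the name NSS could not resolve
            out[s.group(1)].append((module, phase, "fail", lookup.group(1)))
        elif "authentication failure" in msg:
            out[s.group(1)].append((module, phase, "fail", ""))
        elif "granted access" in msg:
            out[s.group(1)].append((module, phase, "ok", ""))
    return dict(out)

def auth_ok_account_failed(text):
    """Sessions where a module passed 'auth' but 'account' failed a name lookup."""
    hits = []
    for pid, events in pam_outcomes(text).items():
        passed = [m for m, ph, r, _ in events if ph == "auth" and r == "ok"]
        failed = [(m, d) for m, ph, r, d in events if ph == "account" and r == "fail" and d]
        if passed and failed:
            hits.append({"pid": pid, "auth_ok": passed[0],
                         "account_fail": failed[0][0], "getpwnam": failed[0][1]})
    return hits

if __name__ == "__main__":
    print(auth_ok_account_failed(SAMPLE))
```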


