[Samba] Password changes and syncing passwords with Linux accounts

L.P.H. van Belle belle at bazuin.nl
Tue Feb 16 08:16:40 UTC 2016

I suggest you also read:

Thread: AD Group lost from Winbind
Looks to me like the same problem, and IMO a bug.
But not identified yet.

For now, I'm affected the same as you, but as far as I tested it's only on the DCs.
A quick fix can be : 

        server services = -dns -winbindd +winbind
#       server services = -dns

Now wbinfo -u gives back only the users and you should be able to log in again if you also have pam_winbind set up.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Chris Hastie
> Sent: Tuesday 16 February 2016 8:48
> To: samba at lists.samba.org
> Subject: [Samba] Password changes and syncing passwords with Linux
> accounts
> Hi
> I'm experiencing some odd behaviour when trying to change passwords. I
> have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When
> I change a password (either from a Win10 Pro client, or using smbpasswd
> on the machine itself) it all reports that things have worked. I can
> then login to Samba using the new password.
> However, when I now try to login to Linux using the new password I get
> this error on the terminal:
> Failed to add entry for user MYDOMAIN\someuser.
> In /var/log/auth.log I see
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=cranesbill.thegrove.oak-wood.co.uk  user=someuser
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting
> password (0x00000388)
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item
> returned a password
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser'
> granted access
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not
> identify user (from getpwnam(MYDOMAIN\someuser))
> Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from
> port 53822 ssh2
> Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser
> by PAM account configuration [preauth]
> Now when I try the old password for a Linux login it works. BUT, in
> doing so it seems to reset the Samba password back to the old one.
> What it looks to me is happening, though I know little about PAM and
> auth mechanisms, is
> * the samba password is successfully changed
> * no attempt is made, or if it is it isn't successful, to change the
> password in /etc/passwd or /etc/shadow
> * PAM, having checked /etc/shadow and not found a match, checks winbind
> * winbind approves the login, but somewhere along the line prepends
> MYDOMAIN\ to the user name
> * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
> * a subsequent successful Linux login causes something to update Samba,
> perhaps this line in /etc/pam.d/common-auth:
> auth    optional            pam_smbpass.so migrate
> I have tried various combinations of 'unix password sync', 'passwd
> program', 'passwd chat' and 'pam password change' in smb.conf in an
> attempt to get /etc/passwd and /etc/shadow updated when a password is
> changed. I've also experimented with 'winbind use default domain = yes'
> to see if this stopped the prepending of MYDOMAIN\. All to no avail, and
> I'm not clear that any of these options has an effect when running as an
> AD-DC.
> I should add that as this installation was migrated from an NT PDC all
> users have unix accounts on the Linux machine. I would ideally like to
> keep the passwords in sync, and to be able to do so using Windows tools
> such as Ctl+Alt+Del. It does seem as if changing passwords on the Linux
> box using passwd will change both Linux and Samba passwords.
> Can anybody point me in the right direction?
> Cheers
> Chris
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
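
The pattern in the quoted auth.log (pam_winbind grants access in the auth phase, then the account phase fails in getpwnam for the domain-prefixed name) can be picked out of a log per sshd process. This Python code is an added example, not part of either message; the log lines are constructed from the excerpt above, and `find_nss_mismatches`, `client.example` and `192.0.2.10` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt quoted above
# (client.example, PID 12801, otheruser and 192.0.2.10 are made up).
SAMPLE_LOG = """\
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example  user=someuser
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\\someuser))
Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]
Feb 16 07:20:01 oak sshd[12801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example  user=otheruser
Feb 16 07:20:03 oak sshd[12801]: Failed password for otheruser from 192.0.2.10 port 53900 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM = re.compile(r"(?P<mod>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<text>.*)")
GRANTED = re.compile(r"user '(?P<user>[^']+)' granted access")
GETPWNAM = re.compile(r"could not identify user \(from getpwnam\((?P<name>[^)]+)\)\)")

def find_nss_mismatches(log_text):
    """Return sshd sessions where pam_winbind accepted the password but the
    account phase could not resolve the user name through getpwnam()."""
    sessions = defaultdict(dict)  # keyed by sshd PID
    for line in log_text.splitlines():
        m = LINE.search(line)
        pam = PAM.match(m["msg"]) if m else None
        if not pam:
            continue  # not a PAM module message from sshd
        state = sessions[m["pid"]]
        if pam["mod"] == "pam_winbind" and pam["phase"] == "auth":
            granted = GRANTED.search(pam["text"])
            if granted:
                state["auth_user"] = granted["user"]
        elif pam["phase"] == "account":
            failed = GETPWNAM.search(pam["text"])
            if failed:
                state["lookup_name"] = failed["name"]
    # Only sessions showing both halves of the pattern are reported.
    return [{"pid": pid, **s} for pid, s in sessions.items()
            if "auth_user" in s and "lookup_name" in s]

if __name__ == "__main__":
    for hit in find_nss_mismatches(SAMPLE_LOG):
        print(f"sshd[{hit['pid']}]: winbind accepted {hit['auth_user']!r}, "
              f"but getpwnam({hit['lookup_name']!r}) failed in the account phase")
```

A hit means the password was accepted and the rejection came from name resolution in the account phase, so the place to look is the NSS/winbind user mapping rather than the password itself.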
