[Samba] Password changes and syncing passwords with Linux accounts
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 16 08:16:40 UTC 2016
I suggest you also read:
Thread: AD Group lost from Winbind
Looks to me like the same problem, and imo a bug.
But not identified yet.
For now, I'm affected the same as you, but as far as I tested it's only on the DCs.
A quick fix can be:
server services = -dns -winbindd +winbind
# server services = -dns
Now wbinfo -u gives back only the users and you should be able to log in again if you have pam_winbind set up also.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Chris Hastie
> Sent: Tuesday 16 February 2016 8:48
> To: samba at lists.samba.org
> Subject: [Samba] Password changes and syncing passwords with Linux
> accounts
>
> Hi
>
> I'm experiencing some odd behaviour when trying to change passwords. I
> have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When
> I change a password (either from a Win10 Pro client, or using smbpasswd
> on the machine itself) it all reports that things have worked. I can
> then log in to Samba using the new password.
>
> However, when I now try to log in to Linux using the new password I get
> this error on the terminal:
>
> Failed to add entry for user MYDOMAIN\someuser.
>
> In /var/log/auth.log I see
>
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting
> password (0x00000388)
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item
> returned a password
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser'
> granted access
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not
> identify user (from getpwnam(MYDOMAIN\someuser))
> Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from
> 192.168.37.119 port 53822 ssh2
> Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser
> by PAM account configuration [preauth]
>
> Now when I try the old password for a Linux login it works. BUT, in
> doing so it seems to reset the Samba password back to the old one.
>
> What it looks to me is happening, though I know little about PAM and
> auth mechanisms, is
>
> * the samba password is successfully changed
> * no attempt is made, or if it is it isn't successful, to change the
> password in /etc/passwd or /etc/shadow
> * PAM, having checked /etc/shadow and not found a match, checks winbind
> * winbind approves the login, but somewhere along the line prepends
> MYDOMAIN\ to the user name
> * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
> * a subsequent successful Linux login causes something to update Samba,
> perhaps this line in /etc/pam.d/common-auth:
>
> auth optional pam_smbpass.so migrate
>
> I have tried various combinations of 'unix password sync', 'passwd
> program', 'passwd chat' and 'pam password change' in smb.conf in an
> attempt to get /etc/passwd and /etc/shadow updated when a password is
> changed. I've also experimented with 'winbind use default domain = yes'
> to see if this stopped the prepending of MYDOMAIN\. All to no avail, and
> I'm not clear that any of these options has an effect when running as an
> AD-DC.
>
> I should add that as this installation was migrated from an NT PDC all
> users have unix accounts on the Linux machine. I would ideally like to
> keep the passwords in sync, and to be able to do so using Windows tools
> such as Ctrl+Alt+Del. It does seem as if changing passwords on the Linux
> box using passwd will change both Linux and Samba passwords.
>
> Can anybody point me in the right direction?
>
> Cheers
>
> Chris