[Samba] Password changes and syncing passwords with Linux accounts
Rowland penny
rpenny at samba.org
Tue Feb 16 08:38:25 UTC 2016
On 16/02/16 07:47, Chris Hastie wrote:
> Hi
>
> I'm experiencing some odd behaviour when trying to change passwords.
> I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS.
> When I change a password (either from a Win10 Pro client, or using
> smbpasswd on the machine itself) it all reports that things have
> worked. I can then login to Samba using the new password.
>
> However, when I now try to login to Linux using the new password I get
> this error on the terminal:
>
> Failed to add entry for user MYDOMAIN\someuser.
>
> In /var/log/auth.log I see
>
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
> Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
> Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]
>
> Now when I try the old password for a Linux login it works. BUT, in
> doing so it seems to reset the Samba password back to the old one.
>
> What it looks to me is happening, though I know little about PAM and
> auth mechanisms, is
>
> * the samba password is successfully changed
> * no attempt is made, or if it is it isn't successful, to change the
>   password in /etc/passwd or /etc/shadow
> * PAM, having checked /etc/shadow and not found a match, checks winbind
> * winbind approves the login, but somewhere along the line prepends
>   MYDOMAIN\ to the user name
> * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
> * a subsequent successful Linux login causes something to update Samba,
>   perhaps this line in /etc/pam.d/common-auth:
>
>   auth optional pam_smbpass.so migrate
>
> I have tried various combinations of 'unix password sync', 'passwd
> program', 'passwd chat' and 'pam password change' in smb.conf in an
> attempt to get /etc/passwd and /etc/shadow updated when a password is
> changed. I've also experimented with 'winbind use default domain = yes'
> to see if this stopped the prepending of MYDOMAIN\. All to no avail,
> and I'm not clear that any of these options has an effect when running
> as an AD-DC.
>
> I should add that as this installation was migrated from an NT PDC all
> users have unix accounts on the Linux machine. I would ideally like to
> keep the passwords in sync, and to be able to do so using Windows tools
> such as Ctl+Alt+Del. It does seem as if changing passwords on the Linux
> box using passwd will change both Linux and Samba passwords.
>
> Can anybody point me in the right direction?
>
> Cheers
>
> Chris
OK, you say this:
I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS.
Then you say this:
I should add that as this installation was migrated from an NT PDC
Finally you say this:
all users have unix accounts on the Linux machine.
You are not going to like this, but I am going to say it anyway:
*Remove* any users that are in AD from /etc/passwd (the same goes for
groups)
All your users & groups should now only exist in AD, you do not need or
can have, users & groups in AD *and* /etc/passwd & /etc/group.
Your users will only have one password and this will be stored in AD in
a hidden attribute.
Rowland
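An added example, not from Rowland's reply or from the Samba project: before removing anything, an administrator wants to know exactly which local accounts collide with AD ones, since a name that resolves both in /etc/passwd and through winbind is the situation that lets pam_unix and pam_winbind disagree about the password. The POSIX shell function below intersects the names in a passwd- or group-style file with an AD name list in the form `wbinfo -u` / `wbinfo -g` print it (with or without the `DOMAIN\` prefix, compared case-insensitively because AD names are). All sample data is constructed for the example; the function name is my own.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread). Reports names that
# exist both in a local passwd/group file and in an AD user/group list.
# The sample data below is constructed; on a real DC feed it /etc/passwd,
# /etc/group and the output of 'wbinfo -u' / 'wbinfo -g'.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
someuser:x:1001:1001:Some User:/home/someuser:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
localadmin:x:1003:1003:Local Admin:/home/localadmin:/bin/bash'

# AD user names as winbind prints them without 'winbind use default domain'
# (DOMAIN\name). Bare names are accepted too.
SAMPLE_AD_USERS='MYDOMAIN\someuser
MYDOMAIN\Alice
MYDOMAIN\bob'

SAMPLE_GROUP='root:x:0:
sudo:x:27:localadmin
staff:x:1001:someuser,alice
printers:x:1002:alice'

# AD group names may contain spaces, so the intersection must not split
# on whitespace.
SAMPLE_AD_GROUPS='MYDOMAIN\domain users
MYDOMAIN\staff
MYDOMAIN\printers'

# find_duplicate_accounts "<passwd or group file text>" "<AD name list>"
# Prints, sorted and one per line, the local names that also exist in AD.
# Only reports; it removes nothing.
find_duplicate_accounts() {
    {
        # Local side: first colon-separated field, tagged "L:"
        printf '%s\n' "$1" | cut -d: -f1 | tr 'A-Z' 'a-z' | sed 's/^/L:/'
        # AD side: drop everything up to the last backslash, tagged "A:"
        printf '%s\n' "$2" | sed 's/.*\\//' | tr 'A-Z' 'a-z' | sed 's/^/A:/'
    } | awk '
        substr($0, 1, 2) == "L:" { loc[substr($0, 3)] = 1; next }
        substr($0, 3) in loc     { dup[substr($0, 3)] = 1 }
        END { for (n in dup) print n }
    ' | sort
}

echo "Users present in both the local passwd file and AD:"
find_duplicate_accounts "$SAMPLE_PASSWD" "$SAMPLE_AD_USERS"
echo "Groups present in both the local group file and AD:"
find_duplicate_accounts "$SAMPLE_GROUP" "$SAMPLE_AD_GROUPS"
```

On a live DC the same function runs as `find_duplicate_accounts "$(cat /etc/passwd)" "$(wbinfo -u)"` and `find_duplicate_accounts "$(cat /etc/group)" "$(wbinfo -g)"`. It deliberately only lists the overlap: the local UID of each listed account will usually differ from the ID winbind assigns, so files owned by the local account need their ownership checked before the /etc/passwd entry is deleted.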