[Samba] Password changes and syncing passwords with Linux accounts

Rowland penny rpenny at samba.org
Tue Feb 16 20:51:33 UTC 2016

On 16/02/16 19:55, Chris Hastie wrote:
> On 16/02/16 18:13, Rowland penny wrote:
>>> >I don't have any such lines. Could it be this in the PAM config that
>>> >is causing the problem:
>>> >
>>> >auth    optional            pam_smbpass.so migrate
>>> >
>> Could well be, I do not seem to have this line in pam, which file is
>> it in?
>> Also, what does 'pam-auth-update' show?
> It's in /etc/pam.d/common-auth.
> pam-auth-update shows:
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group hierarchy
> [*] SMB password synchronization
> [*] Inheritable Capabilities Management
> Unchecking 'SMB password synchronization' removes the line from 
> common-auth and seems to have solved the problem. So progress—I just 
> need to sort out my groups now.

You might want to install the libpam-krb5 package; this will get you this:

[*] Kerberos authentication

> A related question. I see there is user 'root' known to winbind, and 
> also in /etc/passwd. Does Samba have any need for this user (given the 
> existence of 'Administrator')? I'm inclined to delete it from Samba 
> and keep it in /etc/passwd. Would this be a sensible plan?

This is one user that you definitely want in /etc/passwd and not in AD.
On a Samba AD DC, the 'Administrator' user is mapped to the Unix user
'root'; this allows you to set ACLs etc. on the DC from Windows.

