[Samba] Password changes and syncing passwords with Linux accounts
rpenny at samba.org
Tue Feb 16 20:51:33 UTC 2016
On 16/02/16 19:55, Chris Hastie wrote:
> On 16/02/16 18:13, Rowland penny wrote:
>>> >I don't have any such lines. Could it be this in the PAM config that
>>> >is causing the problem:
>>> >auth optional pam_smbpass.so migrate
>> Could well be, I do not seem to have this line in pam, which file is
>> it in ?
>> Also, what does 'pam-auth-update' show ?
> It's in /etc/pam.d/common-auth.
> pam-auth-update shows:
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group hierarchy
> [*] SMB password synchronization
> [*] Inheritable Capabilities Management
> Unchecking 'SMB password synchronization' removes the line from
> common-auth and seems to have solved the problem. So progress—I just
> need to sort out my groups now.
You might want to install the libpam-krb5 package, this will get you this:
[*] Kerberos authentication
> A related question. I see there is user 'root' known to winbind, and
> also in /etc/passwd. Does Samba have any need for this user (given the
> existance of 'Administrator')? I'm inclined to delete it from Samba
> and keep it in /etc/passwd. Would this be a sensible plan?
This is one user that you definitely want in /etc/passwd and not in AD.
On a Samba AD DC, the 'Administrator' user is mapped to the Unix user
'root', this allows you to set ACLs etc on the DC from windows.
More information about the samba