[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Rowland penny rpenny at samba.org
Thu Jan 14 12:16:22 UTC 2016

On 14/01/16 09:36, Rowland penny wrote:
> On 14/01/16 05:54, Mark Foley wrote:
>> Hmmm, this message is a week old and nothing?
>> I know many of you have domain member hosts in your domain and surely 
>> are logging in as domain
>> users authenticating with the Samba4 AD/DC, right?
>> How do you change your password without having the domain 
>> Administrator do it for you?
>> --Mark
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Fri, 08 Jan 2016 12:10:16 -0500
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba AD/DC, Single-Sign-On,
>>     domain users cannot change password
>> I have successfully joined my Linux/Ubuntu workstation to the Samba 
>> AD/DC domain thanks to
>> help from Rowland Penny.
>> Now I face an interesting problem ... Domain users cannot change 
>> their password.
>> Domain users can successfully log in to the Linux workstation using 
>> their domain credentials,
>> but when the user tries to change the password using "Passwords and 
>> Keys" from the desktop
>> utility, it does nothing.
>> Trying to change the password from a terminal session using `passwd` 
>> gives the prompt: "Current
>> Kerberos password:" but entering the current domain password is not 
>> accepted and the prompt repeats.
>> If the Domain Administrator set the user's account to "User must 
>> change password at next
>> login", or if the domain policy expires passwords after so-many days, 
>> the user cannot log into
>> the Linux workstations -- the display manager login dialog spins for 
>> several minutes, then
>> shows, "Invalid password, please try again."
>> This is serious. How does a domain user change his own password?
>> HELP!
>> --Mark
> Using 'passwd' does work, but PAM has to be set up correctly and you 
> cannot change the password on the first day unless you change the 
> minimum password age to '0'.
> Changing the password at login has nothing to do with Samba (provided 
> you can change it from the CLI, see above), it is down to your login 
> manager.
> Rowland

OK, I use Mate on Debian wheezy and after a bit of testing, I have found 
that you can change a user's AD password with the gdm3 login manager.