[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Sketch smblist at rednsx.org
Thu Jan 14 14:14:56 UTC 2016

On Thu, 14 Jan 2016, Mark Foley wrote:

> Hmmm, this message is a week old and nothing?
> I know many of you have domain member hosts in your domain and surely are logging in as domain
> users authenticating with the Samba4 AD/DC, right?
> How do you change your password without having the domain Administrator do it for you?

> Trying to change the password from a terminal session using `passwd` 
> gives the prompt: "Current Kerberos password:" but entering the current 
> domain password is not accepted and the prompt repeats.

I type "passwd" in a shell, and it works as it should. One thing I note is 
that it only asks me for my kerberos password if i fail to enter my 
password correctly.

Current Password:
Password change failed. Server message: Old password not accepted.
Kerberos 5 Password:

Rowland's suggestion that your PAM configuration is incorrect seems like a 
good possibility here.

> Domain users can successfully login to the Linux workstation using their domain credentials,
> but when the user tries to change the password using "Passwords and Keys" from the desktop
> utility, it does nothing.

I don't run Ubuntu, but I did take a look at GNOME's "Passwords and Keys" 
as exist in gnome 3.14 in centos 7, and I don't see any way to change the 
user's system password from it.  I do see "login" under "Passwords", but 
it only seems to change the password used to unlock the keyring itself 
(which is normally the user's login password), not the user's actual login 
password.  I don't think this is the right place to change the login 

More information about the samba mailing list