[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Mark Foley mfoley at ohprs.org
Fri Jan 15 05:31:14 UTC 2016


On Thu, January 14, 2016 Sketch wrote:

> I type "passwd" in a shell, and it works as it should. One thing I note is 
> that it only asks me for my Kerberos password if I fail to enter my 
> password correctly.

Not for me. I *always* get the Kerberos password prompt. I have the minimum_uid=10000 in
/etc/pam.d/common-password above which are my domain users. Anyway, would passwd know how to
change a domain user not in the /etc/passwd file?

> Rowland's suggestion that your PAM configuration is incorrect seems like a 
> good possibility here.

Rowland helped me set PAM up in the first place and I've asked him for advice on what might be
wrong.

I agree with you about the "Passwords and Keys" function; it doesn't let you actually change
your user login password. In fact, I don't really see the use for this utility at all. 

I wonder how normal at-home Cinnamon desktop users change their actual login password? Surely
there must be a way. I'm too new with all this GUI desktop stuff to know the answer.

Thanks for your feedback. I'm going to research Rowland's suggested gdm3 and post back results.

--Mark

-----Original Message-----
> Date: Thu, 14 Jan 2016 08:14:56 -0600 (CST)
> From: Sketch <smblist at rednsx.org>
> To: Mark Foley <mfoley at ohprs.org>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On,
>  domain users cannot change password
>
> On Thu, 14 Jan 2016, Mark Foley wrote:
>
> > Hmmm, this message is a week old and nothing?
> >
> > I know many of you have domain member hosts in your domain and surely are logging in as domain
> > users authenticating with the Samba4 AD/DC, right?
> >
> > How do you change your password without having the domain Administrator do it for you?
>
> > Trying to change the password from a terminal session using `passwd` 
> > gives the prompt: "Current Kerberos password:" but entering the current 
> > domain password is not accepted and the prompt repeats.
>
> I type "passwd" in a shell, and it works as it should. One thing I note is 
> that it only asks me for my Kerberos password if I fail to enter my 
> password correctly.
>
> Current Password:
> Password change failed. Server message: Old password not accepted.
> Kerberos 5 Password:
>
> Rowland's suggestion that your PAM configuration is incorrect seems like a 
> good possibility here.
>
> > Domain users can successfully login to the Linux workstation using their domain credentials,
> > but when the user tries to change the password using "Passwords and Keys" from the desktop
> > utility, it does nothing.
>
> I don't run Ubuntu, but I did take a look at GNOME's "Passwords and Keys" 
> as it exists in GNOME 3.14 in CentOS 7, and I don't see any way to change the 
> user's system password from it.  I do see "login" under "Passwords", but 
> it only seems to change the password used to unlock the keyring itself 
> (which is normally the user's login password), not the user's actual login 
> password.  I don't think this is the right place to change the login 
> password.