[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Rowland penny rpenny at samba.org
Fri Jan 15 10:28:14 UTC 2016

On 15/01/16 05:21, Mark Foley wrote:
> You answer piles of questions on this list, so you may not remember,
> but you helped me set this whole domain-member/single logon thing up last
> October. The only thing you had me change with the as-installed PAM
> configuration was to add to /etc/pam.d/common-account:
>
>     session required pam_mkhomedir.so skel=/etc/skel/ umask=0002
>
> I also found I needed to change a line in /etc/pam.d/common-password to:
>
>     password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
>
> (instead of minimum_uid=1000) in order to have my non-domain local users
> be able to change their passwords using passwd. If there is a PAM file I
> can post to verify its correctness, I'd be happy to do that.

You are right, I don't remember :-)

Also good catch with the pam_krb5 line change; this is something I
wasn't aware of. It has other repercussions: if you want to create a
local user and don't specify a uid, it will get a uid in the '10000'
range, not a good idea.

>> OK, I use Mate on debian wheezy and after a bit of testing, I have found
>> that you can change a user's AD password with the gdm3 login manager.
> I will investigate gdm3 and post back results. I am using Cinnamon on
> Ubuntu 15.10, but I suppose it should work.

It works on Debian wheezy with Mate, I have these pam packages installed:

libpam-winbind libpam-krb5 libnss-winbind

With these, I have 'passwd' changing AD passwords (I wrote a YAD script
for this) and using gdm3, when a user tries to log in with an expired
password, they are asked to change it.
I have also set the minimum password age to '0'.


> Thanks for your response!
> --Mark
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Rowland penny <rpenny at samba.org>
>> Date: Thu, 14 Jan 2016 12:16:22 +0000
>> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On,
>> On 14/01/16 09:36, Rowland penny wrote:
>>> On 14/01/16 05:54, Mark Foley wrote:
>>>> Hmmm, this message is a week old and nothing?
>>>> I know many of you have domain member hosts in your domain and surely
>>>> are logging in as domain
>>>> users authenticating with the Samba4 AD/DC, right?
>>>> How do you change your password without having the domain
>>>> Administrator do it for you?
>>>> --Mark
>>>> -----Original Message-----
>>>> From: Mark Foley <mfoley at ohprs.org>
>>>> Date: Fri, 08 Jan 2016 12:10:16 -0500
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Samba AD/DC, Single-Sign-On,
>>>>      domain users cannot change password
>>>> I have successfully joined my Linux/Ubuntu workstation to the Samba
>>>> AD/DC domain thanks to
>>>> help from Rowland Penny.
>>>> Now I face an interesting problem ... Domain users cannot change
>>>> their password.
>>>> Domain users can successfully login to the Linux workstation using
>>>> their domain credentials,
>>>> but when the user tries to change the password using "Passwords and
>>>> Keys" from the desktop
>>>> utility, it does nothing.
>>>> Trying to change the password from a terminal session using `passwd`
>>>> gives the prompt: "Current
>>>> Kerberos password:" but entering the current domain password is not
>>>> accepted and the prompt repeats.
>>>> If the Domain Administrator set the user's account to "User must
>>>> change password at next
>>>> login", or if the domain policy expires passwords after so-many days,
>>>> the user cannot log into
>>>> the Linux workstations -- the display manager login dialog spins for
>>>> several minutes, then
>>>> shows, "Invalid password, please try again."
>>>> This is serious. How does a domain user change his own password?
>>>> HELP!
>>>> --Mark
>>> Using 'passwd' does work, but pam has to be setup correctly and you
>>> cannot change the password on the first day unless you change the
>>> minimum password age to '0'
>>> Changing the password at login has nothing to do with Samba (provided
>>> you can change it from the CLI, see above), it is down to your login
>>> manager.
>>> Rowland
>> OK, I use Mate on debian wheezy and after a bit of testing, I have found
>> that you can change a user's AD password with the gdm3 login manager.
>> Rowland
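The thread turns on one PAM detail: pam_krb5's minimum_uid argument decides which users a `passwd` run is handed to Kerberos for, and which ones fall through to pam_unix. The script below is an added example written for this page; it is not code from the thread, from Samba or from pam_krb5. It reads the minimum_uid value out of a common-password stack, reports whether a given uid would reach pam_krb5, and lists the entries in a passwd file that sit at or above that threshold (Rowland's concern about local accounts landing in the 10000 range). The PAM stack, the passwd entries, the uid 1000 for a local user and the uid 10001 for a winbind-mapped domain user are all constructed samples, not taken from any real host; the sample functions and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread, Samba or pam_krb5: work out which users a
# pam_krb5 "minimum_uid=" setting in /etc/pam.d/common-password applies to.

# Constructed sample of a Debian-style common-password stack carrying the
# pam_krb5 line discussed in the thread (an illustration, not a copy of a real file).
SAMPLE_COMMON_PASSWORD='# /etc/pam.d/common-password (constructed sample)
password  [success=3 default=ignore]  pam_krb5.so minimum_uid=10000
password  [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password  [success=1 default=ignore]  pam_winbind.so use_authtok try_first_pass
password  requisite                   pam_deny.so
password  required                    pam_permit.so'

# Constructed /etc/passwd sample: one ordinary local user and one local service
# account that was created without an explicit uid and landed above 10000.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mark:x:1000:1000:Mark:/home/mark:/bin/bash
svc-backup:x:10005:10005:Backup service:/var/lib/backup:/usr/sbin/nologin'

# pam_krb5_min_uid FILE
# Print the minimum_uid argument of the first pam_krb5 "password" line in FILE.
# Prints 0 when pam_krb5 is listed without minimum_uid (then it applies to
# everyone); prints nothing and returns 1 when there is no pam_krb5 password line.
pam_krb5_min_uid() {
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_krb5\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    min=$(printf '%s\n' "$line" | sed -n 's/.*minimum_uid=\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${min:-0}"
}

# krb5_handles_uid UID FILE
# Return 0 if a passwd run by UID reaches pam_krb5 (uid >= minimum_uid),
# 1 if pam_krb5 skips that user, 2 if pam_krb5 is not in the password stack.
krb5_handles_uid() {
    uid=$1
    file=$2
    min=$(pam_krb5_min_uid "$file") || return 2
    [ "$uid" -ge "$min" ]
}

# local_users_reaching_krb5 PASSWD_FILE PAM_FILE
# Print the names of entries in PASSWD_FILE whose uid is at or above
# minimum_uid. Only /etc/passwd entries are local accounts (winbind users are
# not listed there), so this is exactly the set of local users whose passwd
# run is offered to Kerberos first.
local_users_reaching_krb5() {
    min=$(pam_krb5_min_uid "$2") || return 2
    awk -F: -v min="$min" '$3 >= min { print $1 }' "$1"
}

# Demonstration on the constructed samples. Against a real domain member you
# would pass /etc/pam.d/common-password and /etc/passwd instead.
pam_file=$(mktemp)
printf '%s\n' "$SAMPLE_COMMON_PASSWORD" > "$pam_file"
passwd_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$passwd_file"

echo "pam_krb5 minimum_uid: $(pam_krb5_min_uid "$pam_file")"
# 1000 = local user, 10001 = assumed idmap uid of a domain user (assumption).
for uid in 1000 10001; do
    if krb5_handles_uid "$uid" "$pam_file"; then
        echo "uid $uid: passwd goes to pam_krb5 first (AD password change)"
    else
        echo "uid $uid: pam_krb5 skipped, falls through to pam_unix (local password)"
    fi
done
echo "local accounts that pam_krb5 would try to handle:"
local_users_reaching_krb5 "$passwd_file" "$pam_file"

rm -f "$pam_file" "$passwd_file"
```

On a real host, run `krb5_handles_uid "$(id -u)" /etc/pam.d/common-password` as the user who cannot change their password: a domain user that returns 1 has a uid below minimum_uid and is never offered to Kerberos, while a local user that returns 0 is the case Mark hit with minimum_uid=1000, where `passwd` asks for a "Current Kerberos password" the account does not have.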
