[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Mark Foley mfoley at ohprs.org
Tue Jan 19 15:42:02 UTC 2016


On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:

> I have attached a new version of change_AD_pass, would you like to test it ?

Yes, I will give it a shot!

> I am also wondering if there is a need for a script that would change a 
> users password and at the same time set the unixUserPassword ?

My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed,
at least not for me. If you went that route, I think you would want to avoid the condition
that Guilherme Boing wrote about where the UnixUserPassword got changed, but the AD password
was not and the user could log on using BOTH. I don't know, but if I'm looking at this from the
Windows side and thinking about what the unixUserPassword was intended for, my guess would be
that it assumed a non-AD Unix user.

In the meantime (before having tried your new script), I did some experimentation and have some
observations that may or may not be useful. I can't help thinking that pam has something to do
with this. My common-passwords is below which, except for the "minimum_uid=1000" bit, is as-installed:

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

and /etc/nsswitch.conf has:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

With common-passwords as shown, if I try changing a domain user's password using `passwd` I get:

mark at labrat:~$ passwd
Current Kerberos password: (correct domain pw)
Current Kerberos password: (correct domain pw)
passwd: Authentication token manipulation error
passwd: password unchanged

I get this if I type the correct domain password each time at the "Current Kerberos password"
prompt. However, if I type an incorrect password I get:

mark at labrat:~$ passwd
Current Kerberos password: (incorrect pw)
passwd: Authentication token manipulation error
passwd: password unchanged

Notice that I am only prompted once if the domain password is incorrect, but I am prompted
twice if it is correct. So, somewhere down there, it must know that the password I type is the
correct domain pw ... somehow.

If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark),
but when I try to `passwd` I get:

mark at labrat:~$ passwd
Changing password for mark
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

Still no go, but an interesting change of prompts.

Any clues here?

THX --Mark

-----Original Message-----
> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, domain users cannot change
>  password
> To: Mark Foley <mfoley at ohprs.org>
> From: Rowland penny <rpenny at samba.org>
> Date: Tue, 19 Jan 2016 15:15:15 +0000
>
[deleted]
>
> OK, bin the earlier tarball I sent you, somebody pointed out that 
> 'passwd' changes unixUserPassword and not unicodePwd, even though from 
> my testing, a user could login using the new password.
>
> I have re-written the bash script to use samba-tool instead of passwd, 
> though this also entails altering user.py (a part of Samba) as well, I 
> will be proposing the alteration as a patch to Samba-technical.
>
> I have attached a new version of change_AD_pass, would you like to test it ?
>
> I am also wondering if there is a need for a script that would change a 
> users password and at the same time set the unixUserPassword ?
>
> Rowland
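The control flow behind the common-password stack quoted above, as an added example that is not part of the mailing-list thread or of Samba: the script parses the Linux-PAM control field (the bracketed `[success=N default=ignore]` form and the `required`/`requisite`/`sufficient`/`optional` keywords) and walks the stack once for an assumed set of per-module outcomes, so you can see which modules are actually reached when pam_krb5 succeeds, when it fails, and when its line is removed. The per-module outcomes (`outcomes`), the `drop_module` helper and the `use_authtok` check are constructed assumptions for illustration, not anything from the thread.

```python
"""Trace which modules a Linux-PAM 'password' stack actually reaches.

Added example, not from the mailing-list thread. It parses the control
field (bracketed [success=N default=ignore] syntax and the required /
requisite / sufficient / optional keywords) and walks the stack for a given
set of per-module outcomes. The stack below is the common-password file
quoted in the mail; which module succeeds is a constructed assumption.
"""
import re

# The common-password stack quoted in the thread (constructed copy).
COMMON_PASSWORD = """\
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so
"""

# Keyword controls expressed in the bracket vocabulary (see pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_stack(text):
    """Return a list of (module, control-dict, args) for one pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        control, module, args = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        entries.append((module, ctl, args.split()))
    return entries


def drop_module(entries, name):
    """Simulate commenting out a line, as the mail does with pam_krb5."""
    return [e for e in entries if e[0] != name]


def walk(entries, outcomes):
    """Walk the stack once.  outcomes maps module -> True (PAM_SUCCESS);
    any module not listed is assumed to fail.  Returns (result, reached,
    warnings).  Modelled actions: ok, bad, die, done, ignore, and the
    integer 'skip the next N modules' form.  Note that a real passwd run
    walks the password stack twice (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK);
    this simulator shows one pass."""
    state, reached, warnings, i = None, [], [], 0
    while i < len(entries):
        module, ctl, args = entries[i]
        reached.append(module)
        ok = outcomes.get(module, False)
        action = ctl.get("success" if ok else "default", ctl.get("default", "bad"))
        # use_authtok means "take the new password an earlier module already
        # set"; the first module in the stack has no predecessor to take it from.
        if "use_authtok" in args and i == 0:
            warnings.append(f"{module} has use_authtok but is first in the stack")
        i += 1
        if action.isdigit():                 # success=N: like ok, then jump
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if state != "fail":              # a recorded failure is never overridden
                state = "success" if ok else "fail"
            if action == "done":
                break
        elif action == "bad":
            state = "fail"
        elif action == "die":
            state = "fail"
            break
        # "ignore": the module's return does not contribute to the result
    # Linux-PAM fails the stack when no module contributed a result.
    return (state or "fail"), reached, warnings


STACK = parse_stack(COMMON_PASSWORD)


def trace_correct_kerberos():
    """Assumed outcome: pam_krb5 accepts the current domain password."""
    return walk(STACK, {"pam_krb5.so": True, "pam_permit.so": True})


def trace_wrong_kerberos():
    """Assumed outcome: pam_krb5 rejects the password; no local passwd entry."""
    return walk(STACK, {"pam_permit.so": True})


def trace_without_krb5():
    """The pam_krb5 line commented out, as in the mail."""
    return walk(drop_module(STACK, "pam_krb5.so"), {"pam_permit.so": True})


if __name__ == "__main__":
    for name, fn in [("correct krb5", trace_correct_kerberos),
                     ("wrong krb5", trace_wrong_kerberos),
                     ("krb5 line removed", trace_without_krb5)]:
        result, reached, warnings = fn()
        print(f"{name:18} -> {result:8} via {' -> '.join(reached)}")
        for w in warnings:
            print(f"{'':18}    warning: {w}")
```

With pam_krb5 succeeding, `success=3` jumps straight over pam_unix, pam_winbind and pam_deny to pam_permit, so pam_winbind never sees the request at all; with pam_krb5 failing or removed, every `default=ignore` module is tried in turn and pam_deny ends the stack. The `use_authtok` warning only states what that option means (use the new token an earlier module set); it is a reading aid for the stack, not a diagnosis of the error reported in the thread.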


