[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password

Rowland penny rpenny at samba.org
Tue Jan 19 16:01:50 UTC 2016


On 19/01/16 15:42, Mark Foley wrote:
> On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:
>
>> I have attached a new version of change_AD_pass, would you like to test it ?
> Yes, I will give it a shot!

Thanks, let me know how you go on.

>
>> I am also wondering if there is a need for a script that would change a
>> users password and at the same time set the unixUserPassword ?
> My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed,
> at least not for me. If you went that route, I think you would want to avoid the condition
> that Guilherme Boing wrote about where the UnixUserPassword got changed, but the AD password
> was not and the user could log on using BOTH. I don't know, but if I'm looking at this from the
> Windows side and thinking about what the unixUserPassword was intended for, my guess would be
> that it assumed a non-AD Unix user.

You shouldn't have domain users in /etc/passwd (actually, I don't think 
you can).
I was actually wondering if having a Unix password available in AD for 
things that use ldap authentication was a good idea.

>
> In the meantime (before having tried your new script), I did some experimentation and have some
> observations that may or may not be useful. I can't help thinking that pam has something to do
> with this. My common-passwords is below which, except for the "minimum_uid=1000" bit, is as-installed:
>
> password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
> password        requisite                       pam_deny.so
> password        required                        pam_permit.so
> password        optional        pam_gnome_keyring.so
>
> and /etc/nsswitch.conf has:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
> With common-passwords as shown, if I try changing a domain user's password using `passwd` I get:
>
> mark at labrat:~$ passwd
> Current Kerberos password: (correct domain pw)
> Current Kerberos password: (correct domain pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> I get this if I type the correct domain password each time at the "Current Kerberos password"
> prompt. However, if I type an incorrect password I get:
>
> mark at labrat:~$ passwd
> Current Kerberos password: (incorrect pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Notice that I am only prompted once if the domain password is incorrect, but I am prompted
> twice if it is correct. So, somewhere down there, it must know that the password I type is the
> correct domain pw ... somehow.
>
> If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark),
> but when I try to `passwd` I get:
>
> mark at labrat:~$ passwd
> Changing password for mark
> (current) NT password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Still no go, but an interesting change of prompts.
>
> Any clues here?

No, not really, as I said I could get 'passwd' to change the 
unixuserpassword, but I use the default '1000' in common-password.


Rowland
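As an added illustration (not code from this thread or from Samba): a small Python model of how the Linux-PAM dispatcher walks the common-password stack quoted above, showing which modules get consulted when pam_krb5 succeeds (its `success=3` jumps straight over pam_unix, pam_winbind and pam_deny to pam_permit) versus when every module declines and the requisite pam_deny ends the stack. The per-module return codes fed to it are constructed scenarios, not captured output.

```python
# Added model (not Samba's or the thread's code) of how Linux-PAM walks a stack.
import re
# Sample input: the common-password stack quoted in the thread, verbatim.
COMMON_PASSWORD = """\
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so
"""
# Linux-PAM expands the keyword controls to these [result=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_stack(text):
    """Return [(module, {result: action})] for each 'password' line."""
    stack = []
    for line in text.splitlines():
        ctl, module = re.match(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((module, actions))
    return stack

def run_stack(stack, results):
    """One pass; `results` maps module -> lowercase PAM return name (unlisted modules
    return 'success'). Returns (final status, modules consulted). Real pam_chauthtok
    makes two such passes: a preliminary check, then the update."""
    status, negative, invoked, i = None, False, [], 0
    while i < len(stack):
        module, actions = stack[i]
        ret = results.get(module, "success")
        invoked.append(module)
        action = actions.get(ret, actions.get("default", "bad"))  # "ignore": no effect
        i += 1
        if action.isdigit() or action in ("ok", "done"):
            if not negative and status in (None, "success"):
                status = ret                      # positive impression, unless failed earlier
            if action == "done":
                break
            i += int(action) if action.isdigit() else 0   # success=N: skip next N modules
        elif action in ("bad", "die"):            # first failure decides the status
            if not negative:
                negative, status = True, ret
            if action == "die":
                break
    return status or "perm_denied", invoked
```

With pam_krb5 returning success the walk is pam_krb5, pam_permit, pam_gnome_keyring; with all three password-changing modules declining it is pam_krb5, pam_unix, pam_winbind, pam_deny and the status is whatever pam_deny returned.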