[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
Rowland penny
rpenny at samba.org
Tue Jan 19 16:01:50 UTC 2016
On 19/01/16 15:42, Mark Foley wrote:
> On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:
>
>> I have attached a new version of change_AD_pass, would you like to test it?
> Yes, I will give it a shot!
Thanks, let me know how you go on.
>
>> I am also wondering if there is a need for a script that would change a
>> user's password and at the same time set the unixUserPassword?
> My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed,
> at least not for me. If you went that route, I think you would want to avoid the condition
> that Guilherme Boing wrote about where the UnixUserPassword got changed, but the AD password
> was not and the user could log on using BOTH. I don't know, but if I'm looking at this from the
> Windows side and thinking about what the unixUserPassword was intended for, my guess would be
> that it assumed a non-AD Unix user.
You shouldn't have domain users in /etc/passwd (actually, I don't think
you can).
I was actually wondering if having a Unix password available in AD for
things that use ldap authentication was a good idea.
>
> In the meantime (before having tried your new script), I did some experimentation and have some
> observations that may or may not be useful. I can't help thinking that pam has something to do
> with this. My common-passwords is below which, except for the "minimum_uid=1000" bit, is as-installed:
>
> password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> password requisite pam_deny.so
> password required pam_permit.so
> password optional pam_gnome_keyring.so
>
> and /etc/nsswitch.conf has:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> With common-passwords as shown, if I try changing a domain user's password using `passwd` I get:
>
> mark at labrat:~$ passwd
> Current Kerberos password: (correct domain pw)
> Current Kerberos password: (correct domain pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> I get this if I type the correct domain password each time at the "Current Kerberos password"
> prompt. However, if I type an incorrect password I get:
>
> mark at labrat:~$ passwd
> Current Kerberos password: (incorrect pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Notice that I am only prompted once if the domain password is incorrect, but I am prompted
> twice if it is correct. So, somewhere down there, it must know that the password I type is the
> correct domain pw ... somehow.
>
> If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark),
> but when I try to `passwd` I get:
>
> mark at labrat:~$ passwd
> Changing password for mark
> (current) NT password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Still no go, but an interesting change of prompts.
>
> Any clues here?
No, not really. As I said, I could get 'passwd' to change the
unixuserpassword, but I use the default '1000' in common-password.
Rowland
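Added example (not part of the thread, and not code from Samba or any of the posters): a small simulator for how PAM walks a `password` stack like the common-password file quoted above. It parses the quoted lines, applies the `[success=N default=ignore]` rule (a success counts as "ok" and jumps over the next N modules), the `requisite`/`required`/`optional` keywords, and pam_krb5's `minimum_uid` option (users below that uid are ignored by pam_krb5). The per-module outcomes passed in are constructed assumptions about what each module would return; pam_deny always fails and pam_permit always succeeds. It shows which module ends up handling the change depending on the uid and on which modules succeed.

```python
"""Simulate PAM 'password' stack evaluation for the common-password stack
quoted in the thread.  Added example, not code from the mailing-list post.
Module outcomes given to run_stack() are constructed, not real PAM results."""
import re
from dataclasses import dataclass

# Constructed copy of the stack quoted in the thread.
COMMON_PASSWORD = """\
password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
"""

# Keyword controls expressed in the same bracket form PAM documents them as.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

@dataclass
class PamRule:
    mtype: str       # e.g. "password"
    control: dict    # e.g. {"success": "3", "default": "ignore"}
    module: str      # e.g. "pam_krb5.so"
    args: list       # module arguments, e.g. ["minimum_uid=10000"]

def parse_pam(text):
    """Parse pam.d-style lines into PamRule objects (comments/blank lines skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable pam line: {line}")
        mtype, ctl, module, rest = m.groups()
        if ctl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctl[1:-1].split())
        else:
            control = dict(KEYWORDS[ctl])
        rules.append(PamRule(mtype, control, module, rest.split()))
    return rules

def run_stack(rules, uid, outcomes):
    """Walk the stack for a user with the given uid.

    outcomes: constructed map module -> "success" | "fail" (default "success").
    Returns (final_result, modules_that_acted).  Modules that return
    'ignore' (pam_krb5 below minimum_uid, or a failure under default=ignore
    still counts as consulted) are listed only if they actually ran."""
    handled, failed, succeeded = [], False, False
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.module == "pam_deny.so":
            outcome = "fail"
        elif r.module == "pam_permit.so":
            outcome = "success"
        else:
            outcome = outcomes.get(r.module, "success")
        # pam_krb5's minimum_uid: users below it are ignored by the module.
        for a in r.args:
            k, _, v = a.partition("=")
            if k == "minimum_uid" and uid < int(v):
                outcome = "ignore"
        if outcome == "ignore":
            i += 1
            continue
        handled.append(r.module)
        action = r.control.get("success") if outcome == "success" \
            else r.control.get("default", "bad")
        if action.isdigit():
            # success=N: treated as "ok" plus a jump over the next N rules.
            succeeded = True
            i += int(action) + 1
            continue
        if action == "die":
            return "fail", handled
        if action == "done":
            return ("fail" if failed else "success"), handled
        if action == "bad":
            failed = True
        elif action == "ok":
            succeeded = True
        i += 1
    return ("fail" if failed or not succeeded else "success"), handled

if __name__ == "__main__":
    stack = parse_pam(COMMON_PASSWORD)
    print(run_stack(stack, 10001, {}))            # pam_krb5 handles it
    print(run_stack(stack, 500, {}))              # below minimum_uid: pam_unix
    print(run_stack(stack, 10001, {"pam_krb5.so": "fail",
                                   "pam_unix.so": "fail",
                                   "pam_winbind.so": "fail"}))  # pam_deny
```

The three runs at the bottom show the effect of `minimum_uid`: a uid above it is handled by pam_krb5 and jumps straight to pam_permit, a uid below it skips pam_krb5 and falls through to pam_unix, and if none of the three modules succeeds the `requisite` pam_deny line ends the stack with a failure. The simulator does not model what the real modules do with the token or why they prompt as they do; it only shows the control flow of the quoted stack.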