[Samba] samba AD: using passwd on linux to change PW

Dr. Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Wed Jan 3 14:48:01 UTC 2018


Thanks a lot. I will check it.
We do not use Kerberos - is it necessary?

Bye, Peer

On 03.01.2018 15:15, L.P.H. van Belle via samba wrote:
> Hi Peer,
>
> This is my output, this account testaccount1 was created 2 minutes ago before the tests below.
>
> passwd testaccount1
> Current Kerberos password:
> Enter new Kerberos password:
> Retype new Kerberos password:
> Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
> Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> If you run : pam-auth-update
> You should see something like this.
>
>
>
>    PAM profiles to enable:
>
>       [ ] Create home directory during login
>       [*] Kerberos authentication
>       [*] Unix authentication
>       [*] Winbind NT/Active Directory authentication
>       [*] Register user sessions in the systemd control group hierarchy
>       [*] Inheritable Capabilities Management
>
>
>
> Same server, but now with a user disabled.
> passwd someuser ( but disabled in AD )
> Current Kerberos password:
> Enter new Kerberos password:
> Retype new Kerberos password:
> Access denied: Not permitted to change password
> Access is denied
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Same user but now enabled in AD.
> Current Kerberos password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
> root at rtd-print1:~# passwd xreib
> Current Kerberos password:
> Enter new Kerberos password:
> Retype new Kerberos password:
> passwd: password updated successfully
>
> So this should work fine.
>
> Debian 9.3
> Samba 4.7.3 ( from my own apt )
>
>
>
> Best regards,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dr.
>> Peer-Joachim Koch via samba
>> Sent: Wednesday 3 January 2018 14:50
>> To: samba at lists.samba.org
>> Subject: [Samba] samba AD: using passwd on linux to change PW
>>
>> Hi,
>>
>> a short question about changing passwords. Our Linux login server is using winbind
>> for authentication. Everything is working well, but changing the password for a user
>> does not work. We see the following error:
>>
>> passwd
>> Changing password for USER
>> (current) NT password:
>> passwd: Authentication token manipulation error
>> passwd: password unchanged
>>
>> /var/log/auth.log
>>
>> pam_winbind(sshd:auth): getting password (0x00000388)
>> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
>>
>> Login is working fine, also the groups are all correct.
>>
>> Maybe something in the pam-config has to be changed?
>>
>> Where can I find some description to set up the system so that every user
>> can execute passwd?
>>
>> System Debian 9.3 using winbind against Samba AD.
>>
>>
>> -- 
>> Bye,
>>       Peer
>> ________________________________________________________
>>
>> Max-Planck-Institut für Biogeochemie
>> Dr. Peer-Joachim Koch
>> Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
>> D-07745 Jena                 Telefax: ++49 3641 57-7705
>>
>>
>

-- 
Best regards,
     Peer-Joachim Koch
________________________________________________________

Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
D-07745 Jena                 Telefax: ++49 3641 57-7705
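
An added example, not part of the original thread: a small triage script that rejoins mail-wrapped `auth.log` entries like the one quoted above and groups `pam_winbind` failures by service and PAM stage, so that entries written during a `passwd` run can be separated from login entries such as the `sshd:auth` one. The `passwd:chauthtok` entry in the sample is constructed, and its stage tag assumes Linux-PAM's usual naming for the password-change stage.

```python
import re
from collections import defaultdict

# Shape of the pam_winbind failure line quoted in the thread.
FAILURE = re.compile(
    r"pam_winbind\((?P<service>[^:()]+):(?P<stage>[^()]+)\): "
    r"request (?P<request>\w+) failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam>\w+) \((?P<code>\d+)\), "
    r"NTSTATUS: (?P<ntstatus>\w+)"
)
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample: the first entry copies the thread's log line (mail-wrapped
# on purpose); the passwd:chauthtok entry is invented for this example.
SAMPLE_LOG = """\
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN
(10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was:
The specified account does not exist.
Jan  3 14:42:10 HOSTNAME passwd[4410]: pam_winbind(passwd:chauthtok): request wbcChangeUserPasswordEx failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_ERR (20), NTSTATUS: NT_STATUS_PASSWORD_RESTRICTION, Error message was: Password restriction
"""

def unwrap(text):
    """Rejoin entries that a mail client wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse_failures(text):
    """Return one dict per pam_winbind 'request ... failed' entry."""
    return [m.groupdict() for m in map(FAILURE.search, unwrap(text)) if m]

def by_stage(failures):
    """Group NTSTATUS codes by (service, PAM stage)."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["service"], f["stage"])].append(f["ntstatus"])
    return dict(groups)

def password_change_failures(failures):
    """Keep only entries from the password-change stage (chauthtok)."""
    return [f for f in failures if f["stage"] == "chauthtok"]

if __name__ == "__main__":
    for key, codes in by_stage(parse_failures(SAMPLE_LOG)).items():
        print(key, codes)
```
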
