[Samba] samba AD: using passwd on linux to change PW

L.P.H. van Belle belle at bazuin.nl
Wed Jan 3 14:51:51 UTC 2018


You're welcome.

For the password change I believe it is.
But give me a few min, I'll disable it and test again.

Greetz, 

Louis 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dr. Peer-Joachim Koch via samba
> Sent: Wednesday 3 January 2018 15:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba AD: using passwd on linux to change PW
> 
> Thanks a lot. I will check it.
> We do not use Kerberos - is it necessary?
> 
> Bye, Peer
> 
> On 03.01.2018 15:15, L.P.H. van Belle via samba wrote:
> > Hi Peer,
> >
> > This is my output, this account testaccount1 was created 2 minutes ago before the tests below.
> >
> > passwd testaccount1
> > Current Kerberos password:
> > Enter new Kerberos password:
> > Retype new Kerberos password:
> > Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
> > Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
> > passwd: Authentication token manipulation error
> > passwd: password unchanged
> >
> > If you run: pam-auth-update
> > You should see something like this.
> >
> >    PAM profiles to enable:
> >
> >       [ ] Create home directory during login
> >       [*] Kerberos authentication
> >       [*] Unix authentication
> >       [*] Winbind NT/Active Directory authentication
> >       [*] Register user sessions in the systemd control group hierarchy
> >       [*] Inheritable Capabilities Management
> >
> >
> > Same server, but now with a user disabled.
> > passwd someuser ( but disabled in AD )
> > Current Kerberos password:
> > Enter new Kerberos password:
> > Retype new Kerberos password:
> > Access denied: Not permitted to change password
> > Access is denied
> > passwd: Authentication token manipulation error
> > passwd: password unchanged
> >
> > Same user but now enabled in AD.
> > Current Kerberos password:
> > passwd: Authentication token manipulation error
> > passwd: password unchanged
> > root at rtd-print1:~# passwd xreib
> > Current Kerberos password:
> > Enter new Kerberos password:
> > Retype new Kerberos password:
> > passwd: password updated successfully
> >
> > So this should work fine.
> >
> > Debian 9.3
> > Samba 4.7.3 ( from my own apt )
> >
> >
> >
> > Best regards,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dr. Peer-Joachim Koch via samba
> >> Sent: Wednesday 3 January 2018 14:50
> >> To: samba at lists.samba.org
> >> Subject: [Samba] samba AD: using passwd on linux to change PW
> >>
> >> Hi,
> >>
> >> a short question about changing passwords. Our Linux login server is using winbind
> >> for authentication. Everything is working well, but changing the password for a user
> >> does not work. We see the following error:
> >>
> >> passwd
> >> Changing password for USER
> >> (current) NT password:
> >> passwd: Authentication token manipulation error
> >> passwd: password unchanged
> >>
> >> /var/log/auth.log
> >>
> >> pam_winbind(sshd:auth): getting password (0x00000388)
> >> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
> >> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
> >>
> >> Login is working fine, also the groups are all correct.
> >>
> >> Maybe something in the pam-config has to be changed?
> >>
> >> Where can I find some description to set up the system so that every user can execute passwd?
> >>
> >> System Debian 9.3 using winbind against Samba AD.
> >>
> >>
> >> -- 
> >> Bye,
> >>       Peer
> >> ________________________________________________________
> >>
> >> Max-Planck-Institut für Biogeochemie
> >> Dr. Peer-Joachim Koch
> >> Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
> >> D-07745 Jena                 Telefax: ++49 3641 57-7705
> >>
> >>
> >
> 
> -- 
> Kind regards,
>      Peer-Joachim Koch
> 
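Added example, not part of the original thread: a small Python parser for the pam_winbind failure line quoted from /var/log/auth.log above, extracting the PAM service and phase, the winbind request, and the PAM and NTSTATUS codes so failures can be grouped. The sample input is the two complete log lines from the post with the mail line wraps re-joined, plus one constructed unrelated line; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: the two complete auth.log lines quoted in the thread (mail
# line wraps re-joined), plus one constructed unrelated line to show filtering.
SAMPLE_LOG = """\
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jan  3 14:41:40 HOSTNAME cron[4400]: constructed line that is not from pam_winbind
"""

# Matches only pam_winbind "request <call> failed" lines in syslog format.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s"
    r"pam_winbind\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s"
    r"request\s(?P<request>\w+)\sfailed:\s(?P<wbc_error>\w+),\s"
    r"PAM error:\s(?P<pam_error>\w+)\s\((?P<pam_code>\d+)\),\s"
    r"NTSTATUS:\s(?P<ntstatus>\w+),\s"
    r"Error message was:\s(?P<message>.*)$"
)

def parse_failures(log_text):
    """Return one dict per pam_winbind 'request ... failed' line."""
    failures = []
    for line in log_text.splitlines():
        match = FAILURE_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["pam_code"] = int(record["pam_code"])
            failures.append(record)
    return failures

def summarize(failures):
    """Count failures by (PAM service, phase, NTSTATUS)."""
    return Counter((f["service"], f["phase"], f["ntstatus"]) for f in failures)

if __name__ == "__main__":
    for key, count in summarize(parse_failures(SAMPLE_LOG)).items():
        print(count, *key)
```

The service and phase fields show which PAM stack logged the failure; for the line in the post they are `sshd` and `auth`.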



