[Samba] samba AD: using passwd on linux to change PW
L.P.H. van Belle
belle at bazuin.nl
Wed Jan 3 14:56:51 UTC 2018
Well, test done.
If I disable Kerberos, I'm also getting the same error.
pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): user 'NTDOM\user' granted access
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x00000012)
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
pam_winbind(passwd:chauthtok): user 'NTDOM\user' denied access (incorrect password or invalid membership)
And that last line is crazy, 10000% sure I typed the correct password.
So enable Kerberos and you're set.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Wednesday 3 January 2018 15:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba AD: using passwd on linux to change PW
>
> You're welcome.
>
> For the password change I believe it is.
> But give me a few min, I'll disable it and test again.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dr. Peer-Joachim Koch via samba
> > Sent: Wednesday 3 January 2018 15:48
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] samba AD: using passwd on linux to change PW
> >
> > Thanks a lot. I will check it.
> > We do not use kerberos - is it necessary ?
> >
> > Bye, Peer
> >
> > On 03.01.2018 15:15, L.P.H. van Belle via samba wrote:
> > > Hi Peer,
> > >
> > > This is my output, this account testaccount1 was created 2 minutes ago before the tests below.
> > >
> > > passwd testaccount1
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
> > > Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > >
> > > If you run : pam-auth-update
> > > You should see something like this.
> > >
> > >
> > > PAM profiles to enable:
> > >
> > > [ ] Create home directory during login
> > > [*] Kerberos authentication
> > > [*] Unix authentication
> > > [*] Winbind NT/Active Directory authentication
> > > [*] Register user sessions in the systemd control group hierarchy
> > > [*] Inheritable Capabilities Management
> > >
> > >
> > > Same server, but now with a user disabled.
> > > passwd someuser ( but disabled in AD )
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > Access denied: Not permitted to change password
> > > Access is denied
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > >
> > > Same user but now enabled in AD.
> > > Current Kerberos password:
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > > root at rtd-print1:~# passwd xreib
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > passwd: password updated successfully
> > >
> > > So this should work fine.
> > >
> > > Debian 9.3
> > > Samba 4.7.3 ( from my own apt )
> > >
> > >
> > >
> > > Best regards,
> > >
> > > Louis
> > >
> > >
> > >> -----Original message-----
> > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dr. Peer-Joachim Koch via samba
> > >> Sent: Wednesday 3 January 2018 14:50
> > >> To: samba at lists.samba.org
> > >> Subject: [Samba] samba AD: using passwd on linux to change PW
> > >>
> > >> Hi,
> > >>
> > >> a short question about changing passwords. Our linux login server is using winbind
> > >> for authentication. Everything is working well, but changing the password for a user
> > >> does not work. We see the following error:
> > >>
> > >> passwd
> > >> Changing password for USER
> > >> (current) NT password:
> > >> passwd: Authentication token manipulation error
> > >> passwd: password unchanged
> > >>
> > >> /var/log/auth.log
> > >>
> > >> pam_winbind(sshd:auth): getting password (0x00000388)
> > >> Jan 3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
> > >> Jan 3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
> > >>
> > >> Login is working fine, also the groups are all correct.
> > >>
> > >> Maybe something in the pam-config has to be changed ?
> > >>
> > >> Where can I find some description to setup the system that every user can execute passwd ?
> > >>
> > >> System Debian 9.3 using winbind against Samba AD.
> > >>
> > >>
> > >> --
> > >> Bye,
> > >> Peer
> > >> ________________________________________________________
> > >>
> > >> Max-Planck-Institut für Biogeochemie
> > >> Dr. Peer-Joachim Koch
> > >> Hans-Knöll Str.10 Phone: ++49 3641 57-6705
> > >> D-07745 Jena Fax: ++49 3641 57-7705
> > >>
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> > >>
> > >
> >
> > --
> > Kind regards,
> > Peer-Joachim Koch
> > ________________________________________________________
> >
> > Max-Planck-Institut für Biogeochemie
> > Dr. Peer-Joachim Koch
> > Hans-Knöll Str.10 Phone: ++49 3641 57-6705
> > D-07745 Jena Fax: ++49 3641 57-7705
> >
> >
> >
>
>
>
>
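As an added example (not part of the original thread, and not Samba's own code): a small Python parser for the pam_winbind and pam_unix messages quoted above, grouping winbind failures by PAM service, phase and NTSTATUS so that a `passwd:chauthtok` failure can be told apart from an `sshd:auth` one. The sample log lines are constructed from the messages in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log messages quoted in the thread.
SAMPLE_LOG = r"""Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jan  3 15:50:02 HOSTNAME passwd[5120]: pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
Jan  3 15:50:09 HOSTNAME passwd[5120]: pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Jan  3 15:50:09 HOSTNAME passwd[5120]: pam_winbind(passwd:chauthtok): user 'NTDOM\user' denied access (incorrect password or invalid membership)
"""

# module(service:phase): message   e.g. pam_winbind(passwd:chauthtok): ...
TAG = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>\w+)\): (?P<msg>.*)")
FAIL = re.compile(r"request (?P<call>\w+) failed: (?P<wbc>WBC_\w+), "
                  r"PAM error: (?P<pam>PAM_\w+) \((?P<code>\d+)\), "
                  r"NTSTATUS: (?P<ntstatus>NT_STATUS_\w+)")
USER = re.compile(r"user ['\"](?P<user>[^'\"]+)['\"]")


def parse_line(line):
    """Return a dict describing a PAM module message, or None for other lines."""
    tag = TAG.search(line)
    if not tag:
        return None
    event = {k: tag.group(k) for k in ("module", "service", "phase")}
    msg = tag.group("msg")
    fail = FAIL.search(msg)
    if fail:
        event.update(kind="winbind_failure", **fail.groupdict())
    elif "does not exist in /etc/passwd" in msg:
        event["kind"] = "no_local_account"  # pam_unix found no local entry
    elif "denied access" in msg:
        event["kind"] = "denied"
    else:
        event["kind"] = "other"
    user = USER.search(msg)
    if user:
        event["user"] = user.group("user")
    return event


def failures_by_phase(log_text):
    """Count winbind failures per (service, phase, NTSTATUS)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["kind"] == "winbind_failure":
            counts[(ev["service"], ev["phase"], ev["ntstatus"])] += 1
    return counts
```

Calling `failures_by_phase()` on the text of `/var/log/auth.log` gives one counter entry per distinct failure, which makes it easy to see whether only the password-change phase is failing.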