[Samba] Change local password on a domain-member
rpenny at samba.org
Wed Jun 29 19:51:31 UTC 2022
On Wed, 2022-06-29 at 21:28 +0200, Kees van Vloten via samba wrote:
> Hi All,
> In order to have access to my server when Samba AD is broken for some
> reason, I have some accounts defined locally and in AD with the same
> UID/GID (not an issue with RFC2307 id-mapping).
> Now the passwords are about to expire so I want to change them. The
> domain password is simple, my desktop is also domain-member and a
> 'passwd' does the trick.
> Then when I ssh to the server and type:
> passwd -r files
> Current Kerberos password:
> it seems to ignore the "-r files" and still tries to change the
> password. Even from the root user 'passwd -r files user1' changes
> Kerberos password.
> cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
> hosts: files dns mymachines
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> I am running Debian Bullseye with Samba 4.13.13 on the members and
> 4.16.2 on AD-DCs.
> What can I do to force passwd to change the local password?
> - Kees
It sounds like you have a user called 'user1' in '/etc/passwd' and AD
with the same UID, this isn't allowed. I know it sounds like a good
idea, but you have just run into one of the problems.
Why not just create a user (or multiple users) that are not in AD, if
AD does go down on a Unix domain member, that is the user you will
need, especially if you make the user a 'sudo' user.
You will also need to change the 'common-*' files in /etc/pam.d/ to use
the low domain range you set in smb.conf instead of '1000', if you have
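An added example, not part of the original thread: a check that compares every `minimum_uid=` value in PAM `common-*` text against the low end of a domain's idmap range from smb.conf, which is the adjustment the reply describes. The domain name `SAMDOM`, both sample texts and the function names are constructed for illustration; `minimum_uid` is the pam_krb5 option that makes the module skip users below that UID.

```python
import re

# Constructed sample inputs for illustration (not taken from the thread).
SMB_CONF = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""
PAM_COMMON_PASSWORD = """\
# constructed excerpt in the style of /etc/pam.d/common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
"""

def idmap_low(smb_conf, domain):
    """Low end of 'idmap config <domain> : range = low-high' in smb.conf text."""
    pat = re.compile(r"^\s*idmap config\s+" + re.escape(domain) +
                     r"\s*:\s*range\s*=\s*(\d+)\s*-\s*\d+", re.I | re.M)
    m = pat.search(smb_conf)
    if m is None:
        raise ValueError("no idmap range configured for " + domain)
    return int(m.group(1))

def stale_minimum_uid(pam_text, expected):
    """(line number, module, value) for each minimum_uid= that is not `expected`."""
    findings = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        active = line.split("#", 1)[0]          # ignore comments
        m = re.search(r"\bminimum_uid=(\d+)", active)
        if m and int(m.group(1)) != expected:
            mod = re.search(r"\bpam_\w+\.so\b", active)
            findings.append((no, mod.group(0) if mod else "?", int(m.group(1))))
    return findings

if __name__ == "__main__":
    low = idmap_low(SMB_CONF, "SAMDOM")
    for no, module, value in stale_minimum_uid(PAM_COMMON_PASSWORD, low):
        print(f"line {no}: {module} minimum_uid={value}, domain range starts at {low}")
```

To run it against a real member server, read the contents of smb.conf and each `/etc/pam.d/common-*` file into the two text arguments.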