[Samba] Change local password on a domain-member

Rowland Penny rpenny at samba.org
Wed Jun 29 19:51:31 UTC 2022


On Wed, 2022-06-29 at 21:28 +0200, Kees van Vloten via samba wrote:
> Hi All,
> 
> In order to have access to my server when Samba AD is broken for some 
> reason, I have some accounts defined locally and in AD with the same 
> UID/GID (not an issue with RFC2307 id-mapping).
> 
> Now the passwords are about to expire so I want to change them. The 
> domain password is simple, my desktop is also a domain member and a 
> simple 'passwd' does the trick.
> 
> Then when I ssh to the server and type:
> 
> passwd -r files
> Current Kerberos password:
> 
> it seems to ignore the "-r files" and still tries to change the domain 
> password. Even from the root user 'passwd -r files user1' changes the 
> Kerberos password.
> 
> cat /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> passwd:         files systemd winbind
> group:          files systemd winbind
> shadow:         files
> gshadow:        files
> hosts:          files dns mymachines
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> 
> I am running Debian Bullseye with Samba 4.13.13 on the members and 
> 4.16.2 on AD-DCs.
> 
> What can I do to force passwd to change the local password?
> 
> - Kees

It sounds like you have a user called 'user1' in /etc/passwd and in AD
with the same UID; this isn't allowed. I know it sounds like a good
idea, but you have just run into one of the problems.

Why not just create a user (or multiple users) that are not in AD? If
AD does go down on a Unix domain member, that is the user you will
need, especially if you make the user a 'sudo' user.
You will also need to change the 'common-*' files in /etc/pam.d/ to use
the low domain range you set in smb.conf instead of '1000', if you have
libpam-krb5 installed.

Rowland
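Added example, not from the thread: a small POSIX sh check that finds local accounts in /etc/passwd whose UID falls inside a winbind idmap range from smb.conf (the overlap Rowland warns against), and reports the lowest domain range bound to use in place of the default '1000'. It assumes the pam.d setting meant is pam_krb5's minimum_uid option, and runs on constructed sample data rather than the real files.

```sh
#!/bin/sh
# Check break-glass local accounts against the winbind idmap ranges.
# Sample data is constructed; on a real member read /etc/samba/smb.conf
# and /etc/passwd instead.

SMB_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# user1 sits inside the SAMDOM range: a local/AD UID collision.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
breakglass:x:1001:1001:Local admin:/home/breakglass:/bin/bash
user1:x:10005:10005:user1:/home/user1:/bin/bash
'

# Print every "idmap config ... : range = LO-HI" line from the config.
idmap_ranges() {
    printf '%s\n' "$1" | grep -i 'idmap config .*: *range *='
}

# Print "name uid" for each local account whose UID lies in any idmap range.
find_idmap_collisions() {
    conf="$1"; passwd="$2"
    printf '%s\n' "$passwd" | while IFS=: read -r name _ uid _; do
        [ -z "$name" ] && continue
        idmap_ranges "$conf" | while read -r line; do
            range=$(printf '%s' "${line##*=}" | tr -d ' ')
            lo=${range%-*}; hi=${range#*-}
            if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then
                echo "$name $uid"
            fi
        done
    done
}

# Lowest range start: the value to put in pam_krb5 minimum_uid= (assumed
# option) instead of 1000, so AD-range UIDs are never treated as local.
lowest_idmap_uid() {
    idmap_ranges "$1" | sed 's/.*= *//; s/-.*//' | sort -n | head -n 1
}

echo "Collisions: $(find_idmap_collisions "$SMB_CONF" "$PASSWD_SAMPLE")"
echo "minimum_uid should be: $(lowest_idmap_uid "$SMB_CONF")"
```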
