[Samba] winbind use default domain & Linux passwd
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Tue Sep 5 07:58:55 UTC 2023
On 04.09.23 at 19:52, Rowland Penny via samba wrote:
> On Mon, 4 Sep 2023 19:28:42 +0200
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> on my Linux domain members (in Samba AD domain) password change in
>> Linux with "passwd" only works when I use "winbind use default domain
>> = yes". When I use recommended default "winbind use default domain =
>> no" entering the current password is asked twice, then fails.
>>
>> SMB\user123 at deepops-login-01:~$ passwd
>> Current Kerberos password:
>> Current Kerberos password:
>> passwd: Authentication token manipulation error
>> passwd: password unchanged
>>
>> /var/log/auth.log says:
>>
>> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
>> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
>> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
>> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
>> Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
>> Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)
>>
>>
>> I'm using Ubuntu 20.04 with Sernet Samba 4.16.11.
>>
>> pam-auth-update enabled
>> [*] Kerberos authentication
>> [*] Unix authentication
>> [*] SerNet Samba Winbind authentication
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = SMB.MEDUNIWIEN.AC.AT
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> /etc/samba/smb.conf
>> workgroup = SMB
>> realm = SMB.MEDUNIWIEN.AC.AT
>> security = ADS
>> ...
>>
>> /etc/pam.d/common-password
>> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
>> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
>> ...
>>
>> thx 4 advice
>> Matthias
>
> First, I recommend you remove the libpam-krb5 package and ensure
> the libpam-winbind & libnss-winbind packages are installed.
>
> Can you please post the output of 'testparm -s' when run on a domain
> member?
>
> Rowland
>
I have package sernet-samba-libs which contains
/lib/x86_64-linux-gnu/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
/lib/x86_64-linux-gnu/security/pam_winbind.so

libpam-winbind & libnss-winbind packages depend on Ubuntu samba packages.

I installed libpam-krb5 because of this discussion:
https://lists.samba.org/archive/samba/2018-January/213030.html

When I remove it I get this dialog when trying to change password, with
or without "winbind use default domain" (this is where I started):

SMB\user123 at deepops-login-01:~$ passwd
Changing password for SMB\mleopo53
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log
Sep 5 09:51:04 deepops-login-01 passwd[302096]:
pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 5 09:51:04 deepops-login-01 passwd[302096]:
pam_winbind(passwd:chauthtok): getting password (0x0000002a)
Sep 5 09:51:07 deepops-login-01 passwd[302096]:
pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
Sep 5 09:51:07 deepops-login-01 passwd[302096]:
pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 5 09:51:07 deepops-login-01 passwd[302096]:
pam_winbind(passwd:chauthtok): getting password (0x00000012)

testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
netbios name = DEEPOPS-LOGIN-1
realm = SMB.MEDUNIWIEN.AC.AT
security = ADS
template homedir = /muw/home/%U
template shell = /bin/bash
winbind expand groups = 2
workgroup = SMB
idmap config smb : range = 10000-999999
idmap config smb : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb

thx
Matthias
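As an added example (not from the thread or from Samba), a small Python parser for the auth.log lines quoted above: it groups the chauthtok events per PID and reports which modules ran, whether pam_unix skipped the user, and whether pam_winbind prompted more than once without anything logging a change. The line format, the sample records and the "likely_failed" heuristic are assumptions.

```python
import re
from collections import defaultdict
# Assumed format, matching the quoted auth.log lines:
# "<Mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <module>(<service>:<phase>): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)"
    r"\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"""user ["'](?P<user>[^"']+)["']""")
# Constructed sample: the Sep 5 lines quoted in the thread, one record per line.
SAMPLE_LOG = r"""
Sep 5 09:51:04 deepops-login-01 passwd[302096]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 5 09:51:04 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
Sep 5 09:51:07 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
Sep 5 09:51:07 deepops-login-01 passwd[302096]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep 5 09:51:07 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): getting password (0x00000012)
""".strip().splitlines()

def parse_pam_lines(lines):
    """Parse syslog PAM lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            u = USER_RE.search(ev["msg"])
            ev["user"] = u.group("user") if u else None
            events.append(ev)
    return events

def summarize_chauthtok(events):
    """Group chauthtok events by PID and describe each password-change attempt.
    Heuristic (assumption): 'likely_failed' = winbind prompted >1 time, nothing logged 'changed'."""
    runs = defaultdict(list)
    for ev in events:
        if ev["phase"] == "chauthtok":
            runs[ev["pid"]].append(ev)
    summary = {}
    for pid, evs in runs.items():
        user = next((e["user"] for e in evs if e["user"]), None)
        prompts = sum("getting password" in e["msg"] for e in evs if e["module"] == "pam_winbind")
        summary[pid] = {
            "user": user,
            # '\' or '@' in the name: winbind returned a domain-qualified user ("winbind use default domain = no")
            "domain_qualified": bool(user) and ("\\" in user or "@" in user),
            "unix_skipped": any(e["module"] == "pam_unix" and "does not exist" in e["msg"] for e in evs),
            "winbind_prompts": prompts,
            "likely_failed": prompts > 1 and not any("changed" in e["msg"].lower() for e in evs),
        }
    return summary
```

Running it over the sample shows pam_unix bowing out on the domain-qualified name both times and pam_winbind prompting twice, which is the pattern the thread describes.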