[Samba] winbind use default domain & Linux passwd

Matthias Leopold matthias.leopold at meduniwien.ac.at
Tue Sep 5 07:58:55 UTC 2023



On 04.09.23 at 19:52, Rowland Penny via samba wrote:
> On Mon, 4 Sep 2023 19:28:42 +0200
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> 
>> Hi,
>>
>> on my Linux domain members (in a Samba AD domain) password change in
>> Linux with "passwd" only works when I use "winbind use default domain
>> = yes". When I use the recommended default "winbind use default domain =
>> no", I am asked for the current password twice, then it fails.
>>
>> SMB\user123 at deepops-login-01:~$ passwd
>> Current Kerberos password:
>> Current Kerberos password:
>> passwd: Authentication token manipulation error
>> passwd: password unchanged
>>
>> /var/log/auth.log says:
>>
>> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
>> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
>> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
>> Sep  4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
>> Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
>> Sep  4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)
>>
>>
>> I'm using Ubuntu 20.04 with Sernet Samba 4.16.11.
>>
>> pam-auth-update enabled
>> [*] Kerberos authentication
>> [*] Unix authentication
>> [*] SerNet Samba Winbind authentication
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>>           default_realm = SMB.MEDUNIWIEN.AC.AT
>>           dns_lookup_realm = false
>>           dns_lookup_kdc = true
>>
>> /etc/samba/smb.conf
>>           workgroup = SMB
>>           realm = SMB.MEDUNIWIEN.AC.AT
>>           security = ADS
>> ...
>>
>> /etc/pam.d/common-password
>> password	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
>> password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
>> password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
>> ...
>>
>> thx 4 advice
>> Matthias
> 
> First, I recommend you remove the libpam-krb5 package and ensure the
> the libpam-winbind & libnss-winbind packages are installed.
> 
> Can you please post the output of 'testparm -s' when run on a domain
> member
> 
> Rowland
> 

I have package sernet-samba-libs which contains

/lib/x86_64-linux-gnu/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
/lib/x86_64-linux-gnu/security/pam_winbind.so

libpam-winbind & libnss-winbind packages depend on Ubuntu samba packages

I installed libpam-krb5 because of this discussion: 
https://lists.samba.org/archive/samba/2018-January/213030.html
When I remove it, I get this dialog when trying to change the password, with 
or without "winbind use default domain" (this is where I started):

SMB\user123 at deepops-login-01:~$ passwd
Changing password for SMB\mleopo53
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log

Sep  5 09:51:04 deepops-login-01 passwd[302096]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep  5 09:51:04 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
Sep  5 09:51:07 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
Sep  5 09:51:07 deepops-login-01 passwd[302096]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
Sep  5 09:51:07 deepops-login-01 passwd[302096]: pam_winbind(passwd:chauthtok): getting password (0x00000012)

testparm -s

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	netbios name = DEEPOPS-LOGIN-1
	realm = SMB.MEDUNIWIEN.AC.AT
	security = ADS
	template homedir = /muw/home/%U
	template shell = /bin/bash
	winbind expand groups = 2
	workgroup = SMB
	idmap config smb : range = 10000-999999
	idmap config smb : backend = rid
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb

thx
Matthias
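As an added illustration (not from Matthias's or Rowland's mails, and not Samba project code): a small POSIX shell linter that parses a common-password stack of the shape quoted in the thread and reports the two points raised in the reply, namely whether pam_krb5.so is still in the password stack and whether pam_winbind.so is present at all. The sample file is constructed from the post's common-password lines (the pam_deny/pam_permit tail is the usual Ubuntu ending and is assumed here); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Lints a PAM
# common-password stack for the points raised in Rowland's reply.

# Constructed sample mirroring the common-password lines quoted in the post.
# The pam_deny/pam_permit tail is the usual Ubuntu ending (assumed).
SAMPLE_PAM=$(mktemp)
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
# /etc/pam.d/common-password (constructed)
password	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
password	[success=2 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so
EOF

# pam_modules FILE: print the modules of the "password" stack in order,
# one per line, skipping comments and blank lines.
pam_modules() {
    awk '$1 == "password" {
             for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
         }' "$1"
}

# pam_has FILE MODULE: succeed if MODULE appears in the password stack.
pam_has() {
    pam_modules "$1" | grep -qxF "$2"
}

# pam_position FILE MODULE: 1-based position of MODULE in the stack, 0 if absent.
pam_position() {
    pam_modules "$1" | awk -v m="$2" '$0 == m { print NR; f = 1; exit }
                                       END { if (!f) print 0 }'
}

# pam_lint FILE: print findings; exit 0 only when the stack follows the
# advice in the thread (no pam_krb5.so, pam_winbind.so present).
pam_lint() {
    rc=0
    echo "password stack: $(pam_modules "$1" | tr '\n' ' ')"
    if pam_has "$1" pam_krb5.so; then
        echo "WARN: pam_krb5.so is in the stack (reply advises removing libpam-krb5)"
        rc=1
    fi
    if ! pam_has "$1" pam_winbind.so; then
        echo "WARN: pam_winbind.so is missing from the stack"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample.
if pam_lint "$SAMPLE_PAM"; then
    echo "stack matches the advice"
else
    echo "stack needs changes"
fi
```

Run it against a real machine with `pam_lint /etc/pam.d/common-password`; on a Debian/Ubuntu system that file is generated by pam-auth-update, so a change should be made through the profile selection shown in the post rather than by editing the file by hand.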


