Web lists-archives.com

Re: [Samba] samba AD: using passwd on linux to change PW




Hi Peer, 

This is my output, this account testaccount1 was created 2 minutes ago before the tests below. 

passwd testaccount1
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
passwd: Authentication token manipulation error
passwd: password unchanged

If you run : pam-auth-update 
You should see something like this. 


  „                                                                                                                                                                                                         „ 
  „  PAM profiles to enable:                                                                                                                                                                                „ 
  „                                                                                                                                                                                                         „ 
  „     [ ] Create home directory during login                                                                                                                                                              „ 
  „     [*] Kerberos authentication                                                                                                                                                                         „ 
  „     [*] Unix authentication                                                                                                                                                                             „ 
  „     [*] Winbind NT/Active Directory authentication                                                                                                                                                      „ 
  „     [*] Register user sessions in the systemd control group hierarchy                                                                                                                                   „ 
  „     [*] Inheritable Capabilities Management                                                                                                                                                             „ 
  „                                                                                                                                                                                                         „ 


Same server, but now with a user disabled. 
passwd someuser ( but disabled in AD ) 
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Access denied: Not permitted to change password
Access is denied
passwd: Authentication token manipulation error
passwd: password unchanged

Same user but now enabled in AD. 
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
root@rtd-print1:~# passwd xreib
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
passwd: password updated successfully

So this should work fine. 

Debian 9.3 
Samba 4.7.3 ( from my own apt ) 



Best regards, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Dr. 
> Peer-Joachim Koch via samba
> Verzonden: woensdag 3 januari 2018 14:50
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] samba AD: using passwd on linux to change PW
> 
> Hi,
> 
> a short question about changing passwords. Our linux login server is 
> using winbind
> for authentication. Everything is working well, but changing the 
> password for a user
> does not work. We see the following error:
> 
> passwd
> Changing password for USER
> (current) NT password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
> 
> /var/log/auth.log
> 
> pam_winbind(sshd:auth): getting password (0x00000388)
> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): 
> pam_get_item returned a password
> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request 
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN 
> (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: 
> The specified 
> account does not exist.
> 
> Login is working fine, also the groups are all correct.
> 
> Maybe something in the pam-config has to be changed ?
> 
> Where can I find some description to setup the system that every user 
> can execute passwd ?
> 
> System Debian 9.3 using winbind against Samba AD.
> 
> 
> -- 
> Bye,
>      Peer
> ________________________________________________________
> 
> Max-Planck-Institut für Biogeochemie
> Dr. Peer-Joachim Koch
> Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
> D-07745 Jena                 Telefax: ++49 3641 57-7705
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba