Web lists-archives.com

Re: [Samba] samba AD: using passwd on linux to change PW




Well, test done. 

If i disable kerberos im also seeing getting the same error. 

pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): user 'NTDOM\user' granted access
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x00000012)
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
pam_winbind(passwd:chauthtok): user 'NTDOM\user' denied access (incorrect password or invalid membership) 

And that last line is crazy, 10000% sure i typed the correct password..  

So enable kerberos and your set. 


Greetz, 

Louis
 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> L.P.H. van Belle via samba
> Verzonden: woensdag 3 januari 2018 15:52
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] samba AD: using passwd on linux to change PW
> 
> Your welkom. 
> 
> For the password change i believe it is. 
> But give me a few min, i'll disable it and test again. 
> 
> Greetz, 
> 
> Louis 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Dr. 
> > Peer-Joachim Koch via samba
> > Verzonden: woensdag 3 januari 2018 15:48
> > Aan: samba@xxxxxxxxxxxxxxx
> > Onderwerp: Re: [Samba] samba AD: using passwd on linux to change PW
> > 
> > Thanks a lot. I will check it.
> > We do not use kerberos - is it necessary ?
> > 
> > Bye, Peer
> > 
> > On 03.01.2018 15:15, L.P.H. van Belle via samba wrote:
> > > Hi Peer,
> > >
> > > This is my output, this account testaccount1 was created 2 
> > minutes ago before the tests below.
> > >
> > > passwd testaccount1
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > Password change rejected: Password change rejected, 
> > password changes may not be permitted on this account, or the 
> > minimum password age may not have elapsed.
> > > Your password must be at least 5 characters; cannot repeat 
> > any of your previous 5 passwords; Please type a different 
> > password. Type a password which meets these requirements in 
> > both text boxes.
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > >
> > > If you run : pam-auth-update
> > > You should see something like this.
> > >
> > >
> > >    ?                                                        
> >                                                               
> >                                                               
> >                      ?
> > >    ?  PAM profiles to enable:                               
> >                                                               
> >                                                               
> >                      ?
> > >    ?                                                        
> >                                                               
> >                                                               
> >                      ?
> > >    ?     [ ] Create home directory during login             
> >                                                               
> >                                                               
> >                      ?
> > >    ?     [*] Kerberos authentication                        
> >                                                               
> >                                                               
> >                      ?
> > >    ?     [*] Unix authentication                            
> >                                                               
> >                                                               
> >                      ?
> > >    ?     [*] Winbind NT/Active Directory authentication     
> >                                                               
> >                                                               
> >                      ?
> > >    ?     [*] Register user sessions in the systemd control 
> > group hierarchy                                               
> >                                                               
> >                       ?
> > >    ?     [*] Inheritable Capabilities Management            
> >                                                               
> >                                                               
> >                      ?
> > >    ?                                                        
> >                                                               
> >                                                               
> >                      ?
> > >
> > >
> > > Same server, but now with a user disabled.
> > > passwd someuser ( but disabled in AD )
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > Access denied: Not permitted to change password
> > > Access is denied
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > >
> > > Same user but now enabled in AD.
> > > Current Kerberos password:
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > > root@rtd-print1:~# passwd xreib
> > > Current Kerberos password:
> > > Enter new Kerberos password:
> > > Retype new Kerberos password:
> > > passwd: password updated successfully
> > >
> > > So this should work fine.
> > >
> > > Debian 9.3
> > > Samba 4.7.3 ( from my own apt )
> > >
> > >
> > >
> > > Best regards,
> > >
> > > Louis
> > >
> > >
> > >> -----Oorspronkelijk bericht-----
> > >> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Dr.
> > >> Peer-Joachim Koch via samba
> > >> Verzonden: woensdag 3 januari 2018 14:50
> > >> Aan: samba@xxxxxxxxxxxxxxx
> > >> Onderwerp: [Samba] samba AD: using passwd on linux to change PW
> > >>
> > >> Hi,
> > >>
> > >> a short question about changing passwords. Our linux login 
> > server is
> > >> using winbind
> > >> for authentication. Everything is working well, but changing the
> > >> password for a user
> > >> does not work. We see the following error:
> > >>
> > >> passwd
> > >> Changing password for USER
> > >> (current) NT password:
> > >> passwd: Authentication token manipulation error
> > >> passwd: password unchanged
> > >>
> > >> /var/log/auth.log
> > >>
> > >> pam_winbind(sshd:auth): getting password (0x00000388)
> > >> Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth):
> > >> pam_get_item returned a password
> > >> Jan  3 14:41:36 HOSTNAME sshd[4355]: 
> > pam_winbind(sshd:auth): request
> > >> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: 
> > PAM_USER_UNKNOWN
> > >> (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was:
> > >> The specified
> > >> account does not exist.
> > >>
> > >> Login is working fine, also the groups are all correct.
> > >>
> > >> Maybe something in the pam-config has to be changed ?
> > >>
> > >> Where can I find some description to setup the system that 
> > every user
> > >> can execute passwd ?
> > >>
> > >> System Debian 9.3 using winbind against Samba AD.
> > >>
> > >>
> > >> -- 
> > >> Bye,
> > >>       Peer
> > >> ________________________________________________________
> > >>
> > >> Max-Planck-Institut für Biogeochemie
> > >> Dr. Peer-Joachim Koch
> > >> Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
> > >> D-07745 Jena                 Telefax: ++49 3641 57-7705
> > >>
> > >>
> > >> -- 
> > >> To unsubscribe from this list go to the following URL 
> and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >>
> > >
> > 
> > -- 
> > Mit freundlichen Grüßen,
> >      Peer-Joachim Koch
> > ________________________________________________________
> > 
> > Max-Planck-Institut für Biogeochemie
> > Dr. Peer-Joachim Koch
> > Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
> > D-07745 Jena                 Telefax: ++49 3641 57-7705
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba