Hi Masao,
I have essentially the same setup as you (ltsp, AD, Winbind). My users
are able to change their passwords with the 'passwd' command.
Here are the contents of the /etc/pam.d/common-password file:
password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5
Hth,
John
On Wed, Jan 20, 2010 at 11:22 AM, Masao Garcia <masaog at fshac.com> wrote:
> Has anyone gotten Active Directory user passwords changed from a Linux
> (Ubuntu 8.04) client? I used
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto as a guide, so
> I'm using Kerberos and Winbind (all apt-get). Samba version is 3.0.28a with
> a Windows Server 2008 R2 DC, but running AD 2003 native. The client box is
> an LTSP box, and I'm able to ssh in with AD accounts. However, when I type
> passwd I get the error message "passwd: Authentication token manipulation
> error". In the auth.log file I get "pam_unix(passwd:chauthtok): user
> "kmasters" does not exist in /etc/passwd". Is it possible my Samba version
> is too old?
>
> common-auth:
> auth    sufficient      pam_krb5.so
> auth    required        pam_unix.so nullok_secure use_first_pass
>
> common-account:
> account sufficient      pam_winbind.so
> account required        pam_unix.so
>
> common-session:
> session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
>
> common-password:
> password   sufficient   pam_unix.so nullok md5 shadow
> password   sufficient   pam_ldap.so use_first_pass
> password   required     pam_deny.so
>
> smb.conf:
> [global]
>        workgroup = MYDOMAIN
>        realm = MYDOMAIN.COM
>        server string = %h server (Samba, Ubuntu)
>        security = ADS
>        map to guest = Bad User
>        obey pam restrictions = Yes
>        password server = dc1.mydomain.com
>        passdb backend = tdbsam
>        pam password change = Yes
>        passwd program = /usr/bin/passwd %u
>        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>        unix password sync = Yes
>        syslog = 0
>        log file = /var/log/samba/log.%m
>        max log size = 1000
>        domain master = No
>        dns proxy = No
>        usershare allow guests = Yes
>        panic action = /usr/share/samba/panic-action %d
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        template homedir = /home/%U
>        template shell = /bin/bash
>        winbind separator = +
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>        invalid users = root
>