Chris Hastie
2016-Feb-16 07:47 UTC
[Samba] Password changes and syncing passwords with Linux accounts
Hi

I'm experiencing some odd behaviour when trying to change passwords. I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When I change a password (either from a Win10 Pro client, or using smbpasswd on the machine itself) it all reports that things have worked. I can then login to Samba using the new password.

However, when I now try to login to Linux using the new password I get this error on the terminal:

Failed to add entry for user MYDOMAIN\someuser.

In /var/log/auth.log I see

Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]

Now when I try the old password for a Linux login it works. BUT, in doing so it seems to reset the Samba password back to the old one.

What it looks to me is happening, though I know little about PAM and auth mechanisms, is

* the samba password is successfully changed
* no attempt is made, or if it is it isn't successful, to change the password in /etc/passwd or /etc/shadow
* PAM, having checked /etc/shadow and not found a match, checks winbind
* winbind approves the login, but somewhere along the line prepends MYDOMAIN\ to the user name
* there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
* a subsequent successful Linux login causes something to update Samba, perhaps this line in /etc/pam.d/common-auth:

auth optional pam_smbpass.so migrate

I have tried various combinations of 'unix password sync', 'passwd program', 'passwd chat' and 'pam password change' in smb.conf in an attempt to get /etc/passwd and /etc/shadow updated when a password is changed. I've also experimented with 'winbind use default domain = yes' to see if this stopped the prepending of MYDOMAIN\. All to no avail, and I'm not clear that any of these options has an effect when running as an AD-DC.

I should add that as this installation was migrated from an NT PDC all users have unix accounts on the Linux machine. I would ideally like to keep the passwords in sync, and to be able to do so using Windows tools such as Ctrl+Alt+Del. It does seem as if changing passwords on the Linux box using passwd will change both Linux and Samba passwords.

Can anybody point me in the right direction?

Cheers

Chris
L.P.H. van Belle
2016-Feb-16 08:16 UTC
[Samba] Password changes and syncing passwords with Linux accounts
I suggest you also read this thread: AD Group lost from Winbind

Looks to me like the same problem, and imo a bug. But not identified yet. For now, I'm affected the same as you, but as far as I tested it's only on the DCs.

A quick fix can be:

server services = -dns -winbindd +winbind
# server services = -dns

Now wbinfo -u gives back only the users and you should be able to login again if you have pam_winbind set up also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Chris Hastie
> Sent: Tuesday 16 February 2016 8:48
> To: samba at lists.samba.org
> Subject: [Samba] Password changes and syncing passwords with Linux accounts
>
> Hi
>
> I'm experiencing some odd behaviour when trying to change passwords. I
> have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When
> I change a password (either from a Win10 Pro client, or using smbpasswd
> on the machine itself) it all reports that things have worked. I can
> then login to Samba using the new password.
>
> However, when I now try to login to Linux using the new password I get
> this error on the terminal:
>
> Failed to add entry for user MYDOMAIN\someuser.
>
> In /var/log/auth.log I see
>
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
> Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
> Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]
>
> Now when I try the old password for a Linux login it works. BUT, in
> doing so it seems to reset the Samba password back to the old one.
>
> What it looks to me is happening, though I know little about PAM and
> auth mechanisms, is
>
> * the samba password is successfully changed
> * no attempt is made, or if it is it isn't successful, to change the
> password in /etc/passwd or /etc/shadow
> * PAM, having checked /etc/shadow and not found a match, checks winbind
> * winbind approves the login, but somewhere along the line prepends
> MYDOMAIN\ to the user name
> * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
> * a subsequent successful Linux login causes something to update Samba,
> perhaps this line in /etc/pam.d/common-auth:
>
> auth optional pam_smbpass.so migrate
>
> I have tried various combinations of 'unix password sync', 'passwd
> program', 'passwd chat' and 'pam password change' in smb.conf in an
> attempt to get /etc/passwd and /etc/shadow updated when a password is
> changed. I've also experimented with 'winbind use default domain = yes'
> to see if this stopped the prepending of MYDOMAIN\. All to no avail, and
> I'm not clear that any of these options has an effect when running as an
> AD-DC.
>
> I should add that as this installation was migrated from an NT PDC all
> users have unix accounts on the Linux machine. I would ideally like to
> keep the passwords in sync, and to be able to do so using Windows tools
> such as Ctrl+Alt+Del. It does seem as if changing passwords on the Linux
> box using passwd will change both Linux and Samba passwords.
>
> Can anybody point me in the right direction?
>
> Cheers
>
> Chris
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2016-Feb-16 08:38 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 07:47, Chris Hastie wrote:
> Hi
>
> I'm experiencing some odd behaviour when trying to change passwords.
> I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS.
> When I change a password (either from a Win10 Pro client, or using
> smbpasswd on the machine itself) it all reports that things have
> worked. I can then login to Samba using the new password.
>
> However, when I now try to login to Linux using the new password I
> get this error on the terminal:
>
> Failed to add entry for user MYDOMAIN\someuser.
>
> In /var/log/auth.log I see
>
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access
> Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser))
> Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2
> Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth]
>
> Now when I try the old password for a Linux login it works. BUT, in
> doing so it seems to reset the Samba password back to the old one.
>
> What it looks to me is happening, though I know little about PAM and
> auth mechanisms, is
>
> * the samba password is successfully changed
> * no attempt is made, or if it is it isn't successful, to change the
> password in /etc/passwd or /etc/shadow
> * PAM, having checked /etc/shadow and not found a match, checks winbind
> * winbind approves the login, but somewhere along the line prepends
> MYDOMAIN\ to the user name
> * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails
> * a subsequent successful Linux login causes something to update Samba,
> perhaps this line in /etc/pam.d/common-auth:
>
> auth optional pam_smbpass.so migrate
>
> I have tried various combinations of 'unix password sync', 'passwd
> program', 'passwd chat' and 'pam password change' in smb.conf in an
> attempt to get /etc/passwd and /etc/shadow updated when a password is
> changed. I've also experimented with 'winbind use default domain =
> yes' to see if this stopped the prepending of MYDOMAIN\. All to no
> avail, and I'm not clear that any of these options has an effect when
> running as an AD-DC.
>
> I should add that as this installation was migrated from an NT PDC
> all users have unix accounts on the Linux machine. I would ideally
> like to keep the passwords in sync, and to be able to do so using
> Windows tools such as Ctrl+Alt+Del. It does seem as if changing
> passwords on the Linux box using passwd will change both Linux and
> Samba passwords.
>
> Can anybody point me in the right direction?
>
> Cheers
>
> Chris

OK, you say this:

I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS.

Then you say this:

I should add that as this installation was migrated from an NT PDC

Finally you say this:

all users have unix accounts on the Linux machine.

You are not going to like this, but I am going to say it anyway:

*Remove* any users that are in AD from /etc/passwd (the same goes for groups)

All your users & groups should now only exist in AD, you do not need, or can have, users & groups in AD *and* /etc/passwd & /etc/group.

Your users will only have one password and this will be stored in AD in a hidden attribute.

Rowland
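Rowland's point is that an account must not exist both in AD and in /etc/passwd. The check below is an added example, not code from the thread or from the Samba project: it compares a saved `wbinfo -u` listing against a passwd file and prints the names that collide, so an admin can see which local entries to remove. It assumes the default winbind separator `\` (a `+` separator is also handled); the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts that exist both in AD,
# as reported by `wbinfo -u`, and in a local passwd file. These duplicates
# are the entries the reply above says must be removed from /etc/passwd.
# Assumes the default winbind separator '\' (a '+' separator is also handled).

# Constructed sample of `wbinfo -u` output: two prefixed names, one bare.
sample_wbinfo() {
    printf '%s\n' 'MYDOMAIN\someuser' 'MYDOMAIN\Alice' 'bob'
}

# Constructed sample passwd file: someuser and bob collide, carol is local-only.
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'someuser:x:1001:1001::/home/someuser:/bin/bash' \
        'carol:x:1002:1002::/home/carol:/bin/bash' \
        'bob:x:1003:1003::/home/bob:/bin/bash'
}

# Normalise one name per line: drop the DOMAIN\ or DOMAIN+ prefix and lowercase,
# because AD names are case-insensitive while /etc/passwd names are not.
normalise_names() {
    sed -e 's/^[^\\+]*[\\+]//' | tr 'A-Z' 'a-z'
}

# find_collisions WBINFO_FILE PASSWD_FILE
# Prints, one per line, the user names present in both sources.
find_collisions() {
    wb_sorted=$(mktemp) || return 1
    pw_sorted=$(mktemp) || return 1
    normalise_names < "$1" | LC_ALL=C sort -u > "$wb_sorted"
    cut -d: -f1 "$2" | tr 'A-Z' 'a-z' | LC_ALL=C sort -u > "$pw_sorted"
    LC_ALL=C comm -12 "$wb_sorted" "$pw_sorted"
    rm -f "$wb_sorted" "$pw_sorted"
}

# Demo on the constructed samples. On a real DC, replace the sample files with
# the output of `wbinfo -u` and /etc/passwd.
wb_file=$(mktemp)
pw_file=$(mktemp)
sample_wbinfo > "$wb_file"
sample_passwd > "$pw_file"
echo "Accounts present in both AD and the local passwd file:"
find_collisions "$wb_file" "$pw_file"
rm -f "$wb_file" "$pw_file"
```

Groups can be checked the same way by feeding `wbinfo -g` and /etc/group to the same function.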
Chris Hastie
2016-Feb-16 09:21 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 08:38, Rowland penny wrote:
> You are not going to like this, but I am going to say it anyway:
>
> *Remove* any users that are in AD from /etc/passwd (the same goes for
> groups)
>
> All your users & groups should now only exist in AD, you do not need
> or can have, users & groups in AD *and* /etc/passwd & /etc/group.
>
> Your users will only have one password and this will be stored in AD
> in a hidden attribute.

You're right. I don't like it.

I don't like it because it leaves things even more broken than before. Specifically, I can no longer log into Linux at all. And some, but not all, Samba based functionality is lost, though I didn't leave it like that long enough to work out exactly what. wbinfo -a someuser%somepassword succeeded, I could browse from a Linux machine with cifs, but some ownCloud external storage using smb failed.

Presumably if I remove users from /etc/passwd then there is something else I need to do to get Linux logins to work again?

Cheers

Chris