On Wed, 2022-06-29 at 21:28 +0200, Kees van Vloten via samba wrote:
> Hi All,
>
> In order to have access to my server when Samba AD is broken for some
> reason, I have some accounts defined locally and in AD with the same
> UID/GID (not an issue with RFC2307 id-mapping).
>
> Now the passwords are about to expire so I want to change them. The
> domain password is simple, my desktop is also domain-member and a
> simple 'passwd' does the trick.
>
> Then when I ssh to the server and type:
>
> passwd -r files
> Current Kerberos password:
>
> it seems to ignore the "-r files" and still tries to change the
> domain password. Even from the root user 'passwd -r files user1'
> changes the Kerberos password.
>
> cat /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
> hosts: files dns mymachines
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> I am running Debian Bullseye with Samba 4.13.13 on the members and
> 4.16.2 on AD-DCs.
>
> What can I do to force passwd to change the local password?
>
> - Kees

It sounds like you have a user called 'user1' in /etc/passwd and AD
with the same UID; this isn't allowed. I know it sounds like a good
idea, but you have just run into one of the problems.

Why not just create a user (or multiple users) that are not in AD? If
AD does go down on a Unix domain member, that is the user you will
need, especially if you make the user a 'sudo' user.

You will also need to change the common-* files in /etc/pam.d/ to use
the low domain range you set in smb.conf instead of '1000', if you have
libpam-krb5 installed.

Rowland
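A check for the two problems raised in this thread, added here as an example that is neither Kees's nor Rowland's code and not part of Samba: it parses passwd(5)-format entries from two sources and reports accounts present in both, UIDs shared between them, and local accounts whose UID falls inside the domain idmap range; it then reads the `minimum_uid=` value on the pam_krb5 line of a common-auth file and checks that it matches the low end of that range rather than the Debian default of 1000. The sample passwd entries, the PAM excerpt and the idmap range (10000-19999) are constructed for the example; on a real member server the two passwd inputs would come from `getent passwd -s files` and `getent passwd -s winbind`.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the thread): what "getent passwd -s files"
# and "getent passwd -s winbind" might return on a domain member.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
breakglass:x:1001:1001:Break-glass admin:/home/breakglass:/bin/bash
user1:x:10001:10001:Local copy of AD user:/home/user1:/bin/bash
"""

WINBIND_PASSWD = """\
user1:*:10001:10001:AD user:/home/EXAMPLE/user1:/bin/bash
alice:*:10002:10001:Alice Example:/home/EXAMPLE/alice:/bin/bash
"""

# Constructed excerpt of /etc/pam.d/common-auth in the layout pam-auth-update
# writes on Debian; minimum_uid=1000 is the default it installs for pam_krb5.
PAM_COMMON_AUTH = """\
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Assumed idmap range for the domain ("idmap config EXAMPLE : range" in
# smb.conf); the numbers are an assumption for this example.
DOMAIN_RANGE = (10000, 19999)

Entry = Tuple[str, int, int]  # (name, uid, gid)


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd(5) lines into (name, uid, gid) tuples, skipping comments."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid = fields[:4]
        entries.append((name, int(uid), int(gid)))
    return entries


def find_collisions(local: List[Entry], domain: List[Entry],
                    domain_range: Tuple[int, int]) -> List[Tuple[str, object]]:
    """Report overlaps between local and directory-backed accounts.

    Findings are ("name", name) when the same account name exists in both,
    ("uid", uid) when a UID is used by both, and ("local-in-domain-range",
    name) when a local account sits inside the idmap range, where the PAM
    stack will treat it as a domain user.
    """
    findings: List[Tuple[str, object]] = []
    local_names = {e[0] for e in local}
    local_uids = {e[1] for e in local}
    for name, uid, _gid in domain:
        if name in local_names:
            findings.append(("name", name))
        if uid in local_uids:
            findings.append(("uid", uid))
    lo, hi = domain_range
    for name, uid, _gid in local:
        if lo <= uid <= hi:
            findings.append(("local-in-domain-range", name))
    return findings


def pam_krb5_minimum_uid(pam_text: str) -> Optional[int]:
    """Return the minimum_uid= value on the first active pam_krb5.so line."""
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#") or "pam_krb5.so" not in line:
            continue
        match = re.search(r"\bminimum_uid=(\d+)", line)
        if match:
            return int(match.group(1))
    return None


def pam_minimum_uid_ok(pam_text: str, domain_range: Tuple[int, int]) -> bool:
    """True when pam_krb5 skips every UID below the domain idmap range."""
    minimum = pam_krb5_minimum_uid(pam_text)
    return minimum is not None and minimum == domain_range[0]


if __name__ == "__main__":
    local = parse_passwd(LOCAL_PASSWD)
    domain = parse_passwd(WINBIND_PASSWD)
    for kind, detail in find_collisions(local, domain, DOMAIN_RANGE):
        print(f"collision: {kind}: {detail}")
    print("pam_krb5 minimum_uid:", pam_krb5_minimum_uid(PAM_COMMON_AUTH),
          "ok" if pam_minimum_uid_ok(PAM_COMMON_AUTH, DOMAIN_RANGE) else "needs change")
```

With the sample data the script flags user1 three times (same name, same UID, and a local UID inside the domain range) and reports that minimum_uid=1000 needs to become the low end of the range; the break-glass account at UID 1001 produces no finding, which is the layout Rowland recommends.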