Hello list, I'll give a detailed explanation below. The quick question is: How can I configure a workstation (running Linux) so it can change user password on the PDC? Details: At work we are migrating from Windows to Linux and we decided to have user's /home exported with NFS4 (no kerberos yet). User database is in LDAP. Some users have shared directories. Since NFS doesn't allow to force groups permission (or I've been unable to find a way) we export shared resources via Samba. The problem is, we also have a 180-day password policy. We have no problems with LDAP, but we're unable to change the samba password on the PDC from the workstations. The test workstation is configured like this: smb.conf: [global] security = domain workgroup = OURDOMAIN password server = * local master = no (note: I tried password server = PDCNETBIOSNAME, but I get the same results) /etc/pam.d/common-password: password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password sufficient pam_winbind.so use_authtok nullok try_first_pass password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so (note: the file was configured by ubuntu's pam-auth-update; I added the pam_winbind.so line) Now, when I try passwd I get: $ LC_ALL=C passwd Enter login(LDAP) password: passwd: Authentication token manipulation error passwd: password unchanged When I use smbpasswd: $ LC_ALL=C smbpasswd Old SMB password: New SMB password: Retype new SMB password: Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE But if I add -r: $ LC_ALL=C smbpasswd -r PDCNETBIOSNAME Old SMB password: New SMB password: Retype new SMB password: Password changed for user nbensa Note that changing passwords from a Windows workstation works. Yes, the Linux workstations were joined to the domain (net rpc join...) I don't know if this is the better way to do this. Maybe there's a better way using only LDAP. We're not considering deploying kerberos for now but I think it will be a much better solution if we could integrate our kerberos database with LDAP. Many thanks in advance for any suggestion, Norberto