Dirbaio Minikiwi
2013-Apr-28 01:50 UTC
[Samba] [samba4] Users can't change password from the server
Hello everyone,

I've installed Samba 4.0.4 from source on an Ubuntu Server 12.04 machine.
I've configured it as an AD DC following the instructions here:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Then I configured Winbind following the instructions here:
http://wiki.samba.org/index.php/Samba4/Winbind

Users can now log in through SSH to the server and access their files and it's all working fine.
But users can't change their password.

At first it didn't work at all. Some googling pointed out that I have to modify /etc/pam.d/common-password. (Is it missing in the wiki article?) It now contains the following:

===========
# here are the per-package modules (the "Primary" block)
password sufficient pam_winbind.so debug
password requisite pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
===========

With these changes, it gets further but still fails. Running passwd gives this output:

===========
VGASMB\dirbaio at samba:~$ passwd
Changing password for VGASMB\dirbaio
(current) NT password:
Enter new NT password:
Retype new NT password:
passwd: User not known to the underlying authentication module
passwd: password unchanged
===========

And the following gets printed to /var/log/auth.log:

===========
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x4000)
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): username [VGASMB\dirbaio] obtained
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): getting password (0x00000021)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): user 'VGASMB\dirbaio' granted access
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x2000)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): username [VGASMB\dirbaio] obtained
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): getting password (0x00000001)
Apr 28 03:27:40 samba passwd[3394]: pam_winbind(passwd:chauthtok): user 'VGASMB\dirbaio' denied access (incorrect password or invalid membership)
Apr 28 03:27:40 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
Apr 28 03:27:40 samba passwd[3394]: pam_unix(passwd:chauthtok): user "VGASMB\dirbaio" does not exist in /etc/passwd
===========

Running smbpasswd fails too:

===========
VGASMB\dirbaio at samba:~$ /usr/local/samba/bin/smbpasswd
added interface eth0 ip=fe80::5054:ff:fe8f:d68f%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.12 bcast=192.168.1.255 netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
===========

Running "smbpasswd dirbaio" as root works.
Running "passwd dirbaio" as root asks me for the old password (why?) and fails the same way as running "passwd" as dirbaio.

(By the way, the wiki says getent passwd should print entries like this:

Administrator:x:0:100::/home/MATWS/Administrator:/bin/false

But I'm getting every entry prefixed with "VGASMB\", like this:

VGASMB\Administrator:*:0:100::/home/VGASMB/Administrator:/bin/bash

Could this be the issue?)

This is my smb.conf:

===========
# Global parameters
[global]
    workgroup = VGASMB
    realm = VGASMB.VGAFIB.COM
    netbios name = SAMBA
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    template shell = /bin/bash
    log level = 3

[homes]
    comment = Home Directories
    browseable = yes
    writable = yes
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %S
#   force user = VGASMB\%S
    force group = domainadmins
    root preexec = /usr/local/samba/scripts/mksambahomedirs.sh %S

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/vgasmb.vgafib.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[public]
    path = /home/public
    writable = yes
    public = yes
    read only = no
    browseable = yes
    create mask = 0640
    directory mask = 2770
    force directory mode = 2770
    force user = VGASMB\public
    force group = users
===========

I'm clueless as to how to fix this. I've tried modifying /etc/pam.d/common-password in other ways, but it still doesn't work. I've googled more, and nothing.

Any help is greatly appreciated.
Thanks in advance!

Andrew Bartlett
2013-Apr-28 09:34 UTC
[Samba] [samba4] Users can't change password from the server
On Sun, 2013-04-28 at 03:50 +0200, Dirbaio Minikiwi wrote:
> Hello everyone,
>
> I've installed Samba 4.0.4 from source on an Ubuntu Server 12.04 machine.
> I've configured it as an AD DC following the instructions here:
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
> Then I configured Winbind following the instructions here:
> http://wiki.samba.org/index.php/Samba4/Winbind
>
> Users can now login through SSH to the server and access their files and
> it's all working fine.
> But users can't change their password.

That codepath is just not implemented in the winbind we use in the AD DC. (One of the many reasons it needs to be replaced).

Instead, have your users connect to a member server, rather than the DC (which shouldn't really have user interactive logins anyway, as a matter of network hygiene).

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
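
An added example, not part of either message: a small Python parser for the pam_winbind debug lines quoted in the first post, which pairs each ENTER/LEAVE of pam_sm_chauthtok and labels the phase from the Linux-PAM flag bits (0x4000 is PAM_PRELIM_CHECK, 0x2000 is PAM_UPDATE_AUTHTOK). The function names and the sample string, built from the ENTER/LEAVE lines of that excerpt, are this example's own.

```python
import re

# Linux-PAM flag bits passed to pam_sm_chauthtok (values from _pam_types.h).
PAM_PRELIM_CHECK = 0x4000
PAM_UPDATE_AUTHTOK = 0x2000

# Constructed sample: the ENTER/LEAVE lines from the auth.log excerpt in the first post.
SAMPLE_LOG = """\
Apr 28 03:27:33 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x4000)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Apr 28 03:27:36 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] ENTER: pam_sm_chauthtok (flags: 0x2000)
Apr 28 03:27:40 samba passwd[3394]: pam_winbind(passwd:chauthtok): [pamh: 0x2547c60] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
"""

LINE_RE = re.compile(
    r"\w+\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(\S+\): "
    r"\[pamh: (?P<pamh>0x[0-9a-f]+)\] (?P<kind>ENTER|LEAVE): pam_sm_chauthtok "
    r"(?:\(flags: (?P<flags>0x[0-9a-f]+)\)|returning \d+ \((?P<name>\w+)\))"
)

def phase_name(flags):
    """Map the chauthtok flags word to the phase it selects."""
    if flags & PAM_PRELIM_CHECK:
        return "prelim_check"      # verifies the current password only
    if flags & PAM_UPDATE_AUTHTOK:
        return "update_authtok"    # actually writes the new password
    return "unknown"

def chauthtok_phases(log_text):
    """Return [(module, phase, result)] for each completed chauthtok call."""
    open_calls, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["pamh"], m["module"])
        if m["kind"] == "ENTER":
            open_calls[key] = phase_name(int(m["flags"], 16))
        elif key in open_calls:
            results.append((m["module"], open_calls.pop(key), m["name"]))
    return results

def first_failure(results):
    """First call that did not return PAM_SUCCESS, or None."""
    return next((r for r in results if r[2] != "PAM_SUCCESS"), None)

if __name__ == "__main__":
    for module, phase, result in chauthtok_phases(SAMPLE_LOG):
        print(f"{module:12} {phase:15} {result}")
```

On the sample, the preliminary check succeeds and the failure is isolated to the update phase, which is the password-change step the reply says the AD DC's winbind does not implement.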