barış tombul
2014-Oct-29 11:46 UTC
[Samba] samba ssh change password Error was: Wrong password
passwd: Authentication token manipulation error
smbpasswd: machine 127.0.0.1 rejected the password change: Error was : Wrong Password

best regards

[FACILITY/btombul at samba ~]$ passwd
Changing password for user FACILITY/btombul.
Changing password for FACILITY/btombul
(current) NT password:
New password:
Retype new password:
passwd: Authentication token manipulation error

[FACILITY/btombul at samba ~]$ smbpasswd
added interface ens192 ip=10.0.20.4 bcast=10.0.20.255 netmask=255.255.255.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
[FACILITY/btombul at samba ~]$

-----------------------------------------------------------
password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so

--------------------------------------------------------------
system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so

------------------------
sshd

#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include system-auth
session include password-auth
session include postlogin

--------------------------------
smb.conf

[global]
server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
obey pam restrictions = yes
bind interfaces only = yes
interfaces = ens192 lo
max protocol = smb3
logon path =
logon script =
logon home =
kerberos method = system keytab
name resolve order = wins bcast hosts
server string = Samba Server
security = user
server role = active directory domain controller
netbios name = SAMBA
disable netbios = no
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
workgroup = FACILITY
password server = samba.facility.local
realm = FACILITY.LOCAL
client ldap sasl wrapping = sign
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
winbind nss info = rfc2307
winbind nested groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind normalize names = yes
winbind rpc only = yes
winbind sealed pipes = no
winbind trusted domains only = no
winbind cache time = 3600
winbind reconnect delay = 30
winbind max clients = 2000
winbind use default domain = true
hosts allow = ALL, 127.0.0.1
encrypt passwords = yes
machine password timeout = 0
wins proxy = yes
wins support = yes
lanman auth = yes
ntlm auth = yes
client lanman auth = yes
client ntlmv2 auth = yes
client plaintext auth = yes
hostname lookups = no
nt pipe support = yes
dns forwarder = 127.0.0.1
allow dns updates = secure
dns proxy = no
passdb backend = ldapsam:ldap://127.0.0.1/
dead time = 0
nsupdate command = /usr/local/bin/nsupdate -g
dbwrap_tdb_mutexes:* = yes
idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
idmap config ALL:default = yes
idmap config ALL:readonly = yes
idmap_ldb:use rfc2307 = yes
idmap config * : range = 2000000-2999999
idmap config * : backend = ldapsam:ldap://127.0.0.1/
idmap config * : schema_mode = rfc2307
idmap config * : readonly = no
idmap config * : default = yes
idmap config * : range = 2000000-2999999
idmap config * : ldap_url = ldap://127.0.0.1/
idmap config FACILITY : schema_mode = rfc2307
idmap config FACILITY : readonly = no
idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
idmap config FACILITY : default = yes
idmap config FACILITY : range = 2000000-2999999
idmap config FACILITY : ldap_url = ldap://127.0.0.1/
ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
ldap suffix = DC=facility,DC=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Hosts
ldap user suffix = ou=User
ldap ssl = no
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap delete dn = yes
ldap passwd sync = yes
pam password change = yes
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
os level = 255
Rowland Penny
2014-Oct-29 11:58 UTC
[Samba] samba ssh change password Error was: Wrong password
On 29/10/14 11:46, barış tombul wrote:
> passwd: Authentication token manipulation error
> smbpasswd: machine 127.0.0.1 rejected the password change: Error was : Wrong Password
>
> best regards
>
> [FACILITY/btombul at samba ~]$ passwd
> Changing password for user FACILITY/btombul.
> Changing password for FACILITY/btombul
> (current) NT password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> [FACILITY/btombul at samba ~]$ smbpasswd
> added interface ens192 ip=10.0.20.4 bcast=10.0.20.255 netmask=255.255.255.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Connecting to 127.0.0.1 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088235
> machine 127.0.0.1 rejected the password change: Error was : Wrong Password.
> [FACILITY/btombul at samba ~]$
>
> -----------------------------------------------------------
> password-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_winbind.so
>
> --------------------------------------------------------------
> system-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_winbind.so
>
> ------------------------
> sshd
>
> #%PAM-1.0
> auth required pam_sepermit.so
> auth substack password-auth
> auth include postlogin
> auth include system-auth
> auth sufficient pam_winbind.so
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open env_params
> session optional pam_keyinit.so force revoke
> session include system-auth
> session include password-auth
> session include postlogin
>
> --------------------------------
> smb.conf
>
> [global]
> server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
> obey pam restrictions = yes
> bind interfaces only = yes
> interfaces = ens192 lo
> max protocol = smb3
> logon path =
> logon script =
> logon home =
> kerberos method = system keytab
> name resolve order = wins bcast hosts
> server string = Samba Server
> security = user
> server role = active directory domain controller
> netbios name = SAMBA
> disable netbios = no
> preferred master = yes
> domain master = yes
> local master = yes
> domain logons = yes
> workgroup = FACILITY
> password server = samba.facility.local
> realm = FACILITY.LOCAL
> client ldap sasl wrapping = sign
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nss info = rfc2307
> winbind nested groups = yes
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind normalize names = yes
> winbind rpc only = yes
> winbind sealed pipes = no
> winbind trusted domains only = no
> winbind cache time = 3600
> winbind reconnect delay = 30
> winbind max clients = 2000
> winbind use default domain = true
> hosts allow = ALL, 127.0.0.1
> encrypt passwords = yes
> machine password timeout = 0
> wins proxy = yes
> wins support = yes
> lanman auth = yes
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client plaintext auth = yes
> hostname lookups = no
> nt pipe support = yes
> dns forwarder = 127.0.0.1
> allow dns updates = secure
> dns proxy = no
> passdb backend = ldapsam:ldap://127.0.0.1/
> dead time = 0
> nsupdate command = /usr/local/bin/nsupdate -g
> dbwrap_tdb_mutexes:* = yes
> idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
> idmap config ALL:default = yes
> idmap config ALL:readonly = yes
> idmap_ldb:use rfc2307 = yes
> idmap config * : range = 2000000-2999999
> idmap config * : backend = ldapsam:ldap://127.0.0.1/
> idmap config * : schema_mode = rfc2307
> idmap config * : readonly = no
> idmap config * : default = yes
> idmap config * : range = 2000000-2999999
> idmap config * : ldap_url = ldap://127.0.0.1/
> idmap config FACILITY : schema_mode = rfc2307
> idmap config FACILITY : readonly = no
> idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
> idmap config FACILITY : default = yes
> idmap config FACILITY : range = 2000000-2999999
> idmap config FACILITY : ldap_url = ldap://127.0.0.1/
> ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
> ldap suffix = DC=facility,DC=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Hosts
> ldap user suffix = ou=User
> ldap ssl = no
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> ldap delete dn = yes
> ldap passwd sync = yes
> pam password change = yes
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> os level = 255

I am a bit lost here, you have this line in smb.conf:

server role = active directory domain controller

This says that you are running samba as an AD DC and presumably provisioned samba, **BUT** the rest of your smb.conf says NT4 style PDC using ldap =-O

Rowland
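A small configuration check that mechanises the observation in Rowland's reply, added here as an example; it is not part of the thread and not Samba's own code (Samba's own validator for smb.conf is testparm). It parses the [global] section, flags the ldapsam and NT4-style PDC options that contradict a server role of "active directory domain controller", and separately flags the weak authentication switches (lanman auth, client lanman auth, client plaintext auth) that appear in the posted config. SAMPLE_SMB_CONF is a constructed excerpt of the options quoted above, and the option lists used for the checks are my own assumptions about which parameters belong to the ldapsam/NT4 model.

```python
"""Check an smb.conf [global] section for NT4/ldapsam options that contradict
an AD DC server role, plus weak-auth switches.  Added example, not Samba code."""

import re

# Constructed sample: a trimmed copy of the settings posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    server role = active directory domain controller
    workgroup = FACILITY
    realm = FACILITY.LOCAL
    security = user
    domain logons = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
    ldap suffix = DC=facility,DC=local
    ldap passwd sync = yes
    ldapsam:trusted = yes
    idmap config * : range = 2000000-2999999
    idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
    lanman auth = yes
    ntlm auth = yes
    client plaintext auth = yes
"""

# Assumed list of ldapsam / NT4-PDC era parameters that have no meaning on an
# AD DC, which keeps its accounts in its own sam.ldb rather than an ldapsam.
LDAPSAM_OPTIONS = {
    "ldap admin dn", "ldap suffix", "ldap user suffix", "ldap group suffix",
    "ldap machine suffix", "ldap idmap suffix", "ldap passwd sync",
    "ldap delete dn", "ldap ssl",
}


def parse_global(text):
    """Return {key: value} for the [global] section.  Keys are normalised the
    way Samba treats them: case-insensitive, internal whitespace collapsed,
    and no spaces around ':' in 'idmap config X : option' style keys."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")     # split on the first '=' only
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        params[key] = value.strip()
    return params


def is_yes(value):
    return value.strip().lower() in {"yes", "true", "1"}


def check_role_conflicts(params):
    """Flag ldapsam/NT4-PDC options once the server role is AD DC."""
    findings = []
    if params.get("server role", "").lower() != "active directory domain controller":
        return findings
    for key, value in params.items():
        if key == "passdb backend" and value.lower().startswith("ldapsam"):
            findings.append(f"{key} = {value}: ldapsam passdb on an AD DC")
        elif key in LDAPSAM_OPTIONS or key.startswith("ldapsam:"):
            findings.append(f"{key} = {value}: ldapsam-era option on an AD DC")
        elif key.startswith("idmap config") and "ldapsam" in value.lower():
            findings.append(f"{key} = {value}: ldapsam idmap backend on an AD DC")
        elif key == "domain logons" and is_yes(value):
            findings.append(f"{key} = {value}: NT4-style PDC switch on an AD DC")
    return findings


def check_weak_auth(params):
    """Flag options that enable LANMAN or plaintext password exchange."""
    weak = ("lanman auth", "client lanman auth", "client plaintext auth")
    return [f"{key} = yes: weak authentication method enabled"
            for key in weak if is_yes(params.get(key, "no"))]


if __name__ == "__main__":
    cfg = parse_global(SAMPLE_SMB_CONF)
    for finding in check_role_conflicts(cfg) + check_weak_auth(cfg):
        print(finding)
```

Run against the constructed sample it reports one line per contradicting option (the ldapsam passdb, the ldap suffixes and admin dn, the ldapsam: flags, the ldapsam idmap backend and domain logons) and two weak-auth lines; it is a triage aid for spotting a provisioned AD DC that still carries an NT4 PDC's smb.conf, not a replacement for testparm.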