samba - Oct 2015 - Changing User password from ssh member server

Hi Rowland,

This is a CentOS 6.7 server.
I was able to make some progress. I have edited /etc/pam.d/system-auth, and
now it looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 typepassword   
sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
session     required      pam_unix.so

Now passwd works, but not really:
[Guilherme at server ~]$ passwd
Changing password for user Guilherme.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for Guilherme
passwd: all authentication tokens updated successfully.

After that, I have logged out and logged in with the same old password. The
password didn't seem to update.


On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny <rowlandpenny241155 at
gmail.com>
wrote:
> On 08/10/15 18:38, Guilherme Boing wrote:
>
>> Hi,
>>
>> I am authenticating users on our linux servers using nslcd/pam_ldap.
>> Authentication is fine, however, it is not possible for the user to
change
>> the password from the server.
>>
>> Is there a way to make it work ?
>>
>> [Guilherme at server ~]$ passwd
>> Changing password for user Guilherme.
>> passwd: Authentication token manipulation error
>>
>> Oct  8 14:37:53 server passwd: pam_unix(passwd:chauthtok): user
>> "Guilherme"
>> does not exist in /etc/passwd
>>
>
> What sort of Linux server?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 08/10/15 18:59, Guilherme Boing wrote:
> Hi Rowland,
>
> This is a CentOS 6.7 server.
> I was able to make some progress. I have edited 
> /etc/pam.d/system-auth, and now it looks like:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type>
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in 
> crond quiet use_uid
> session     optional      pam_ldap.so
> session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
> session     required      pam_unix.so
>
> Now passwd works, but not really:
> [Guilherme at server ~]$ passwd
> Changing password for user Guilherme.
> Enter login(LDAP) password:
> New password:
> Retype new password:
> LDAP password information changed for Guilherme
> passwd: all authentication tokens updated successfully.
>
> After that, I have logged out and logged in with the same old 
> password. The password didn't seem to update.
>
>
> On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny 
> <rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at
gmail.com>>
> wrote:
>
>     On 08/10/15 18:38, Guilherme Boing wrote:
>
>         Hi,
>
>         I am authenticating users on our linux servers using
>         nslcd/pam_ldap.
>         Authentication is fine, however, it is not possible for the
>         user to change
>         the password from the server.
>
>         Is there a way to make it work ?
>
>         [Guilherme at server ~]$ passwd
>         Changing password for user Guilherme.
>         passwd: Authentication token manipulation error
>
>         Oct  8 14:37:53 server passwd: pam_unix(passwd:chauthtok):
>         user "Guilherme"
>         does not exist in /etc/passwd
>
>
>     What sort of Linux server?
>
>     Rowland
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>
Not really getting anywhere here. I think you need to post your smb.conf.

Rowland

I have removed use_auhtok from /etc/pam.d/system-auth and now passwd is
"kind of" working...
I am still able to login with my old password and the new one also. But
only on the linux servers that are authenticating through LDAP.

On my workstation only the old password (the one I was trying to change
through passwd(ssh)) works.

I have noticed that my user now has a userPassword attribute set, where the
other users that have never tried to change the password from passwd (ssh)
do not have.
It seems that my windows workstation does not rely on userPassword, however
the linux servers that are authenticating through LDAP are considering both
userPassword and the AD password also... ?!

smb.conf is pretty much the one that comes with the tarball.
smb.conf and pam configurations: http://pastebin.ca/3185721


On Thu, Oct 8, 2015 at 3:03 PM, Rowland Penny <rowlandpenny241155 at
gmail.com>
wrote:
> On 08/10/15 18:59, Guilherme Boing wrote:
>
>> Hi Rowland,
>>
>> This is a CentOS 6.7 server.
>> I was able to make some progress. I have edited /etc/pam.d/system-auth,
>> and now it looks like:
>>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_ldap.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
type>> password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass
>> password    sufficient    pam_ldap.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in
crond
>> quiet use_uid
>> session     optional      pam_ldap.so
>> session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
>> session     required      pam_unix.so
>>
>> Now passwd works, but not really:
>> [Guilherme at server ~]$ passwd
>> Changing password for user Guilherme.
>> Enter login(LDAP) password:
>> New password:
>> Retype new password:
>> LDAP password information changed for Guilherme
>> passwd: all authentication tokens updated successfully.
>>
>> After that, I have logged out and logged in with the same old password.
>> The password didn't seem to update.
>>
>>
>> On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny <
>> rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at
gmail.com>>
>> wrote:
>>
>>     On 08/10/15 18:38, Guilherme Boing wrote:
>>
>>         Hi,
>>
>>         I am authenticating users on our linux servers using
>>         nslcd/pam_ldap.
>>         Authentication is fine, however, it is not possible for the
>>         user to change
>>         the password from the server.
>>
>>         Is there a way to make it work ?
>>
>>         [Guilherme at server ~]$ passwd
>>         Changing password for user Guilherme.
>>         passwd: Authentication token manipulation error
>>
>>         Oct  8 14:37:53 server passwd: pam_unix(passwd:chauthtok):
>>         user "Guilherme"
>>         does not exist in /etc/passwd
>>
>>
>>     What sort of Linux server?
>>
>>     Rowland
>>
>>     --     To unsubscribe from this list go to the following URL and
read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> Not really getting anywhere here. I think you need to post your smb.conf.
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>