Guilherme Boing
2015-Oct-08 18:16 UTC
[Samba] Changing User password from ssh member server
I have removed use_authtok from /etc/pam.d/system-auth and now passwd is "kind of" working...
I am still able to log in with my old password and the new one also. But only on the Linux servers that are authenticating through LDAP.

On my workstation only the old password (the one I was trying to change through passwd (ssh)) works.

I have noticed that my user now has a userPassword attribute set, which the other users that have never tried to change the password from passwd (ssh) do not have.
It seems that my Windows workstation does not rely on userPassword, however the Linux servers that are authenticating through LDAP are considering both userPassword and the AD password also... ?!

smb.conf is pretty much the one that comes with the tarball.
smb.conf and pam configurations: http://pastebin.ca/3185721

On Thu, Oct 8, 2015 at 3:03 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 08/10/15 18:59, Guilherme Boing wrote:
>> Hi Rowland,
>>
>> This is a CentOS 6.7 server.
>> I was able to make some progress. I have edited /etc/pam.d/system-auth, and now it looks like:
>>
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session optional pam_ldap.so
>> session required pam_mkhomedir.so skel=/etc/skel umask=0022
>> session required pam_unix.so
>>
>> Now passwd works, but not really:
>> [Guilherme at server ~]$ passwd
>> Changing password for user Guilherme.
>> Enter login(LDAP) password:
>> New password:
>> Retype new password:
>> LDAP password information changed for Guilherme
>> passwd: all authentication tokens updated successfully.
>>
>> After that, I have logged out and logged in with the same old password.
>> The password didn't seem to update.
>>
>> On Thu, Oct 8, 2015 at 2:47 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>> On 08/10/15 18:38, Guilherme Boing wrote:
>>>> Hi,
>>>>
>>>> I am authenticating users on our Linux servers using nslcd/pam_ldap.
>>>> Authentication is fine, however, it is not possible for the user to change the password from the server.
>>>>
>>>> Is there a way to make it work?
>>>>
>>>> [Guilherme at server ~]$ passwd
>>>> Changing password for user Guilherme.
>>>> passwd: Authentication token manipulation error
>>>>
>>>> Oct 8 14:37:53 server passwd: pam_unix(passwd:chauthtok): user "Guilherme" does not exist in /etc/passwd
>>>
>>> What sort of Linux server?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> Not really getting anywhere here. I think you need to post your smb.conf.
>
> Rowland
Rowland Penny
2015-Oct-08 18:29 UTC
[Samba] Changing User password from ssh member server
On 08/10/15 19:16, Guilherme Boing wrote:
> I have removed use_authtok from /etc/pam.d/system-auth and now passwd is "kind of" working...
> I am still able to log in with my old password and the new one also. But only on the Linux servers that are authenticating through LDAP.
>
> On my workstation only the old password (the one I was trying to change through passwd (ssh)) works.
>
> I have noticed that my user now has a userPassword attribute set, which the other users that have never tried to change the password from passwd (ssh) do not have.
> It seems that my Windows workstation does not rely on userPassword, however the Linux servers that are authenticating through LDAP are considering both userPassword and the AD password also... ?!
>
> smb.conf is pretty much the one that comes with the tarball.
> smb.conf and pam configurations: http://pastebin.ca/3185721

Ah, that answers all the questions, it is an AD DC !!!

No, you will not have any users in /etc/passwd (apart from the system users), they all need to be in AD and if they are going to log in to the DC (not recommended) you need to set up winbind, nslcd or sssd.

I think you need to do a bit more reading, start here:

https://wiki.samba.org/index.php/Main_Page

The tool to deal with users (and a lot, lot more) is samba-tool, try 'samba-tool --help'

Rowland
Guilherme Boing
2015-Oct-08 18:34 UTC
[Samba] Changing User password from ssh member server
Yes, it is an AD DC. The thing is, the only way I know to change the user password is from a Windows workstation (CTRL+ALT+DEL and go to Change password).
I was trying to achieve the same thing through another Linux server that is not the AD DC.
So I thought that it would be possible for them to change their AD passwords through "passwd", but it didn't seem to work properly, because it is only updating the userPassword attribute.

On Thu, Oct 8, 2015 at 3:29 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> Ah, that answers all the questions, it is an AD DC !!!
>
> No, you will not have any users in /etc/passwd (apart from the system users), they all need to be in AD and if they are going to log in to the DC (not recommended) you need to set up winbind, nslcd or sssd.
>
> I think you need to do a bit more reading, start here:
>
> https://wiki.samba.org/index.php/Main_Page
>
> The tool to deal with users (and a lot, lot more) is samba-tool, try 'samba-tool --help'
>
> Rowland
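The thread ends on the observation that running passwd through pam_ldap on the member server only wrote a userPassword attribute into the user's AD object, while the Windows workstation kept accepting the old password. An administrator who has had users do this will want to find every account in that state. The script below is an added example, not code from the thread or from Samba: it reads an LDIF export of the user objects and prints the sAMAccountName of each entry that carries a userPassword attribute. The ldbsearch command in the comment, the sam.ldb path (typical for a tarball install under /usr/local/samba) and the sample LDIF are assumptions constructed for the example; on a real DC, pipe the output of that search into find_stray_userpassword instead of sample_ldif.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: list AD accounts that carry a
# userPassword attribute. As the thread observes, Windows logons do not consult
# userPassword, so an account where only that attribute changed still has its
# old AD password. A real run would use an export such as
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' sAMAccountName userPassword
# (path assumed; adjust to your install) piped into find_stray_userpassword.

# Constructed sample LDIF standing in for that export. It deliberately contains a
# folded line (continuation lines start with a space) and a base64 value ("::"),
# because ldbsearch and ldapsearch emit both.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Guilherme,CN=Users,
 DC=example,DC=com
sAMAccountName: Guilherme
userPassword:: e0NSWVBUfSQ2JGFiYyRkZWY=

# record 2
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

# record 3
dn: CN=Bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userPassword: {CRYPT}$6$xyz$
 uvw

EOF
}

# Read LDIF on stdin; print the sAMAccountName of every entry that has a
# userPassword attribute, one per line. Records are separated by blank lines.
# A sAMAccountName that LDIF base64-encodes (non-ASCII names) is printed as-is.
find_stray_userpassword() {
  awk '
    # unfold: a line starting with a space continues the previous line
    /^ / { buf = buf substr($0, 2); next }
    {
      if (buf != "") handle(buf)
      buf = $0
      if ($0 == "") flush()
    }
    END { if (buf != "") handle(buf); flush() }

    # inspect one complete (unfolded) attribute line of the current record
    function handle(line) {
      if (line ~ /^sAMAccountName:/) {
        sub(/^sAMAccountName:+ */, "", line)
        name = line
      } else if (line ~ /^userPassword:/) {
        has_pw = 1
      }
    }
    # end of record: report it if it had both a name and a userPassword
    function flush() {
      if (has_pw && name != "") print name
      name = ""; has_pw = 0
    }
  '
}

# Stand-alone run against the constructed sample: prints Guilherme and bob.
sample_ldif | find_stray_userpassword
```

The accounts it lists are the ones whose real AD credentials (the NT hash and Kerberos keys the DC authenticates against) were never changed by the passwd run; their owners need to change the password through a path the DC treats as a password change, such as the Windows change-password dialog the thread mentions or samba-tool on the DC, which the reply above points to.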