Mark Foley
2016-Jan-15 05:21 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On January 14, 2016 at 12:16 Rowland Penny wrote:> Using 'passwd' does work, but pam has to be setup correctly and you > cannot change the password on the first day unless you change the > minimum password age to '0'You answer piles of questions on this list, so you may not remember, but you helped me set this whole domain-member/single logon thing last October. The only thing you had me change with the as-installed PAM configuration was to add to /etc/pam.d/common-account: session required pam_mkhomedir.so skel=/etc/skel/ umask=0002 I also found I needed to change a line in /etc/pam.d/common-password to: password [success=3 default=ignore] pam_krb5.so minimum_uid=10000 (instead of minimum_uid=1000) in order to have my non-domain local users be able to change their passwords using passwd. If there is a PAM file I can post to verify it's correctness, I'd be happy to do that.> OK, I use Mate on debian wheezy and after a bit of testing, I have found > that you can change a users AD password with the gdm3 login manager.I will investigate gmd3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I suppose it should work. Thanks for your response! --Mark -----Original Message-----> To: samba at lists.samba.org > From: Rowland penny <rpenny at samba.org> > Date: Thu, 14 Jan 2016 12:16:22 +0000 > Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, > > On 14/01/16 09:36, Rowland penny wrote: > > On 14/01/16 05:54, Mark Foley wrote: > >> Hmmm, this message is a week old and nothing? > >> > >> I know many of you have domain member hosts in your domain and surely > >> are logging in as domain > >> users authenticating with the Samba4 AD/DC, right? > >> > >> How do you change your password without having the domain > >> Administrator do it for you? > >> > >> --Mark > >> > >> -----Original Message----- > >> From: Mark Foley <mfoley at ohprs.org> > >> Date: Fri, 08 Jan 2016 12:10:16 -0500 > >> To: samba at lists.samba.org > >> Subject: [Samba] Samba AD/DC, Single-Sign-On, > >> domain users cannot change password > >> > >> I have successfully joined my Linux/Ubuntu workstation to the Samaba > >> AD/DC domain thanks to > >> help from Rowland Penny. > >> > >> Now I face an interesting problem ... Domain users cannot change > >> their password. > >> > >> Domain users can successfully login to the Linux workstation using > >> their domain credentials, > >> but when the user tries to change the password using "Passwords and > >> Keys" from the desktop > >> utility, it does nothing. > >> > >> Trying to change the password from a terminal session using `passwd` > >> gives the prompt: "Current > >> Kerberos password:" but entering the current domain password is not > >> accepted and the prompt repeats. > >> > >> If the Domain Administrator set the user's account to "User must > >> change password at next > >> login", or if the domain policy expires passwords after so-many days, > >> the user cannot log into > >> the Linux workstations -- the display manager login dialog spins for > >> several minutes, then > >> shows, "Invalid password, please try again." > >> > >> This is serious. How does a domain user change his own password? > >> > >> HELP! > >> > >> --Mark > >> > > > > Using 'passwd' does work, but pam has to be setup correctly and you > > cannot change the password on the first day unless you change the > > minimum password age to '0' > > > > Changing the password at login has nothing to do with Samba (provided > > you can change it from the CLI, see above), it is down to your login > > manager. > > > > Rowland > > > > > > OK, I use Mate on debian wheezy and after a bit of testing, I have found > that you can change a users AD password with the gdm3 login manager. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2016-Jan-15 10:28 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 15/01/16 05:21, Mark Foley wrote:> You answer piles of questions on this list, so you may not remember, > but you helped me set this whole domain-member/single logon thing last > October. The only thing you had me change with the as-installed PAM > configuration was to add to /etc/pam.d/common-account: session > required pam_mkhomedir.so skel=/etc/skel/ umask=0002 I also found I > needed to change a line in /etc/pam.d/common-password to: password > [success=3 default=ignore] pam_krb5.so minimum_uid=10000 (instead of > minimum_uid=1000) in order to have my non-domain local users be able > to change their passwords using passwd. If there is a PAM file I can > post to verify it's correctness, I'd be happy to do that.You are right, I don't remember :-) Also good catch with the pam_krb5 line change, this is something I wasn't aware of, it has other repercussions, if you want to create a local user and don't specify a uid, it will get a uid in the '10000' range, not a good idea.>> OK, I use Mate on debian wheezy and after a bit of testing, I have found >> that you can change a users AD password with the gdm3 login manager. > I will investigate gmd3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I > suppose it should work.It works on Debian wheezy with Mate, I have these pam packages installed: libpam-winbind libpam-krb5 libnss-winbind With these, I have 'passwd' changing AD passwords (I wrote a YAD script for this) and using gdm3, when a user tries to login with an expired password, they are asked to change it. I have also set the minimum password age to '0' Rowland> > Thanks for your response! > > --Mark > > -----Original Message----- >> To: samba at lists.samba.org >> From: Rowland penny <rpenny at samba.org> >> Date: Thu, 14 Jan 2016 12:16:22 +0000 >> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, >> >> On 14/01/16 09:36, Rowland penny wrote: >>> On 14/01/16 05:54, Mark Foley wrote: >>>> Hmmm, this message is a week old and nothing? >>>> >>>> I know many of you have domain member hosts in your domain and surely >>>> are logging in as domain >>>> users authenticating with the Samba4 AD/DC, right? >>>> >>>> How do you change your password without having the domain >>>> Administrator do it for you? >>>> >>>> --Mark >>>> >>>> -----Original Message----- >>>> From: Mark Foley <mfoley at ohprs.org> >>>> Date: Fri, 08 Jan 2016 12:10:16 -0500 >>>> To: samba at lists.samba.org >>>> Subject: [Samba] Samba AD/DC, Single-Sign-On, >>>> domain users cannot change password >>>> >>>> I have successfully joined my Linux/Ubuntu workstation to the Samaba >>>> AD/DC domain thanks to >>>> help from Rowland Penny. >>>> >>>> Now I face an interesting problem ... Domain users cannot change >>>> their password. >>>> >>>> Domain users can successfully login to the Linux workstation using >>>> their domain credentials, >>>> but when the user tries to change the password using "Passwords and >>>> Keys" from the desktop >>>> utility, it does nothing. >>>> >>>> Trying to change the password from a terminal session using `passwd` >>>> gives the prompt: "Current >>>> Kerberos password:" but entering the current domain password is not >>>> accepted and the prompt repeats. >>>> >>>> If the Domain Administrator set the user's account to "User must >>>> change password at next >>>> login", or if the domain policy expires passwords after so-many days, >>>> the user cannot log into >>>> the Linux workstations -- the display manager login dialog spins for >>>> several minutes, then >>>> shows, "Invalid password, please try again." >>>> >>>> This is serious. How does a domain user change his own password? >>>> >>>> HELP! >>>> >>>> --Mark >>>> >>> Using 'passwd' does work, but pam has to be setup correctly and you >>> cannot change the password on the first day unless you change the >>> minimum password age to '0' >>> >>> Changing the password at login has nothing to do with Samba (provided >>> you can change it from the CLI, see above), it is down to your login >>> manager. >>> >>> Rowland >>> >>> >> OK, I use Mate on debian wheezy and after a bit of testing, I have found >> that you can change a users AD password with the gdm3 login manager. >> >> Rowland >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Mark Foley
2016-Jan-19 05:26 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On Fri, 15 Jan 2016 10:28:14 Rowland penny <rpenny at samba.org> wrote"> It works on Debian wheezy with Mate, I have these pam packages installed: > > libpam-winbind libpam-krb5 libnss-winbind > > With these, I have 'passwd' changing AD passwords (I wrote a YAD script > for this) and using gdm3, when a user tries to login with an expired > password, they are asked to change it. > I have also set the minimum password age to '0'I'm having no success installing gdm3 on Ubuntu 15.10. I'll continue to debug that, but I suspect I could probably do it without gdm3. At worst, I could write a script or binary to do this I think (if I have the right information). I do have all the packages isntalled that you listed (you gave me those in your original "October" list). Could you share your YAD script? Or more simply (I can figure out the GUI bit later), what do you do to/with `passwd` to get it to change AD password? After all the work I've done to join Linux workstations to a Samba4 AD/DC, this is kind of my show-stopper at the moment. THX -- Mark -----Original Message-----> To: samba at lists.samba.org > From: Rowland penny <rpenny at samba.org> > Date: Fri, 15 Jan 2016 10:28:14 +0000 > Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, > domain users cannot change password > > On 15/01/16 05:21, Mark Foley wrote: > > You answer piles of questions on this list, so you may not remember, > > but you helped me set this whole domain-member/single logon thing last > > October. The only thing you had me change with the as-installed PAM > > configuration was to add to /etc/pam.d/common-account: session > > required pam_mkhomedir.so skel=/etc/skel/ umask=0002 I also found I > > needed to change a line in /etc/pam.d/common-password to: password > > [success=3 default=ignore] pam_krb5.so minimum_uid=10000 (instead of > > minimum_uid=1000) in order to have my non-domain local users be able > > to change their passwords using passwd. If there is a PAM file I can > > post to verify it's correctness, I'd be happy to do that. > > You are right, I don't remember :-) > > Also good catch with the pam_krb5 line change, this is something I > wasn't aware of, it has other repercussions, if you want to create a > local user and don't specify a uid, it will get a uid in the '10000' > range, not a good idea. > > >> OK, I use Mate on debian wheezy and after a bit of testing, I have found > >> that you can change a users AD password with the gdm3 login manager. > > I will investigate gmd3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I > > suppose it should work. > > It works on Debian wheezy with Mate, I have these pam packages installed: > > libpam-winbind libpam-krb5 libnss-winbind > > With these, I have 'passwd' changing AD passwords (I wrote a YAD script > for this) and using gdm3, when a user tries to login with an expired > password, they are asked to change it. > I have also set the minimum password age to '0' > > Rowland > > > > > Thanks for your response! > > > > --Mark > > > > -----Original Message----- > >> To: samba at lists.samba.org > >> From: Rowland penny <rpenny at samba.org> > >> Date: Thu, 14 Jan 2016 12:16:22 +0000 > >> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, > >> > >> On 14/01/16 09:36, Rowland penny wrote: > >>> On 14/01/16 05:54, Mark Foley wrote: > >>>> Hmmm, this message is a week old and nothing? > >>>> > >>>> I know many of you have domain member hosts in your domain and surely > >>>> are logging in as domain > >>>> users authenticating with the Samba4 AD/DC, right? > >>>> > >>>> How do you change your password without having the domain > >>>> Administrator do it for you? > >>>> > >>>> --Mark > >>>> > >>>> -----Original Message----- > >>>> From: Mark Foley <mfoley at ohprs.org> > >>>> Date: Fri, 08 Jan 2016 12:10:16 -0500 > >>>> To: samba at lists.samba.org > >>>> Subject: [Samba] Samba AD/DC, Single-Sign-On, > >>>> domain users cannot change password > >>>> > >>>> I have successfully joined my Linux/Ubuntu workstation to the Samaba > >>>> AD/DC domain thanks to > >>>> help from Rowland Penny. > >>>> > >>>> Now I face an interesting problem ... Domain users cannot change > >>>> their password. > >>>> > >>>> Domain users can successfully login to the Linux workstation using > >>>> their domain credentials, > >>>> but when the user tries to change the password using "Passwords and > >>>> Keys" from the desktop > >>>> utility, it does nothing. > >>>> > >>>> Trying to change the password from a terminal session using `passwd` > >>>> gives the prompt: "Current > >>>> Kerberos password:" but entering the current domain password is not > >>>> accepted and the prompt repeats. > >>>> > >>>> If the Domain Administrator set the user's account to "User must > >>>> change password at next > >>>> login", or if the domain policy expires passwords after so-many days, > >>>> the user cannot log into > >>>> the Linux workstations -- the display manager login dialog spins for > >>>> several minutes, then > >>>> shows, "Invalid password, please try again." > >>>> > >>>> This is serious. How does a domain user change his own password? > >>>> > >>>> HELP! > >>>> > >>>> --Mark > >>>> > >>> Using 'passwd' does work, but pam has to be setup correctly and you > >>> cannot change the password on the first day unless you change the > >>> minimum password age to '0' > >>> > >>> Changing the password at login has nothing to do with Samba (provided > >>> you can change it from the CLI, see above), it is down to your login > >>> manager. > >>> > >>> Rowland > >>> > >>> > >> OK, I use Mate on debian wheezy and after a bit of testing, I have found > >> that you can change a users AD password with the gdm3 login manager. > >> > >> Rowland > >> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Mark Foley
2016-Jan-19 15:42 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:> I have attached a new version of change_AD_pass, would you like to test it ?Yes, I will give it a shot!> I am also wondering if there is a need for a script that would change a > users password and at the same time set the unixUserPassword ?My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed, at least not for me. If you went that route, I think you would want to avoid the condition that Guilherme Boing wrote about where the UnixUserPassword got changed, but the AD password was not and the user could log on using BOTH. I don't know, but if I'm looking at this from the Windows side and thinking about what the unixUserPassword was intended for, my guess would be that it assumed a non-AD Unix user. In the meantime (before having tried your new script), I did some experimentation and have some observations that may or may not be useful. I can't help thinking that pam has something to do with this. My common-passwords is below which, except for the "minimum_uid=1000" bit, is as-installed: password [success=3 default=ignore] pam_krb5.so minimum_uid=10000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so and /etc/nsswitch.conf has: passwd: compat winbind group: compat winbind shadow: compat hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis With common-passwords as shown, if I try changing a domain user's password using `passwd` I get: mark at labrat:~$ passwd Current Kerberos password: (correct domain pw) Current Kerberos password: (correct domain pw) passwd: Authentication token manipulation error passwd: password unchanged I get this if I type the correct domain password each time at the "Current Kerberos password" prompt. However, if I type an incorrect password I get: mark at labrat:~$ passwd Current Kerberos password: (incorrect pw) passwd: Authentication token manipulation error passwd: password unchanged Notice that I am only prompted once if the domain password is incorrect, but I am prompted twice if it is correct. So, somewhere down there, it must know that the password I type is the correct domain pw ... somehow. If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark), but when when I try to `passwd` I get: mark at labrat:~$ passwd Changing password for mark (current) NT password: passwd: Authentication token manipulation error passwd: password unchanged Still no go, but an intersting change of prompts. Any clues here? THX --Mark -----Original Message-----> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, domain users cannot change > password > To: Mark Foley <mfoley at ohprs.org> > From: Rowland penny <rpenny at samba.org> > Date: Tue, 19 Jan 2016 15:15:15 +0000 >[deleted]> > OK, bin the earlier tarball I sent you, somebody pointed out that > 'passwd' changes unixUserPassword and not unicodePwd, even though from > my testing, a user could login using the new password. > > I have re-written the bash script to use samba-tool instead of passwd, > though this also entails altering user.py (a part of Samba) as well, I > will be proposing the alteration as a patch to Samba-technical. > > I have attached a new version of change_AD_pass, would you like to test it ? > > I am also wondering if there is a need for a script that would change a > users password and at the same time set the unixUserPassword ? > > Rowland
Rowland penny
2016-Jan-19 16:01 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 19/01/16 15:42, Mark Foley wrote:> On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote: > >> I have attached a new version of change_AD_pass, would you like to test it ? > Yes, I will give it a shot!Thanks, let me know how you go on.> >> I am also wondering if there is a need for a script that would change a >> users password and at the same time set the unixUserPassword ? > My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed, > at least not for me. If you went that route, I think you would want to avoid the condition > that Guilherme Boing wrote about where the UnixUserPassword got changed, but the AD password > was not and the user could log on using BOTH. I don't know, but if I'm looking at this from the > Windows side and thinking about what the unixUserPassword was intended for, my guess would be > that it assumed a non-AD Unix user.You shouldn't have domain users in /etc/passwd (actually, I don't think you can). I was actually wondering if having a Unix password available in AD for things that use ldap authentication was a good idea.> > In the meantime (before having tried your new script), I did some experimentation and have some > observations that may or may not be useful. I can't help thinking that pam has something to do > with this. My common-passwords is below which, except for the "minimum_uid=1000" bit, is as-installed: > > password [success=3 default=ignore] pam_krb5.so minimum_uid=10000 > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 > password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass > password requisite pam_deny.so > password required pam_permit.so > password optional pam_gnome_keyring.so > > and /etc/nsswitch.conf has: > > passwd: compat winbind > group: compat winbind > shadow: compat > hosts: files dns > networks: files > protocols: db files > services: db files > ethers: db files > rpc: db files > netgroup: nis > > With common-passwords as shown, if I try changing a domain user's password using `passwd` I get: > > mark at labrat:~$ passwd > Current Kerberos password: (correct domain pw) > Current Kerberos password: (correct domain pw) > passwd: Authentication token manipulation error > passwd: password unchanged > > I get this if I type the correct domain password each time at the "Current Kerberos password" > prompt. However, if I type an incorrect password I get: > > mark at labrat:~$ passwd > Current Kerberos password: (incorrect pw) > passwd: Authentication token manipulation error > passwd: password unchanged > > Notice that I am only prompted once if the domain password is incorrect, but I am prompted > twice if it is correct. So, somewhere down there, it must know that the password I type is the > correct domain pw ... somehow. > > If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark), > but when when I try to `passwd` I get: > > mark at labrat:~$ passwd > Changing password for mark > (current) NT password: > passwd: Authentication token manipulation error > passwd: password unchanged > > Still no go, but an intersting change of prompts. > > Any clues here?No, not really, as I said I could get 'passwd' to change the unixuserpassword, but I use the default '1000' in common-password. Rowland
Apparently Analagous Threads
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password