Mark Foley
2016-Jan-15 05:21 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On January 14, 2016 at 12:16 Rowland Penny wrote:

> Using 'passwd' does work, but pam has to be setup correctly and you
> cannot change the password on the first day unless you change the
> minimum password age to '0'

You answer piles of questions on this list, so you may not remember, but you helped me set up this whole domain-member/single logon thing last October. The only thing you had me change with the as-installed PAM configuration was to add to /etc/pam.d/common-account:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0002

I also found I needed to change a line in /etc/pam.d/common-password to:

password [success=3 default=ignore] pam_krb5.so minimum_uid=10000

(instead of minimum_uid=1000) in order to have my non-domain local users be able to change their passwords using passwd. If there is a PAM file I can post to verify its correctness, I'd be happy to do that.

> OK, I use Mate on debian wheezy and after a bit of testing, I have found
> that you can change a users AD password with the gdm3 login manager.

I will investigate gdm3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I suppose it should work.

Thanks for your response!

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Thu, 14 Jan 2016 12:16:22 +0000
> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On,
>
> On 14/01/16 09:36, Rowland penny wrote:
> > On 14/01/16 05:54, Mark Foley wrote:
> >> Hmmm, this message is a week old and nothing?
> >>
> >> I know many of you have domain member hosts in your domain and surely
> >> are logging in as domain users authenticating with the Samba4 AD/DC, right?
> >>
> >> How do you change your password without having the domain
> >> Administrator do it for you?
> >>
> >> --Mark
> >>
> >> -----Original Message-----
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: Fri, 08 Jan 2016 12:10:16 -0500
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
> >>
> >> I have successfully joined my Linux/Ubuntu workstation to the Samba
> >> AD/DC domain thanks to help from Rowland Penny.
> >>
> >> Now I face an interesting problem ... Domain users cannot change
> >> their password.
> >>
> >> Domain users can successfully login to the Linux workstation using
> >> their domain credentials, but when the user tries to change the
> >> password using "Passwords and Keys" from the desktop utility, it
> >> does nothing.
> >>
> >> Trying to change the password from a terminal session using `passwd`
> >> gives the prompt: "Current Kerberos password:" but entering the
> >> current domain password is not accepted and the prompt repeats.
> >>
> >> If the Domain Administrator set the user's account to "User must
> >> change password at next login", or if the domain policy expires
> >> passwords after so-many days, the user cannot log into the Linux
> >> workstations -- the display manager login dialog spins for several
> >> minutes, then shows, "Invalid password, please try again."
> >>
> >> This is serious. How does a domain user change his own password?
> >>
> >> HELP!
> >>
> >> --Mark
> >>
> >
> > Using 'passwd' does work, but pam has to be setup correctly and you
> > cannot change the password on the first day unless you change the
> > minimum password age to '0'
> >
> > Changing the password at login has nothing to do with Samba (provided
> > you can change it from the CLI, see above), it is down to your login
> > manager.
> >
> > Rowland
> >
>
> OK, I use Mate on debian wheezy and after a bit of testing, I have found
> that you can change a users AD password with the gdm3 login manager.
>
> Rowland
Rowland penny
2016-Jan-15 10:28 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 15/01/16 05:21, Mark Foley wrote:
> You answer piles of questions on this list, so you may not remember,
> but you helped me set this whole domain-member/single logon thing last
> October. The only thing you had me change with the as-installed PAM
> configuration was to add to /etc/pam.d/common-account:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0002
>
> I also found I needed to change a line in /etc/pam.d/common-password to:
>
> password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
>
> (instead of minimum_uid=1000) in order to have my non-domain local users
> be able to change their passwords using passwd. If there is a PAM file
> I can post to verify its correctness, I'd be happy to do that.

You are right, I don't remember :-)

Also good catch with the pam_krb5 line change, this is something I wasn't aware of. It has other repercussions: if you want to create a local user and don't specify a uid, it will get a uid in the '10000' range, not a good idea.

>> OK, I use Mate on debian wheezy and after a bit of testing, I have found
>> that you can change a users AD password with the gdm3 login manager.
> I will investigate gdm3 and post back results. I am using Cinnamon on
> Ubuntu 15.10, but I suppose it should work.

It works on Debian wheezy with Mate, I have these pam packages installed:

libpam-winbind libpam-krb5 libnss-winbind

With these, I have 'passwd' changing AD passwords (I wrote a YAD script for this) and using gdm3, when a user tries to login with an expired password, they are asked to change it. I have also set the minimum password age to '0'.

Rowland
Mark Foley
2016-Jan-19 05:26 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On Fri, 15 Jan 2016 10:28:14 Rowland penny <rpenny at samba.org> wrote:
> It works on Debian wheezy with Mate, I have these pam packages installed:
>
> libpam-winbind libpam-krb5 libnss-winbind
>
> With these, I have 'passwd' changing AD passwords (I wrote a YAD script
> for this) and using gdm3, when a user tries to login with an expired
> password, they are asked to change it.
> I have also set the minimum password age to '0'

I'm having no success installing gdm3 on Ubuntu 15.10. I'll continue to debug that, but I suspect I could probably do it without gdm3. At worst, I could write a script or binary to do this, I think (if I have the right information).

I do have all the packages installed that you listed (you gave me those in your original "October" list). Could you share your YAD script? Or more simply (I can figure out the GUI bit later), what do you do to/with `passwd` to get it to change the AD password?

After all the work I've done to join Linux workstations to a Samba4 AD/DC, this is kind of my show-stopper at the moment.

THX -- Mark
Mark Foley
2016-Jan-19 15:42 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:
> I have attached a new version of change_AD_pass, would you like to test it ?

Yes, I will give it a shot!

> I am also wondering if there is a need for a script that would change a
> users password and at the same time set the unixUserPassword ?

My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed, at least not for me. If you went that route, I think you would want to avoid the condition that Guilherme Boing wrote about where the unixUserPassword got changed, but the AD password was not, and the user could log on using BOTH. I don't know, but if I'm looking at this from the Windows side and thinking about what the unixUserPassword was intended for, my guess would be that it assumed a non-AD Unix user.

In the meantime (before having tried your new script), I did some experimentation and have some observations that may or may not be useful. I can't help thinking that pam has something to do with this.

My common-password is below which, except for the "minimum_uid=1000" bit, is as-installed:

password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

and /etc/nsswitch.conf has:

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

With common-password as shown, if I try changing a domain user's password using `passwd` I get:

mark@labrat:~$ passwd
Current Kerberos password: (correct domain pw)
Current Kerberos password: (correct domain pw)
passwd: Authentication token manipulation error
passwd: password unchanged

I get this if I type the correct domain password each time at the "Current Kerberos password" prompt. However, if I type an incorrect password I get:

mark@labrat:~$ passwd
Current Kerberos password: (incorrect pw)
passwd: Authentication token manipulation error
passwd: password unchanged

Notice that I am only prompted once if the domain password is incorrect, but I am prompted twice if it is correct. So, somewhere down there, it must know that the password I type is the correct domain pw ... somehow.

If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark), but when I try to `passwd` I get:

mark@labrat:~$ passwd
Changing password for mark
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

Still no go, but an interesting change of prompts.

Any clues here?

THX --Mark

-----Original Message-----
> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On, domain users cannot change
> password
> To: Mark Foley <mfoley at ohprs.org>
> From: Rowland penny <rpenny at samba.org>
> Date: Tue, 19 Jan 2016 15:15:15 +0000
>
[deleted]
>
> OK, bin the earlier tarball I sent you, somebody pointed out that
> 'passwd' changes unixUserPassword and not unicodePwd, even though from
> my testing, a user could login using the new password.
>
> I have re-written the bash script to use samba-tool instead of passwd,
> though this also entails altering user.py (a part of Samba) as well, I
> will be proposing the alteration as a patch to Samba-technical.
>
> I have attached a new version of change_AD_pass, would you like to test it ?
>
> I am also wondering if there is a need for a script that would change a
> users password and at the same time set the unixUserPassword ?
>
> Rowland
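The `[success=N default=ignore]` controls in the common-password stack posted above decide which module actually performs the change and which result `passwd` ends up reporting. The following is an added illustration, not code from this thread, from Samba or from Linux-PAM: it models the control semantics documented in pam.conf(5) (ok, bad, die, ignore and the jump N) and walks the posted stack with constructed module return codes for three scenarios. The per-module return codes in the scenarios are assumptions chosen to illustrate the jump logic; what the real pam_krb5, pam_unix and pam_winbind return depends on the KDC, the password policy and the winbind configuration.

```python
"""Model of how Linux-PAM walks a password stack with [success=N default=ignore]
controls.  Added illustration for this thread; not Samba or Linux-PAM code.  The
control tables follow pam.conf(5); the module return codes in the scenarios are
constructed assumptions, not observations from the poster's machine."""

# Keyword controls, written as the [value=action] tables pam.conf(5) gives for them.
REQUISITE = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
OPTIONAL = {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"}


def skip_on_success(n):
    """[success=N default=ignore]: on success jump over the next N modules, treat
    every other return code as if the module were not on the stack."""
    return {"success": n, "default": "ignore"}


# The common-password stack posted in the thread (module arguments omitted;
# only the control field matters for the jump logic).
COMMON_PASSWORD = [
    (skip_on_success(3), "pam_krb5.so"),
    (skip_on_success(2), "pam_unix.so"),
    (skip_on_success(1), "pam_winbind.so"),
    (REQUISITE, "pam_deny.so"),
    (REQUIRED, "pam_permit.so"),
    (OPTIONAL, "pam_gnome_keyring.so"),
]

# pam_deny's chauthtok always returns PAM_AUTHTOK_ERR; pam_permit always succeeds.
FIXED_RESULTS = {"pam_deny.so": "authtok_err", "pam_permit.so": "success",
                 "pam_gnome_keyring.so": "success"}

# What passwd prints for the final status (pam_strerror text).
PAM_STRERROR = {"success": "Success",
                "authtok_err": "Authentication token manipulation error",
                "perm_denied": "Permission denied"}


def run_stack(stack, module_results):
    """One pass over the stack.  Returns (final status, list of modules that ran).

    module_results maps module name -> PAM return code for the modules the
    scenario controls; anything else uses FIXED_RESULTS.  Per pam.conf(5):
    'ok' sets the stack result unless a failure is already recorded, 'bad'
    records the first failure, 'die' is 'bad' and stops, 'ignore' does not
    contribute, and an integer N is 'ok' plus skipping the next N modules.
    """
    impression, status, ran = None, None, []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ret = module_results.get(module, FIXED_RESULTS.get(module, "ignore"))
        action = control.get(ret, control["default"])
        ran.append(module)
        i += 1
        if isinstance(action, int):
            i += action
            action = "ok"
        if action == "ok":
            if impression != "bad":
                impression, status = "ok", ret
        elif action in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", ret
            if action == "die":
                break
        # "ignore": nothing recorded, fall through to the next module
    # Linux-PAM fails the request if no module contributed a result at all.
    return (status if impression else "perm_denied"), ran


def domain_user_kerberos_ok():
    """Assumed: pam_krb5 verifies the old password and the KDC accepts the change."""
    return run_stack(COMMON_PASSWORD, {"pam_krb5.so": "success"})


def domain_user_all_modules_fail():
    """Assumed: the KDC refuses the change, pam_unix has no shadow entry for a
    winbind user, and pam_winbind fails too.  default=ignore discards each
    result, so the requisite pam_deny line decides the outcome."""
    return run_stack(COMMON_PASSWORD, {"pam_krb5.so": "authtok_err",
                                       "pam_unix.so": "user_unknown",
                                       "pam_winbind.so": "authtok_err"})


def local_user_below_minimum_uid():
    """Assumed: a uid below minimum_uid makes pam_krb5 return something other
    than success (the exact code does not matter under default=ignore) and
    pam_unix changes the local password."""
    return run_stack(COMMON_PASSWORD, {"pam_krb5.so": "user_unknown",
                                       "pam_unix.so": "success"})


if __name__ == "__main__":
    for scenario in (domain_user_kerberos_ok, domain_user_all_modules_fail,
                     local_user_below_minimum_uid):
        status, ran = scenario()
        print(f"{scenario.__name__}: {' -> '.join(ran)} => passwd: {PAM_STRERROR[status]}")
```

Two caveats when reading the model against a real run. First, `passwd` drives the password stack twice, once with PAM_PRELIM_CHECK and once with PAM_UPDATE_AUTHTOK, which is why a module may prompt for the current password more than once; the model collapses both passes into each module's final result. Second, because every changing module on this stack carries `default=ignore`, any failure they report is discarded rather than surfaced, and the requisite `pam_deny.so` line is then what produces "Authentication token manipulation error" (PAM_AUTHTOK_ERR). Reading that message therefore tells you only that none of pam_krb5, pam_unix or pam_winbind succeeded, not which one failed or why; the modules' own debug logging is needed for that.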
Rowland penny
2016-Jan-19 16:01 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 19/01/16 15:42, Mark Foley wrote:
> On Tue, 19 Jan 2016 15:15:15 Rowland penny <rpenny at samba.org> wrote:
>
>> I have attached a new version of change_AD_pass, would you like to test it ?
> Yes, I will give it a shot!

Thanks, let me know how you go on.

>> I am also wondering if there is a need for a script that would change a
>> users password and at the same time set the unixUserPassword ?
> My domain users do not have a local Unix entry in /etc/passwd, so I don't think that is needed,
> at least not for me. If you went that route, I think you would want to avoid the condition
> that Guilherme Boing wrote about where the unixUserPassword got changed, but the AD password
> was not, and the user could log on using BOTH. I don't know, but if I'm looking at this from the
> Windows side and thinking about what the unixUserPassword was intended for, my guess would be
> that it assumed a non-AD Unix user.

You shouldn't have domain users in /etc/passwd (actually, I don't think you can). I was actually wondering if having a Unix password available in AD for things that use ldap authentication was a good idea.

> In the meantime (before having tried your new script), I did some experimentation and have some
> observations that may or may not be useful. I can't help thinking that pam has something to do
> with this.
>
> My common-password is below which, except for the "minimum_uid=1000" bit, is as-installed:
>
> password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> password requisite pam_deny.so
> password required pam_permit.so
> password optional pam_gnome_keyring.so
>
> and /etc/nsswitch.conf has:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> With common-password as shown, if I try changing a domain user's password using `passwd` I get:
>
> mark@labrat:~$ passwd
> Current Kerberos password: (correct domain pw)
> Current Kerberos password: (correct domain pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> I get this if I type the correct domain password each time at the "Current Kerberos password"
> prompt. However, if I type an incorrect password I get:
>
> mark@labrat:~$ passwd
> Current Kerberos password: (incorrect pw)
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Notice that I am only prompted once if the domain password is incorrect, but I am prompted
> twice if it is correct. So, somewhere down there, it must know that the password I type is the
> correct domain pw ... somehow.
>
> If I comment out the pam_krb5.so line altogether I can still log in as the domain user (mark),
> but when I try to `passwd` I get:
>
> mark@labrat:~$ passwd
> Changing password for mark
> (current) NT password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> Still no go, but an interesting change of prompts.
>
> Any clues here?

No, not really, as I said I could get 'passwd' to change the unixUserPassword, but I use the default '1000' in common-password.

Rowland