Chris Hastie
2016-Feb-16 07:47 UTC
[Samba] Password changes and syncing passwords with Linux accounts
Hi I'm experiencing some odd behaviour when trying to change passwords. I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When I change a password (either from a Win10 Pro client, or using smbpasswd on the machine itself) it all reports that things have worked. I can then login to Samba using the new password. However, when I now try to login to Linux using the new password I get this error on the terminal: Failed to add entry for user MYDOMAIN\someuser. In /var/log/auth.log I see Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password (0x00000388) Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item returned a password Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' granted access Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify user (from getpwnam(MYDOMAIN\someuser)) Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from 192.168.37.119 port 53822 ssh2 Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser by PAM account configuration [preauth] Now when I try the old password for a Linux login it works. BUT, in doing so it seems to reset the Samba password back to the old one. What it looks to me is happening, though I know little about PAM and auth mechanisms, is * the samba password is successfully changed * no attempt is made, or if it is it isn't successful, to change the password in /etc/passwd or /etc/shadow * PAM, having checked /etc/shadow and not found a match, checks winbind * winbind approves the login, but somewhere along the line prepends MYDOMAIN\ to the user name * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails * a subsequent successful Linux login causes something to update Samba, perhaps this line in /etc/pam.d/common-auth: auth optional pam_smbpass.so migrate I have tried various combinations of 'unix password sync', 'passwd program', 'passwd chat' and 'pam password change' in smb.conf in an attempt to get /etc/passwd and /etc/shadow updated when a password is changed. I've also experimented with 'winbind use default domain = yes' to see if this stopped the prepending of MYDOMAIN\. All to no avail, and I'm not clear that any of these options has an effect when running as an AD-DC. I should add that as this installation was migrated from an NT PDC all users have unix accounts on the Linux machine. I would ideally like to keep the passwords in sync, and to be able to do so using Windows tools such as Ctl+Alt+Del. It does seem as if changing passwords on the Linux box using passwd will change both Linux and Samba passwords. Can anybody point me in the right direction? Cheers Chris
L.P.H. van Belle
2016-Feb-16 08:16 UTC
[Samba] Password changes and syncing passwords with Linux accounts
I suggest you read also : Thread : AD Group lost from Winbind Looks to me the same problem, and imo a bug. But not identified yet. For now, im same affected as you, but as far i tested its only on the DC's. A quick fix can be : server services = -dns -winbindd +winbind # server services = -dns Now wbinfo -u gives back only the users and you should be able to login again if you have pam_winbind setup also. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Chris Hastie > Verzonden: dinsdag 16 februari 2016 8:48 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Password changes and syncing passwords with Linux > accounts > > Hi > > I'm experiencing some odd behaviour when trying to change passwords. I > have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. When > I change a password (either from a Win10 Pro client, or using smbpasswd > on the machine itself) it all reports that things have worked. I can > then login to Samba using the new password. > > However, when I now try to login to Linux using the new password I get > this error on the terminal: > > Failed to add entry for user MYDOMAIN\someuser. > > In /var/log/auth.log I see > > Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser> rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser > Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting > password (0x00000388) > Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): pam_get_item > returned a password > Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): user 'someuser' > granted access > Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not > identify user (from getpwnam(MYDOMAIN\someuser)) > Feb 16 07:18:20 oak sshd[12723]: Failed password for someuser from > 192.168.37.119 port 53822 ssh2 > Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for user someuser > by PAM account configuration [preauth] > > Now when I try the old password for a Linux login it works. BUT, in > doing so it seems to reset the Samba password back to the old one. > > What it looks to me is happening, though I know little about PAM and > auth mechanisms, is > > * the samba password is successfully changed > * no attempt is made, or if it is it isn't successful, to change the > password in /etc/passwd or /etc/shadow > * PAM, having checked /etc/shadow and not found a match, checks winbind > * winbind approves the login, but somewhere along the line prepends > MYDOMAIN\ to the user name > * there is no user MYDOMAIN\someuser in /etc/passwd, so the login fails > * a subsequent successful Linux login causes something to update Samba, > perhaps this line in /etc/pam.d/common-auth: > > auth optional pam_smbpass.so migrate > > I have tried various combinations of 'unix password sync', 'passwd > program', 'passwd chat' and 'pam password change' in smb.conf in an > attempt to get /etc/passwd and /etc/shadow updated when a password is > changed. I've also experimented with 'winbind use default domain = yes' > to see if this stopped the prepending of MYDOMAIN\. All to no avail, and > I'm not clear that any of these options has an effect when running as an > AD-DC. > > I should add that as this installation was migrated from an NT PDC all > users have unix accounts on the Linux machine. I would ideally like to > keep the passwords in sync, and to be able to do so using Windows tools > such as Ctl+Alt+Del. It does seem as if changing passwords on the Linux > box using passwd will change both Linux and Samba passwords. > > Can anybody point me in the right direction? > > Cheers > > Chris > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2016-Feb-16 08:38 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 07:47, Chris Hastie wrote:> Hi > > I'm experiencing some odd behaviour when trying to changepasswords. > I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. > When I change a password (either from a Win10 Pro client, or using > smbpasswd on the machine itself) it all reports that things have > worked. I can then login to Samba using the new password. > > However, when I now try to login to Linux using the new password I > get this error on the terminal: > > Failed to add entry for user MYDOMAIN\someuser. > > In /var/log/auth.log I see > > Feb 16 07:18:20 oak sshd[12723]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=cranesbill.thegrove.oak-wood.co.uk user=someuser Feb 16 > 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): getting password > (0x00000388) Feb 16 07:18:20 oak sshd[12723]: pam_winbind(sshd:auth): > pam_get_item returned a password Feb 16 07:18:20 oak sshd[12723]: > pam_winbind(sshd:auth): user 'someuser' granted access Feb 16 > 07:18:20 oak sshd[12723]: pam_unix(sshd:account): could not identify > user (from getpwnam(MYDOMAIN\someuser)) Feb 16 07:18:20 oak > sshd[12723]: Failed password for someuser from 192.168.37.119 port > 53822 ssh2 Feb 16 07:18:20 oak sshd[12723]: fatal: Access denied for > user someuser by PAM account configuration [preauth] > > Now when I try the old password for a Linux login it works. BUT, in > doing so it seems to reset the Samba password back to the old one. > > What it looks to me is happening, though I know little about PAM and > auth mechanisms, is > > * the samba password is successfully changed * no attempt is made, or > if it is it isn't successful, to change the password in /etc/passwd > or /etc/shadow * PAM, having checked /etc/shadow and not found a > match, checks winbind * winbind approves the login, but somewhere > along the line prepends MYDOMAIN\ to the user name * there is no user > MYDOMAIN\someuser in /etc/passwd, so the login fails * a subsequent > successful Linux login causes something to update Samba, perhaps this > line in /etc/pam.d/common-auth: > > auth optional pam_smbpass.so migrate > > I have tried various combinations of 'unix password sync', 'passwd > program', 'passwd chat' and 'pam password change' in smb.conf in an > attempt to get /etc/passwd and /etc/shadow updated when a password is > changed. I've also experimented with 'winbind use default domain = > yes' to see if this stopped the prepending of MYDOMAIN\. All to no > avail, and I'm not clear that any of these options has an effect when > running as an AD-DC. > > I should add that as this installation was migrated from an NT PDC > all users have unix accounts on the Linux machine. I would ideally > like to keep the passwords in sync, and to be able to do so using > Windows tools such as Ctl+Alt+Del. It does seem as if changing > passwords on the Linux box using passwd will change both Linux and > Samba passwords. > > Can anybody point me in the right direction? > > Cheers > > Chris > OK, you say this: I have Samba 4.1.6-Ubuntu configured as an AD-DC on Ubuntu 14.04LTS. Then you say this: I should add that as this installation was migrated from an NT PDC Finally you say this: all users have unix accounts on the Linux machine. You are not going to like this, but I am going to say it anyway: *Remove* any users that are in AD from /etc/passwd (the same goes for groups) All your users & groups should now only exist in AD, you do not need or can have, users & groups in AD *and* /etc/passwd & /etc/group. Your users will only have one password and this will be stored in AD in a hidden attribute. Rowland
Chris Hastie
2016-Feb-16 09:21 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 08:38, Rowland penny wrote:> You are not going to like this, but I am going to say it anyway: > > *Remove* any users that are in AD from /etc/passwd (the same goes for > groups) > > All your users & groups should now only exist in AD, you do not need > or can have, users & groups in AD *and* /etc/passwd & /etc/group. > > Your users will only have one password and this will be stored in AD > in a hidden attribute.You're right. I don't like it. I don't like it because it leaves things even more broken than before. Specifically, I can no longer log into the linux at all. And some, but not all Samba based functionality is lost, though I didn't leave it like that long enough to work out exactly what. wbinfo -a someuser%somepassword succeeded, I could browse from a Linux machine with cifs, but some ownCloud external storage using smb failed. Presumably if I remove users from /etc/passwd then there is something else I need to do to get linux logins to work again? Cheers Chris
Possibly Parallel Threads
- Password changes and syncing passwords with Linux accounts
- Password changes and syncing passwords with Linux accounts
- Password changes and syncing passwords with Linux accounts
- Password changes and syncing passwords with Linux accounts
- Password changes and syncing passwords with Linux accounts