Dr. Peer-Joachim Koch
2018-Jan-03 13:49 UTC
[Samba] samba AD: using passwd on linux to change PW
Hi,

a short question about changing passwords. Our Linux login server is using winbind for authentication. Everything is working well, but changing the password for a user does not work. We see the following error:

passwd
Changing password for USER
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log

pam_winbind(sshd:auth): getting password (0x00000388)
Jan 3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

Login is working fine, also the groups are all correct.

Maybe something in the pam-config has to be changed?

Where can I find some description to set up the system so that every user can execute passwd?

System Debian 9.3 using winbind against Samba AD.

--
Bye,
Peer
________________________________________________________

Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10 Telefon: ++49 3641 57-6705
D-07745 Jena Telefax: ++49 3641 57-7705
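Added example (not part of the original post and not Samba project code): a small parser for pam_winbind failure entries of the kind quoted above. It extracts the PAM service and phase from the pam_winbind(service:phase) tag, plus the libwbclient call, PAM error and NTSTATUS, so that entries logged during login (sshd:auth, as in the quoted lines) can be separated from entries logged by the password-change phase. The last sample line is constructed for contrast and its field values are illustrative.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are modelled on the auth.log excerpt
# in the post; the fourth (passwd:chauthtok) is a hypothetical entry for contrast.
SAMPLE_LOG = """\
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Jan  3 14:42:10 HOSTNAME passwd[4401]: pam_winbind(passwd:chauthtok): request wbcChangeUserPasswordEx failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_PERM_DENIED (6), NTSTATUS: NT_STATUS_ACCESS_DENIED, Error message was: Access is denied
"""

# module(service:phase) tag written by the PAM logging helper
TAG_RE = re.compile(r"pam_winbind\((?P<service>[^:()]+):(?P<phase>[^()]+)\):\s+(?P<msg>.*)")
# structured failure message emitted by pam_winbind
FAIL_RE = re.compile(
    r"request (?P<call>\w+) failed: (?P<wbc>\w+), "
    r"PAM error: (?P<pam>\w+) \((?P<code>\d+)\), "
    r"NTSTATUS: (?P<nt>\w+), Error message was: (?P<text>.*)$"
)

def parse_failures(log_text):
    """Return one dict per pam_winbind 'request ... failed' entry."""
    failures = []
    for line in log_text.splitlines():
        tag = TAG_RE.search(line)
        if not tag:
            continue  # not a pam_winbind line
        fail = FAIL_RE.search(tag.group("msg"))
        if not fail:
            continue  # informational entry, e.g. "getting password"
        entry = fail.groupdict()
        entry["code"] = int(entry["code"])
        entry["service"] = tag.group("service")
        entry["phase"] = tag.group("phase")
        failures.append(entry)
    return failures

def summarize(failures):
    """Count failures per (service, phase, NTSTATUS)."""
    return Counter((f["service"], f["phase"], f["nt"]) for f in failures)

def password_change_failures(failures):
    """Keep only entries logged by the password-change (chauthtok) phase."""
    return [f for f in failures if f["phase"] == "chauthtok"]

if __name__ == "__main__":
    for (service, phase, nt), n in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{service}:{phase} {nt} x{n}")
```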
L.P.H. van Belle
2018-Jan-03 14:15 UTC
[Samba] samba AD: using passwd on linux to change PW
Hi Peer,

This is my output, this account testaccount1 was created 2 minutes ago before the tests below.

passwd testaccount1
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
passwd: Authentication token manipulation error
passwd: password unchanged

If you run: pam-auth-update
You should see something like this.

PAM profiles to enable:

[ ] Create home directory during login
[*] Kerberos authentication
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Inheritable Capabilities Management

Same server, but now with a user disabled.
passwd someuser ( but disabled in AD )
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Access denied: Not permitted to change password
Access is denied
passwd: Authentication token manipulation error
passwd: password unchanged

Same user but now enabled in AD.
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
root@rtd-print1:~# passwd xreib
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
passwd: password updated successfully

So this should work fine.

Debian 9.3
Samba 4.7.3 ( from my own apt )

Best regards,

Louis
Dr. Peer-Joachim Koch
2018-Jan-03 14:48 UTC
[Samba] samba AD: using passwd on linux to change PW
Thanks a lot. I will check it.
We do not use Kerberos - is it necessary?

Bye, Peer

--
With kind regards,
Peer-Joachim Koch
L.P.H. van Belle
2018-Jan-03 14:51 UTC
[Samba] samba AD: using passwd on linux to change PW
You're welcome.
For the password change I believe it is.
But give me a few min, I'll disable it and test again.

Greetz,

Louis