On Mon, 4 Sep 2023 19:28:42 +0200
Matthias Leopold via samba <samba at lists.samba.org> wrote:
> Hi,
>
> on my Linux domain members (in Samba AD domain) password change in
> Linux with "passwd" only works when I use "winbind use default domain
> = yes". When I use recommended default "winbind use default domain
> no" entering the current password is asked twice, then fails.
>
> SMB\user123@deepops-login-01:~$ passwd
> Current Kerberos password:
> Current Kerberos password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> /var/log/auth.log says:
>
> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): pam_get_item returned a password
> Sep 4 18:14:41 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): user 'SMB\user123' granted access
> Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_unix(passwd:chauthtok): user "SMB\user123" does not exist in /etc/passwd
> Sep 4 18:14:45 deepops-login-01 passwd[2165]: pam_winbind(passwd:chauthtok): getting password (0x00000012)
>
>
> I'm using Ubuntu 20.04 with Sernet Samba 4.16.11.
>
> pam-auth-update enabled
> [*] Kerberos authentication
> [*] Unix authentication
> [*] SerNet Samba Winbind authentication
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = SMB.MEDUNIWIEN.AC.AT
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/samba/smb.conf
> workgroup = SMB
> realm = SMB.MEDUNIWIEN.AC.AT
> security = ADS
> ...
>
> /etc/pam.d/common-password
> password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> ...
>
> thx 4 advice
> Matthias

First, I recommend you remove the libpam-krb5 package and ensure the
libpam-winbind & libnss-winbind packages are installed.

Can you please post the output of 'testparm -s' when run on a domain
member?

Rowland
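
An added example, not part of the thread or of Samba: a small parser for the password stack quoted above that lists the modules in execution order and flags pam_krb5.so stacked ahead of pam_winbind.so, the combination the reply recommends removing. The function names `parse_stack` and `review` are hypothetical, and the sample assumes one PAM entry per line.

```python
import re

# Constructed sample: the three common-password lines from the post, one
# entry per line; the elided ("...") remainder of the file is not reproduced.
COMMON_PASSWORD = """\
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
"""

# type, control (simple keyword or [value=action ...]), module, arguments
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mgmt_type="password"):
    """Return the modules of one PAM management type, in execution order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = ENTRY.match(line)
        if not m or m.group(1) != mgmt_type:  # also skips @include lines
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        actions = {}
        if control.startswith("["):
            actions = dict(p.split("=", 1) for p in control[1:-1].split())
        stack.append({"module": module, "actions": actions, "args": args})
    return stack

def review(stack):
    """Flag pam_krb5.so stacked ahead of pam_winbind.so on a winbind member."""
    names = [e["module"] for e in stack]
    findings = []
    if "pam_krb5.so" in names and "pam_winbind.so" in names:
        k, w = names.index("pam_krb5.so"), names.index("pam_winbind.so")
        if k < w:
            findings.append(
                f"pam_krb5.so (position {k + 1}) runs before pam_winbind.so "
                f"(position {w + 1}); it comes from the libpam-krb5 package")
    return findings

if __name__ == "__main__":
    for pos, e in enumerate(parse_stack(COMMON_PASSWORD), 1):
        print(pos, e["module"], e["actions"], e["args"])
    for f in review(parse_stack(COMMON_PASSWORD)):
        print("finding:", f)
```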