> On Mon, 13 May 2024 17:10:20 -0700
> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>
>> I feel like this should be super easy, and that I must be doing
>> something dumb, but I need to create another sudo user for the VM's
>> the DC's are running on.
>>
>> I've created a "domain admin" equivalent user in AD - and perhaps
>> this account can be used. I also attempted to create a local user and
>> add them to the local sudo group, but that didn't seem to work.
>> But I don't *need* an AD account. I can simply create a local user on
>> each DC for sudo use, but I'll need a way that works. (When I attempt
>> to create the local user, it prompts for the password, and then an NT
>> password. And when I try to SSH/login to that local account, it
>> fails.)
>
> It shouldn't ask you for an NT password, how are you creating the
> 'local' user ?

As root I use;
adduser

I tried it again as a test.
In the add-user process, I get a prompt for the "Current Kerberos password:" (I didn't pay a lot of attention the first time, when it asked for an NT password - so I'm not sure where that came up.)

If I give it null passwords (just hit enter), I get
passwd: Authentication token manipulation error
passwd: password unchanged

So, I'm a little puzzled.

-Greg

On Tue, 14 May 2024 06:11:01 -0700
Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> On Mon, 13 May 2024 17:10:20 -0700
>> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>>
>>> I feel like this should be super easy, and that I must be doing
>>> something dumb, but I need to create another sudo user for the VM's
>>> the DC's are running on.
>>>
>>> I've created a "domain admin" equivalent user in AD - and perhaps
>>> this account can be used. I also attempted to create a local user
>>> and add them to the local sudo group, but that didn't seem to
>>> work. But I don't *need* an AD account. I can simply create a
>>> local user on each DC for sudo use, but I'll need a way that
>>> works. (When I attempt to create the local user, it prompts for
>>> the password, and then an NT password. And when I try to SSH/login
>>> to that local account, it fails.)
>>
>> It shouldn't ask you for an NT password, how are you creating the
>> 'local' user ?
>
> As root I use;
> adduser
>
> I tried it again as a test.
> In the add-user process, I get a prompt for the "Current Kerberos
> password:" (I didn't pay a lot of attention the first time, when it
> asked for an NT password - so I'm not sure where that came up.) If I
> give it null passwords (just hit enter), I get
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> So, I'm a little puzzled.
>
> -Greg

I asked because before I replied to your post, I tried to create a user and got this:

adminuser at tmpdc1:~ $ sudo adduser testadmin
Adding user `testadmin' ...
Adding new group `testadmin' (1001) ...
Adding new user `testadmin' (1001) with group `testadmin (1001)' ...
Creating home directory `/home/testadmin' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for testadmin
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y
Adding new user `testadmin' to supplemental / extra groups `users' ...
Adding user `testadmin' to group `users' ...

Now I was doing this on one of my DCs, which runs Raspberry pi OS, but that is really just Debian 12 tweaked.

Can I ask if you have libpam-krb5 installed ?

Rowland

On 14-05-2024 15:11, Gregory Sloop via samba wrote:

>> On Mon, 13 May 2024 17:10:20 -0700
>> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>>> I feel like this should be super easy, and that I must be doing
>>> something dumb, but I need to create another sudo user for the VM's
>>> the DC's are running on.
>>> I've created a "domain admin" equivalent user in AD - and perhaps
>>> this account can be used. I also attempted to create a local user and
>>> add them to the local sudo group, but that didn't seem to work.
>>> But I don't *need* an AD account. I can simply create a local user on
>>> each DC for sudo use, but I'll need a way that works. (When I attempt
>>> to create the local user, it prompts for the password, and then an NT
>>> password. And when I try to SSH/login to that local account, it
>>> fails.)
>> It shouldn't ask you for an NT password, how are you creating the
>> 'local' user ?
> As root I use;
> adduser
>
> I tried it again as a test.
> In the add-user process, I get a prompt for the "Current Kerberos password:" (I didn't pay a lot of attention the first time, when it asked for an NT password - so I'm not sure where that came up.)
>
> If I give it null passwords (just hit enter), I get
> passwd: Authentication token manipulation error
> passwd: password unchanged

I would suspect your pam is configured to use winbind as well...

> So, I'm a little puzzled.

If you install libuser (apt-get install libuser) you get a set of tools that will always and only operate on local accounts, e.g. commands like this:

lchsh, lchfn, lid, lnewusers, lgroupadd, luseradd, lgroupdel, luserdel, lusermod, lgroupmod, lchage, lpasswd

- Kees.

> -Greg
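
Both replies point at the PAM configuration (libpam-krb5, winbind). As an added example that is not part of any message in this thread, the script below lists the modules in a PAM file's "password" stack in order, so Kerberos or winbind entries that would see a local password change stand out. The function names and the sample file are constructed here; on Debian the file to inspect would typically be /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added example: list the modules in the "password" stack of a PAM file,
# in order, so non-local ones (pam_krb5, pam_winbind) stand out.

# pam_password_modules FILE -> one module name per line, in stack order.
pam_password_modules() {
    awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $1 == "password" || $1 == "-password" {
            i = 2
            # A bracketed control such as [success=2 default=ignore]
            # may contain spaces; skip to the field that closes it.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            i++
            # Print the module name without any directory prefix.
            if (i <= NF) { n = split($i, p, "/"); print p[n] }
        }
    ' "$1"
}

# nonlocal_password_modules FILE -> modules that pass password changes
# to Kerberos or winbind rather than only the local shadow file.
nonlocal_password_modules() {
    pam_password_modules "$1" | grep -E '^pam_(krb5|winbind)\.so$' || true
}

# Constructed sample resembling a Debian common-password file on a host
# with libpam-krb5 and libpam-winbind enabled (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password  [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
password  [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  [success=1 default=ignore]  pam_winbind.so try_authtok try_first_pass
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

echo "password stack order:"
pam_password_modules "$sample"
echo "non-local modules:"
nonlocal_password_modules "$sample"
```
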