samba AD: using passwd on linux to change PW

Samba - General mailing list
Hi,

A short question about changing passwords. Our Linux login server is
using winbind for authentication. Everything is working well, but
changing the password for a user does not work. We see the following
error:

passwd
Changing password for USER
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

/var/log/auth.log

pam_winbind(sshd:auth): getting password (0x00000388)
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

Login is working fine, also the groups are all correct.

Maybe something in the pam-config has to be changed?

Where can I find some description of how to set up the system so that
every user can execute passwd?

System Debian 9.3 using winbind against Samba AD.


--
Bye,
     Peer
________________________________________________________

Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Phone: ++49 3641 57-6705
D-07745 Jena                 Fax:   ++49 3641 57-7705



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: samba AD: using passwd on linux to change PW

Samba - General mailing list
Hi Peer,

This is my output; this account, testaccount1, was created 2 minutes before the tests below.

passwd testaccount1
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
Your password must be at least 5 characters; cannot repeat any of your previous 5 passwords; Please type a different password. Type a password which meets these requirements in both text boxes.
passwd: Authentication token manipulation error
passwd: password unchanged

If you run pam-auth-update, you should see something like this:

  PAM profiles to enable:

     [ ] Create home directory during login
     [*] Kerberos authentication
     [*] Unix authentication
     [*] Winbind NT/Active Directory authentication
     [*] Register user sessions in the systemd control group hierarchy
     [*] Inheritable Capabilities Management


Same server, but now with a user disabled.
passwd someuser ( but disabled in AD )
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Access denied: Not permitted to change password
Access is denied
passwd: Authentication token manipulation error
passwd: password unchanged

Same user but now enabled in AD.
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
root@rtd-print1:~# passwd xreib
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
passwd: password updated successfully

So this should work fine.

Debian 9.3
Samba 4.7.3 ( from my own apt )



Best regards,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Dr. Peer-Joachim Koch via samba
> Sent: Wednesday, 3 January 2018 14:50
> To: [hidden email]
> Subject: [Samba] samba AD: using passwd on linux to change PW

Re: samba AD: using passwd on linux to change PW

Samba - General mailing list
Thanks a lot. I will check it.
We do not use Kerberos - is it necessary?

Bye, Peer

On 03.01.2018 15:15, L.P.H. van Belle via samba wrote:

--
With kind regards,
     Peer-Joachim Koch

Re: samba AD: using passwd on linux to change PW

Samba - General mailing list
You're welcome.

For the password change I believe it is.
But give me a few min, I'll disable it and test again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Dr. Peer-Joachim Koch via samba
> Sent: Wednesday, 3 January 2018 15:48
> To: [hidden email]
> Subject: Re: [Samba] samba AD: using passwd on linux to change PW

Re: samba AD: using passwd on linux to change PW

Samba - General mailing list
Well, test done.

If I disable Kerberos, I'm also getting the same error.

pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): user 'NTDOM\user' granted access
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x00000012)
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): getting password (0x0000002a)
pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
pam_winbind(passwd:chauthtok): user 'NTDOM\user' denied access (incorrect password or invalid membership)

And that last line is crazy, 10000% sure I typed the correct password.

So enable Kerberos and you're set.


Greetz,

Louis
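
Added example (not part of the original thread and not code from the Samba project): a small Python triage script for the pam_winbind/pam_unix lines quoted in the messages above. It rejoins mail-wrapped log lines, counts wbcLogonUser failures per PAM service and phase, and lists the order of outcomes in the passwd chauthtok stack; the function names and the unwrap heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Log lines taken from the messages above (excerpt), including the
# mail-wrapped form of the sshd lines; "getting password" lines are omitted.
SAMPLE_LOG = r"""
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jan  3 14:41:36 HOSTNAME sshd[4355]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN
(10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified
account does not exist.
pam_winbind(passwd:chauthtok): user 'NTDOM\user' granted access
pam_unix(passwd:chauthtok): user "NTDOM\user" does not exist in /etc/passwd
pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
pam_winbind(passwd:chauthtok): user 'NTDOM\user' denied access (incorrect password or invalid membership)
"""

# A log entry is recognised by its "pam_module(service:phase):" token.
TOKEN_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>\w+)\):")
FAIL_RE = re.compile(
    r"request (?P<call>\w+) failed: (?P<wbc>WBC_ERR_\w+), "
    r"PAM error: (?P<pam>PAM_\w+) \((?P<code>\d+)\), "
    r"NTSTATUS: (?P<nt>NT_STATUS_\w+)")
USER_RE = re.compile(r"user ['\"](?P<user>[^'\"]+)['\"]")


def unwrap(text):
    """Rejoin lines a mail client wrapped. Heuristic (assumption): a line
    without a module token continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TOKEN_RE.search(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_line(line):
    """Split one entry into module, service, phase, message and details."""
    m = TOKEN_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["msg"] = line[m.end():].strip()
    fail = FAIL_RE.search(entry["msg"])
    entry["failure"] = fail.groupdict() if fail else None
    user = USER_RE.search(entry["msg"])
    entry["user"] = user.group("user") if user else None
    return entry


def outcome(entry):
    """Reduce an entry to a short outcome label."""
    if entry["failure"]:
        return "failed:" + entry["failure"]["nt"]
    if "granted access" in entry["msg"]:
        return "granted"
    if "denied access" in entry["msg"]:
        return "denied"
    if "does not exist in /etc/passwd" in entry["msg"]:
        return "not-local"
    return "info"


def parsed(text):
    return [e for e in map(parse_line, unwrap(text)) if e]


def failures_by_phase(text):
    """Count winbind request failures per (service, phase, NTSTATUS)."""
    return Counter((e["service"], e["phase"], e["failure"]["nt"])
                   for e in parsed(text) if e["failure"])


def chauthtok_sequence(text):
    """Ordered (module, outcome) pairs from the password-change stack."""
    return [(e["module"], outcome(e))
            for e in parsed(text) if e["phase"] == "chauthtok"]


if __name__ == "__main__":
    for key, count in failures_by_phase(SAMPLE_LOG).items():
        print(count, *key)
    for module, result in chauthtok_sequence(SAMPLE_LOG):
        print(module, result)
```

Run over the excerpt, the sshd:auth failure (NT_STATUS_NO_SUCH_USER) and the passwd:chauthtok failure (NT_STATUS_WRONG_PASSWORD) land in separate buckets, and the chauthtok sequence shows pam_winbind logging "granted access" before the later wrong-password rejection.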
 



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of L.P.H. van Belle via samba
> Sent: Wednesday, 3 January 2018 15:52
> To: [hidden email]
> Subject: Re: [Samba] samba AD: using passwd on linux to change PW