#1 2015-03-02 14:13:47

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

Cannot get "passwd" to work with pam_winbind (Active Directory/Samba)

I have a Samba Active Directory server and AD users can log in to Linux boxes. I'd like them to be able to change their passwords from Linux.

I've set up winbind and PAM and users can log in fine. However, users cannot change passwords.

I used the PAM configuration as per the wiki, although I note that /etc/pam.d/passwd doesn't include the "system-auth" file that the Wiki instructions describe. I can either paste the "password" entries into /etc/pam.d/passwd or modify it to include "system-auth". I've tried both ways without any luck. Here is the PAM config I have (from the Wiki instructions):

password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
password  optional  pam_permit.so

and here is a typical session

$ passwd
Changing password for MYDOMAIN\myuser
(current) NT password: 
Enter new NT password: 
Retype new NT password: 
passwd: Authentication failure
passwd: password unchanged

and the journal (I enabled debug in the above config)

Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x4000)
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000021)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' granted access
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)

Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x2000)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000001)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' denied access (incorrect password or invalid membership)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)

I've done a bit of searching and have seen others reporting the same "incorrect password or invalid membership" but nothing concrete on how this should be configured. So I'd really appreciate anyone who can share a working configuration...
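
A small parser for pam_winbind debug output like the journal above, as an added example that is not part of the original post: it pairs each ENTER/LEAVE of pam_sm_chauthtok, decodes the flags with the Linux-PAM constants (0x4000 is PAM_PRELIM_CHECK, 0x2000 is PAM_UPDATE_AUTHTOK), and reports the first phase that failed. The function names are illustrative, and the embedded sample is a subset of the lines posted above.

```python
import re

# Linux-PAM flag bits passed to pam_sm_chauthtok (security/_pam_types.h)
FLAGS = {0x8000: "PAM_SILENT", 0x4000: "PAM_PRELIM_CHECK",
         0x2000: "PAM_UPDATE_AUTHTOK", 0x0020: "PAM_CHANGE_EXPIRED_AUTHTOK"}

# Sample input: a subset of the journal lines from the post
JOURNAL = """\
Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x4000)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x2000)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\\myuser' denied access (incorrect password or invalid membership)
Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
"""

LINE = re.compile(r"\[(\d+)\]: (pam_\w+)\([^)]*\): (?:\[pamh: \w+\] )?(.*)")
ENTER = re.compile(r"ENTER: (\w+) \(flags: (0x[0-9a-fA-F]+)\)")
LEAVE = re.compile(r"LEAVE: (\w+) returning (\d+) \((\w+)\)")

def decode_flags(value):
    names = [n for bit, n in sorted(FLAGS.items(), reverse=True) if value & bit]
    return names or ["0"]

def phases(journal):
    """Return one record per ENTER/LEAVE pair, keyed by (pid, module)."""
    current, done = {}, []
    for line in journal.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m[1], m[2]), m[3]
        if (e := ENTER.match(msg)):
            current[key] = {"module": m[2], "call": e[1],
                            "flags": decode_flags(int(e[2], 16)), "notes": []}
        elif (l := LEAVE.match(msg)) and key in current:
            rec = current.pop(key)
            rec.update(code=int(l[2]), result=l[3])
            done.append(rec)
        elif key in current:
            current[key]["notes"].append(msg)  # debug lines inside the call
    return done

def first_failure(records):
    return next((r for r in records if r["code"] != 0), None)

if __name__ == "__main__":
    for r in phases(JOURNAL):
        print(r["module"], "|".join(r["flags"]), "->", r["result"], r["notes"][-1:])
```

On the posted log this shows the preliminary check returning PAM_SUCCESS and the update phase returning PAM_AUTH_ERR.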
