From: Zoolook on
Hello list,

I'll give a detailed explanation below. The quick question is:

How can I configure a workstation (running Linux) so it can change a
user's password on the PDC?

Details:

At work we are migrating from Windows to Linux and we decided to have
users' /home exported with NFS4 (no Kerberos yet). The user database is in
LDAP.

Some users have shared directories. Since NFS doesn't allow forcing
group permissions (or I've been unable to find a way), we export shared
resources via Samba.

The problem is, we also have a 180-day password policy. We have no
problems with LDAP, but we're unable to change the Samba password on
the PDC from the workstations.

The test workstation is configured like this:

smb.conf:

[global]
security = domain
workgroup = OURDOMAIN
password server = *
local master = no

(note: I tried password server = PDCNETBIOSNAME, but I get the same results)


/etc/pam.d/common-password:

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

password sufficient pam_winbind.so use_authtok nullok try_first_pass

password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

(note: the file was configured by Ubuntu's pam-auth-update; I added
the pam_winbind.so line)

Now, when I try passwd I get:

$ LC_ALL=C passwd
Enter login(LDAP) password:
passwd: Authentication token manipulation error
passwd: password unchanged

When I use smbpasswd:

$ LC_ALL=C smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE

But if I add -r:

$ LC_ALL=C smbpasswd -r PDCNETBIOSNAME
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user nbensa

Note that changing passwords from a Windows workstation works. Yes,
the Linux workstations were joined to the domain (net rpc join...).

I don't know if this is the best way to do this. Maybe there's a
better way using only LDAP. We're not considering deploying Kerberos
for now, but I think it would be a much better solution if we could
integrate our Kerberos database with LDAP.

Many thanks in advance for any suggestion,

Norberto
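As an added illustration (not part of the original post), the following small model of Linux-PAM control-field evaluation traces how the `success=N` jumps in the posted common-password stack resolve once an extra line sits between pam_ldap.so and pam_deny.so. The module results it feeds in (a user known only to LDAP, pam_deny.so always failing) are constructed assumptions, not output from the poster's system.

```python
# Added example: a compact model of Linux-PAM control-field semantics used to
# trace the posted stack. Module results are constructed, not captured output.
KEYWORDS = {  # the classic keywords, written as their [value=action] tables
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
POSTED_STACK = [  # exactly as posted: pam_winbind inserted before pam_deny
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 user_unknown=ignore default=die]", "pam_ldap.so"),
    ("sufficient", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("optional", "pam_gnome_keyring.so"),
]
# Same stack with each success=N raised by one so the jumps clear pam_winbind
ADJUSTED_STACK = [("[success=3 default=ignore]", "pam_unix.so"),
                  ("[success=2 user_unknown=ignore default=die]", "pam_ldap.so"),
                  *POSTED_STACK[2:]]
LDAP_USER = {"pam_unix.so": "user_unknown", "pam_deny.so": "perm_denied"}  # constructed

def parse_control(ctl):
    if ctl in KEYWORDS:
        return KEYWORDS[ctl]
    return dict(f.split("=") for f in ctl.strip("[]").split())

def run_stack(stack, results):
    """Return (verdict, modules consulted); action N acts like ok then skips N."""
    state, visited, i = None, [], 0
    while i < len(stack):
        ctl, module = stack[i]
        visited.append(module)
        res = results.get(module, "success")         # unlisted modules succeed
        actions = parse_control(ctl)
        action = actions.get(res, actions.get("default", "bad"))
        skip = int(action) if action.isdigit() else 0
        if action in ("bad", "die"):
            state = "fail"                            # a failure sticks
        elif action != "ignore" and state != "fail":
            state = "success" if res == "success" else "fail"
        if action == "die" or (action == "done" and state == "success"):
            break
        i += 1 + skip
    return (state or "fail"), visited

if __name__ == "__main__":
    for name, stack in ("posted", POSTED_STACK), ("adjusted", ADJUSTED_STACK):
        print(name, run_stack(stack, LDAP_USER))
```

In this trace the posted stack lands on pam_deny.so for both LDAP-only and local users, while the adjusted offsets let the stack succeed for an LDAP-only user without ever consulting pam_winbind.so.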
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba