[Bug 556285] [NEW] cannot change password of AD user when using pam_winbind
Justin Jon L. Jereza
justinjereza at gmail.com
Tue Apr 6 08:58:18 BST 2010
Public bug reported:
Binary package hint: samba
I've been doing these tests on Karmic using the Lucid winbind pam-
config.
When trying to change the user's password using the Lucid winbind pam-
config, I get the following:
$ passwd
passwd: Authentication token manipulation error
passwd: password unchanged
I've attached a patch for the winbind pam-config which at least
recognizes the username, but I still get the following error:
$ passwd
Changing password for EXAMPLE\user
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged
Some more details about the diff patch:
1. For the auth module, I've changed 'try_first_pass' to
'use_first_pass' so that it insists that the credentials used for
authentication are the ones initially entered by the user. Whether
that's a good thing or not, I have no idea. 'try_first_pass' might be a
better idea if there is a chance that the username exists in both
/etc/passwd and Active Directory but has different passwords.
2. I've changed the 'Password-Type' from 'Additional' to 'Primary'. With
the 'Additional' setting, any failure in pam_unix.so (e.g. user does not
exist in /etc/passwd) means that pam_deny.so is the next module so
pam_winbind.so is never executed. For both 'Password' and 'Password-
Initial', I've changed the control from 'requisite' to '[success=end
default=ignore]' so that it stacks properly with any other module that
may also be in use.
3. I've added pam_mkhomedir.so as an optional module in the session type
since it uses /etc/skel while the 'mkhomedir' argument for
pam_winbind.so does not. Again, whether this is a good thing or not, I
have no idea.
P.S. Apologies if the diff patch contains more than that which is
relevant to this issue.
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
--
cannot change password of AD user when using pam_winbind
https://bugs.launchpad.net/bugs/556285
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
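
Item 2 of the report turns on where pam_winbind.so sits relative to pam_deny.so in the generated password stack. The added example below (not part of the report or its attached patch) models one pass of such a stack. The stack layouts, jump counts and module return values are assumptions constructed for illustration, and it shows only which modules are reached, not the error the reporter still sees after patching.

```python
# Added illustration: simplified model of one pass through a Linux-PAM stack.
# Only the actions used below (ignore, ok, bad, die, numeric jump) are modelled.
KEYWORDS = {
    "required":  {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "optional":  {"success": "ok", "default": "ignore"},
}

def parse_control(ctl):
    # Accepts 'requisite' or the bracket form '[success=1 default=ignore]'.
    if ctl in KEYWORDS:
        return KEYWORDS[ctl]
    return dict(pair.split("=") for pair in ctl.strip("[]").split())

def run_stack(stack, results):
    """Return (verdict, modules_called) for a list of (control, module)."""
    ok = failed = False
    called, i = [], 0
    while i < len(stack):
        ctl, module = stack[i]
        called.append(module)
        actions = parse_control(ctl)
        action = actions.get(results[module], actions["default"])
        i += 1
        if action.isdigit():
            i += int(action)          # jump over N modules, no verdict recorded
        elif action in ("bad", "die"):
            failed = True
            if action == "die":       # a requisite failure ends the stack here
                break
        elif action == "ok":
            ok = True
    return ("success" if ok and not failed else "failure"), called

# Constructed return values for a user that exists only in Active Directory.
RESULTS = {"pam_unix.so": "user_unknown", "pam_winbind.so": "success",
           "pam_deny.so": "authtok_err", "pam_permit.so": "success"}
# Assumed layout with winbind as 'Additional': it lands after pam_deny.so.
ADDITIONAL = [("[success=1 default=ignore]", "pam_unix.so"),
              ("requisite", "pam_deny.so"),
              ("required", "pam_permit.so"),
              ("requisite", "pam_winbind.so")]
# Assumed layout with winbind as 'Primary': 'end' resolved to jump counts.
PRIMARY = [("[success=2 default=ignore]", "pam_unix.so"),
           ("[success=1 default=ignore]", "pam_winbind.so"),
           ("requisite", "pam_deny.so"),
           ("required", "pam_permit.so")]

print(run_stack(ADDITIONAL, RESULTS), run_stack(PRIMARY, RESULTS))
```

In the 'Additional' layout the walk stops at pam_deny.so before pam_winbind.so is ever called; in the 'Primary' layout pam_winbind.so is consulted and its success jumps past pam_deny.so.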