[Bug 556285] [NEW] cannot change password of AD user when using pam_winbind

Justin Jon L. Jereza justinjereza at gmail.com
Tue Apr 6 08:58:18 BST 2010


Public bug reported:

Binary package hint: samba

I've been doing these tests on Karmic using the Lucid winbind pam-
config.

When trying to change the user's password using the Lucid winbind pam-
config, I get the following:

$ passwd
passwd: Authentication token manipulation error
passwd: password unchanged

I've attached a patch for the winbind pam-config which at least
recognizes the username, but I still get the following error:

$ passwd
Changing password for EXAMPLE\user
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

Some more details about the diff patch:

1. For the auth module, I've changed 'try_first_pass' to
'use_first_pass' so that it insists that the credentials used for
authentication are the ones initially entered by the user. Whether
that's a good thing or not, I have no idea. 'try_first_pass' might be a
better idea if there is a chance that the username exists in both
/etc/passwd and active directory but have different passwords.

2. I've changed the 'Password-Type' from 'Additional' to 'Primary'. With
the 'Additional' setting, any failure in pam_unix.so (e.g. user does not
exist in /etc/passwd) means that pam_deny.so is the next module so
pam_winbind.so is never executed. For both 'Password' and 'Password-
Initial', I've changed the control from 'requisite' to '[success=end
default=ignore]' so that it stacks properly with any other module that
may also be in use.

3. I've added pam_mkhomedir.so as an optional module in the session type
since it uses /etc/skel while the 'mkhomedir' argument for
pam_winbind.so does not. Again, whether this is a good thing or not, I
have no idea.

P.S. Apologies if the diff patch contains more than that which is
relevant with this issue.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

-- 
cannot change password of AD user when using pam_winbind
https://bugs.launchpad.net/bugs/556285
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.



More information about the Ubuntu-server-bugs mailing list