Package: libpam-winbind Version: 2:4.5.6+dfsg-1 Severity: normal Domain-only users cannot change their password in the default configuration.
Ubuntu has a bug for this with a workaround, though the workaround has its own issues: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944 It appears there is a problem with having use_authtok in the winbind line for the password pam service. However, there are other issues in some configurations with removing that option. I've tried the workaround suggested there: removing use_authtok from the winbind entry in /etc/pam.d/common-password, and it worked for me -- my environment doesn't have the concerns with removing that item that may apply to others. -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-1-amd64 (SMP w/12 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libpam-winbind depends on: ii dpkg 1.18.23 ii libbsd0 0.8.3-1 ii libc6 2.24-9 ii libpam-runtime 1.1.8-3.5 ii libpam0g 1.1.8-3.5 ii libtalloc2 2.1.8-1 ii libwbclient0 2:4.5.6+dfsg-1 ii samba-common 2:4.5.6+dfsg-1 ii samba-libs 2:4.5.6+dfsg-1 ii winbind 2:4.5.6+dfsg-1 libpam-winbind recommends no packages. Versions of packages libpam-winbind suggests: ii libnss-winbind 2:4.5.6+dfsg-1 -- no debconf information
