[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
** Changed in: samba (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 570944] Re: passwd : gives "Authentication token manipulation error"
Ah, thank you, I missed that On Wed, Jan 9, 2019, 18:34 Mathieu Parent <570...@bugs.launchpad.net wrote: > It is. Closed by me: > > samba (2:4.9.1+dfsg-2) unstable; urgency=medium > [ Mathieu Parent ] > * Allow one to change password via passwd in default config > - third_party: Update pam_wrapper to version 1.0.7 > - third_party: Add pam_set_items.so from pam_wrapper > - nsswitch: Add try_authtok option to pam_winbind > - tests: Check pam_winbind pw change with different options > - Patch for previous 4 commits > - debian/winbind.pam-config: Use the new try_authtok option allowing > password change while preserving current behavior with password strength > modules (Closes: #858923, LP: #570944) > > -- > You received this bug notification because you are subscribed to samba > in Ubuntu. > https://bugs.launchpad.net/bugs/570944 > > Title: > passwd : gives "Authentication token manipulation error" > > Status in samba package in Ubuntu: > Triaged > > Bug description: > Binary package hint: samba > >`passwd` for ActiveDirectory account gives "Authentication token > manipulation error" > > I have latest and greatest of LucidLynx updates. > > winbind2:3.4.7~dfsg-1ubuntu3 > samba 2:3.4.7~dfsg-1ubuntu3 > > I have ActiveDirectory integration with Samba/Winbind. (not > Likewise-Open) > Logging into Console window or `ssh`-ing into machine works fine using > DOMAIN\first.last account names. > > Trying to change password with the `passwd` program: > > $ passwd > Changing password for DOMAIN\first.last > (current) NT password: > passwd: Authentication token manipulation error > passwd: password unchanged > $ > > In the /var/log/auth.log file I get this output in conjunction with > the above passwd attempt: > > pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does not exist in > /etc/passwd > passwd[16109]: pam_winbind(passwd:chauthtok): getting password > (0x002a) > > passwd[16109]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' > granted access > passwd[16109]: pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does > not exist in /etc/passwd > passwd[16109]: pam_winbind(passwd:chauthtok): getting password > (0x0012) > > I don't see anything particularly wrong with that output, other > than it seems to stop prematurely. > > This is my default-created /etc/pam.d/common-password file: > > password [success=2 default=ignore] pam_unix.so obscure sha512 > password [success=1 default=ignore] pam_winbind.so use_authtok > try_first_pass > password requisite pam_deny.so > password required pam_permit.so > password optional pam_gnome_keyring.so > > I've Googled for "Authentication token manipulation error", but most > cases involve local Linux accounts or other uninteresting problems. > > I don't think any entries in smb.conf have an effect on passwd, but > here's a snippet of entries with the word "pass" or "encrypt" in them: > > password server = machine.domain.com > encrypt passwords = true > passdb backend = tdbsam > unix password sync = yes > passwd program = /usr/bin/passwd %u > passwd chat = *Enter\snew\s*\spassword:* %n\n > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . > pam password change = yes > encrypt passwords = true > > > I can successfully change password, using `passwd` for a local Linux > account. > > $ passwd > Changing password for localAccount. > (current) UNIX password: > Enter new UNIX password: > Retype new UNIX password: > passwd: password updated successfully > $ > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions > > Launchpad-Notification-Type: bug > Launchpad-Bug: distribution=ubuntu; sourcepackage=samba; component=main; > status=Triaged; importance=Medium; assignee=None; > Launchpad-Bug-Information-Type: Public > Launchpad-Bug-Private: no > Launchpad-Bug-Security-Vulnerability: no > Launchpad-Bug-Commenters: ahasenack gasinvein guy-moore janitor > lorenzetto-luca math-parent nacc ttx urusha vorlon > Launchpad-Bug-Reporter: gmoore777 (guy-moore) > Launchpad-Bug-Modifier: Mathieu Parent (math-parent) > Launchpad-Message-Rationale: Subscriber (samba in Ubuntu) > Launchpad-Message-For: ahasenack > -- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 570944] Re: passwd : gives "Authentication token manipulation error"
Ah, thank you, I missed that On Wed, Jan 9, 2019, 18:34 Mathieu Parent <570...@bugs.launchpad.net wrote: > It is. Closed by me: > > samba (2:4.9.1+dfsg-2) unstable; urgency=medium > [ Mathieu Parent ] > * Allow one to change password via passwd in default config > - third_party: Update pam_wrapper to version 1.0.7 > - third_party: Add pam_set_items.so from pam_wrapper > - nsswitch: Add try_authtok option to pam_winbind > - tests: Check pam_winbind pw change with different options > - Patch for previous 4 commits > - debian/winbind.pam-config: Use the new try_authtok option allowing > password change while preserving current behavior with password strength > modules (Closes: #858923, LP: #570944) > > -- > You received this bug notification because you are subscribed to samba > in Ubuntu. > https://bugs.launchpad.net/bugs/570944 > > Title: > passwd : gives "Authentication token manipulation error" > > Status in samba package in Ubuntu: > Triaged > > Bug description: > Binary package hint: samba > >`passwd` for ActiveDirectory account gives "Authentication token > manipulation error" > > I have latest and greatest of LucidLynx updates. > > winbind2:3.4.7~dfsg-1ubuntu3 > samba 2:3.4.7~dfsg-1ubuntu3 > > I have ActiveDirectory integration with Samba/Winbind. (not > Likewise-Open) > Logging into Console window or `ssh`-ing into machine works fine using > DOMAIN\first.last account names. > > Trying to change password with the `passwd` program: > > $ passwd > Changing password for DOMAIN\first.last > (current) NT password: > passwd: Authentication token manipulation error > passwd: password unchanged > $ > > In the /var/log/auth.log file I get this output in conjunction with > the above passwd attempt: > > pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does not exist in > /etc/passwd > passwd[16109]: pam_winbind(passwd:chauthtok): getting password > (0x002a) > > passwd[16109]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' > granted access > passwd[16109]: pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does > not exist in /etc/passwd > passwd[16109]: pam_winbind(passwd:chauthtok): getting password > (0x0012) > > I don't see anything particularly wrong with that output, other > than it seems to stop prematurely. > > This is my default-created /etc/pam.d/common-password file: > > password [success=2 default=ignore] pam_unix.so obscure sha512 > password [success=1 default=ignore] pam_winbind.so use_authtok > try_first_pass > password requisite pam_deny.so > password required pam_permit.so > password optional pam_gnome_keyring.so > > I've Googled for "Authentication token manipulation error", but most > cases involve local Linux accounts or other uninteresting problems. > > I don't think any entries in smb.conf have an effect on passwd, but > here's a snippet of entries with the word "pass" or "encrypt" in them: > > password server = machine.domain.com > encrypt passwords = true > passdb backend = tdbsam > unix password sync = yes > passwd program = /usr/bin/passwd %u > passwd chat = *Enter\snew\s*\spassword:* %n\n > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . > pam password change = yes > encrypt passwords = true > > > I can successfully change password, using `passwd` for a local Linux > account. > > $ passwd > Changing password for localAccount. > (current) UNIX password: > Enter new UNIX password: > Retype new UNIX password: > passwd: password updated successfully > $ > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions > > Launchpad-Notification-Type: bug > Launchpad-Bug: distribution=ubuntu; sourcepackage=samba; component=main; > status=Triaged; importance=Medium; assignee=None; > Launchpad-Bug-Information-Type: Public > Launchpad-Bug-Private: no > Launchpad-Bug-Security-Vulnerability: no > Launchpad-Bug-Commenters: ahasenack gasinvein guy-moore janitor > lorenzetto-luca math-parent nacc ttx urusha vorlon > Launchpad-Bug-Reporter: gmoore777 (guy-moore) > Launchpad-Bug-Modifier: Mathieu Parent (math-parent) > Launchpad-Message-Rationale: Subscriber (samba in Ubuntu) > Launchpad-Message-For: ahasenack > -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
It is. Closed by me: samba (2:4.9.1+dfsg-2) unstable; urgency=medium [ Mathieu Parent ] * Allow one to change password via passwd in default config - third_party: Update pam_wrapper to version 1.0.7 - third_party: Add pam_set_items.so from pam_wrapper - nsswitch: Add try_authtok option to pam_winbind - tests: Check pam_winbind pw change with different options - Patch for previous 4 commits - debian/winbind.pam-config: Use the new try_authtok option allowing password change while preserving current behavior with password strength modules (Closes: #858923, LP: #570944) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
I don't know why that samba upload closed this bug: #570944 is nowhere in d/changelog. ** Changed in: samba (Ubuntu) Status: Fix Released => Triaged -- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
I don't know why that samba upload closed this bug: #570944 is nowhere in d/changelog. ** Changed in: samba (Ubuntu) Status: Fix Released => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
This bug was fixed in the package samba - 2:4.9.2+dfsg-2ubuntu2 --- samba (2:4.9.2+dfsg-2ubuntu2) disco; urgency=medium * d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests() failing without a valid idmap configuration. This fixes the smbd startup on a standalone server where winbind is available and running. Thanks to Stefan Metzmacher . (LP: #1806035) -- Andreas Hasenack Fri, 21 Dec 2018 10:39:23 -0200 ** Changed in: samba (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
Note the similar bug in libpam-ldap: https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/329067 (and https://bugs.debian.org/858923). I propose a new "try_authtok" option to solve this (I'm writing a patch for libpam-winbind). ** Bug watch added: Debian Bug tracker #858923 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858923 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
@gsainvein, thanks for your input, but as mentioned in c#15, this is not "easily fixable". The workaround mentioned in c#10 is possibly fine in some situations, but will break others. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives "Authentication token manipulation error"
6 years passed, and the bug introduced by maintainers, confirmed and easly fixable, is still present. Shame on you, Canonical. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives "Authentication token manipulation error" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
As suggested by gmoore777 removing use_authtok allowed me to go on with password changing -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I forgot to say i'm on precise with latest updates -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
As suggested by gmoore777 removing use_authtok allowed me to go on with password changing -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I forgot to say i'm on precise with latest updates -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Here is my solution: 1) copy winbind winbind-noauthtok unix-noauthtok files from attachments to /usr/share/pam-configs/ (with overwrite) 2) copy pam_winbind.conf from attachment to /etc/security/ 3) run pam-auth-update and check Unix authentication (no use_authtok) Winbind NT/Active Directory authentication (no use_authtok), also uncheck Unix authentication Winbind NT/Active Directory authentication 4) use it What it is: 1) new configs. 1. winbind - is the same as default winbind (you need to overwrite it) but: a) without krb5_*, cached_login options, I think these should be placed in special config file /etc/security/pam_winbind.conf - this is much more customizable way to configure pam_winbind without any involving of pam-auth-update. Also this solves bug about not getting krb ticket and ccache when changing expired password on login (pam_winbind passwd section should contain krb5_* options too, but it doesn't) b) increased Priority, it's to solve buggy changing expired password on login. Winbind should be before unix (like pam_krb5 does) 2. winbind-noauthtok, unix-noauthtok - is the same as winbind and unix, but without use_authtok option. These configs conflicts with winbind, unix and cracklib, so you can't install winbind-noauthtok with winbind or cracklib 2) see 1-1-a 3) just changing configs in /etc/pam.d/ the right way 4) this solution has the next advantages: 1. customizable - you may choose: use cracklib or not, pam-auth-update suggests different ways 2. solves some existing bugs: allows you to change unix, wb password via passwd command (or any other graphical tools); allows to change expired unix, wb password on login; gets krb ticket and ccache after wb expired password has been changed; maybe some others... To packages supporters: Why not to implement this in all pam modules packages (add unix, unix-noauthtok in libpam-runtime for example), while thinking about upgrading whole pam system? It would be really nice to add function of detecting if use use_authtok or not to pam-auth-update (just read configs of higher priority modules). Some offtopic (to pam-auth-update supporters): Even if I use pam_winbind.conf option mkhomedir = yes it doesn't copy skel directory to new user home. So I'm forced to use pam_mkhomedir. But if I create config for it in /usr/share/pam-configs, it adds lines about making home derictories to /etc/pam.d/common-session-noninteractive too, and this is really BAD behavior. So the right way is to implement Session-noninteractive: section in config files, I think. Thanks for attantion. ** Attachment added: winbind https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391119/+files/winbind -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: winbind-noauthtok https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391120/+files/winbind-noauthtok -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: unix-noauthtok https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391121/+files/unix-noauthtok -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: pam_winbind.conf https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391122/+files/pam_winbind.conf -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Oh, about offtopic - forget about it. Now I see - there is Session- Interactive-Only: yes option. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Here is my solution: 1) copy winbind winbind-noauthtok unix-noauthtok files from attachments to /usr/share/pam-configs/ (with overwrite) 2) copy pam_winbind.conf from attachment to /etc/security/ 3) run pam-auth-update and check Unix authentication (no use_authtok) Winbind NT/Active Directory authentication (no use_authtok), also uncheck Unix authentication Winbind NT/Active Directory authentication 4) use it What it is: 1) new configs. 1. winbind - is the same as default winbind (you need to overwrite it) but: a) without krb5_*, cached_login options, I think these should be placed in special config file /etc/security/pam_winbind.conf - this is much more customizable way to configure pam_winbind without any involving of pam-auth-update. Also this solves bug about not getting krb ticket and ccache when changing expired password on login (pam_winbind passwd section should contain krb5_* options too, but it doesn't) b) increased Priority, it's to solve buggy changing expired password on login. Winbind should be before unix (like pam_krb5 does) 2. winbind-noauthtok, unix-noauthtok - is the same as winbind and unix, but without use_authtok option. These configs conflicts with winbind, unix and cracklib, so you can't install winbind-noauthtok with winbind or cracklib 2) see 1-1-a 3) just changing configs in /etc/pam.d/ the right way 4) this solution has the next advantages: 1. customizable - you may choose: use cracklib or not, pam-auth-update suggests different ways 2. solves some existing bugs: allows you to change unix, wb password via passwd command (or any other graphical tools); allows to change expired unix, wb password on login; gets krb ticket and ccache after wb expired password has been changed; maybe some others... To packages supporters: Why not to implement this in all pam modules packages (add unix, unix-noauthtok in libpam-runtime for example), while thinking about upgrading whole pam system? It would be really nice to add function of detecting if use use_authtok or not to pam-auth-update (just read configs of higher priority modules). Some offtopic (to pam-auth-update supporters): Even if I use pam_winbind.conf option mkhomedir = yes it doesn't copy skel directory to new user home. So I'm forced to use pam_mkhomedir. But if I create config for it in /usr/share/pam-configs, it adds lines about making home derictories to /etc/pam.d/common-session-noninteractive too, and this is really BAD behavior. So the right way is to implement Session-noninteractive: section in config files, I think. Thanks for attantion. ** Attachment added: winbind https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391119/+files/winbind -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: winbind-noauthtok https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391120/+files/winbind-noauthtok -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: unix-noauthtok https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391121/+files/unix-noauthtok -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Attachment added: pam_winbind.conf https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391122/+files/pam_winbind.conf -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Oh, about offtopic - forget about it. Now I see - there is Session- Interactive-Only: yes option. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/570944 Title: passwd : gives Authentication token manipulation error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Right. We clearly don't want to introduce new failures when we fix a specific combination :) In the mean time, users affected by this issue can workaround it by following comment 10. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Right. We clearly don't want to introduce new failures when we fix a specific combination :) In the mean time, users affected by this issue can workaround it by following comment 10. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I'd like a second pair of PAM eyes before making that change. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
This is a tricky one. Dropping use_authtok does solve the problem of pam_unix not prompting for the password, but it also changes the behavior in the case that you have a password strength checking module stacked first, such as pam_cracklib. If pam_cracklib is configured, we don't want pam_winbind to prompt for a different password after we've gone to all the trouble of checking the strength of the first one entered! This problem affects other combinations of stacked modules as well (e.g., pam_krb5+pam_unix), and needs to be solved generally. Currently the best solution I can offer is for PAM modules to always prompt for passwords even when they don't need them, in order to ensure correct usage of use_authtok. Alternatively, we could fix modules that accept use_authtok to recognize the lack of a password token as valid and prompt for it after all, or we could introduce a new common module option with use_authtok_if_available semantics. In any event, we don't want to lose the current behavior that modules *must* use the existing password if provided rather than prompting separately, and any solution we implement needs to be done systemically; so please don't change the winbind pam profile without us first having a larger conversation about how to make this work. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I'd like a second pair of PAM eyes before making that change. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
This is a tricky one. Dropping use_authtok does solve the problem of pam_unix not prompting for the password, but it also changes the behavior in the case that you have a password strength checking module stacked first, such as pam_cracklib. If pam_cracklib is configured, we don't want pam_winbind to prompt for a different password after we've gone to all the trouble of checking the strength of the first one entered! This problem affects other combinations of stacked modules as well (e.g., pam_krb5+pam_unix), and needs to be solved generally. Currently the best solution I can offer is for PAM modules to always prompt for passwords even when they don't need them, in order to ensure correct usage of use_authtok. Alternatively, we could fix modules that accept use_authtok to recognize the lack of a password token as valid and prompt for it after all, or we could introduce a new common module option with use_authtok_if_available semantics. In any event, we don't want to lose the current behavior that modules *must* use the existing password if provided rather than prompting separately, and any solution we implement needs to be done systemically; so please don't change the winbind pam profile without us first having a larger conversation about how to make this work. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
OK, I misread use_authtok. It will *not* prompt for a new password if none has been set by the previous module in stack. Since pam_unix doesn't prompt for a new password (due to user DOMAIN\first.last does not exist in /etc/passwd), pam_winbind has nothing to use and fails. Looks like we should just drop use_authtok here. ** Changed in: samba (Ubuntu) Status: Confirmed = Triaged -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
OK, I misread use_authtok. It will *not* prompt for a new password if none has been set by the previous module in stack. Since pam_unix doesn't prompt for a new password (due to user DOMAIN\first.last does not exist in /etc/passwd), pam_winbind has nothing to use and fails. Looks like we should just drop use_authtok here. ** Changed in: samba (Ubuntu) Status: Confirmed = Triaged -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I have interleaved the information, removed the timestamps and substituted DOMAIN\first.last for the actual: $ passwd Changing password for DOMAIN\first.last passwd[30381]: pam_unix(passwd:chauthtok): user DOMAIN\first.last does not exist in /etc/passwd passwd[30381]: pam_winbind(passwd:chauthtok): getting password (0x0028) (current) NT password: passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' granted access passwd[30381]: pam_unix(passwd:chauthtok): user DOMAIN\first.last does not exist in /etc/passwd passwd[30381]: pam_winbind(passwd:chauthtok): getting password (0x) Enter new NT password: Retype new NT password: passwd: password updated successfully passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' OK passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' password changed passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' granted access gnome-keyring-daemon[30390]: gp11_module_get_slots: assertion `data-funcs' failed gnome-keyring-daemon[30390]: lookup_login_session: assertion `slot' failed gnome-keyring-daemon[30390]: lookup_login_keyring: assertion `GP11_IS_SESSION (session)' failed gnome-keyring-daemon[30390]: create_credential: assertion `GP11_IS_SESSION (session)' failed gnome-keyring-daemon[30390]: egg_error_message: assertion `error' failed gnome-keyring-daemon[30390]: couldn't create new login credential: (unknown) passwd[30381]: gkr-pam: couldn't change password for the login keyring: the passwords didn't match. $ and the password has changed via a test of `ssh`-ing into any Linux machine. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
I have interleaved the information, removed the timestamps and substituted DOMAIN\first.last for the actual: $ passwd Changing password for DOMAIN\first.last passwd[30381]: pam_unix(passwd:chauthtok): user DOMAIN\first.last does not exist in /etc/passwd passwd[30381]: pam_winbind(passwd:chauthtok): getting password (0x0028) (current) NT password: passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' granted access passwd[30381]: pam_unix(passwd:chauthtok): user DOMAIN\first.last does not exist in /etc/passwd passwd[30381]: pam_winbind(passwd:chauthtok): getting password (0x) Enter new NT password: Retype new NT password: passwd: password updated successfully passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' OK passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' password changed passwd[30381]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' granted access gnome-keyring-daemon[30390]: gp11_module_get_slots: assertion `data-funcs' failed gnome-keyring-daemon[30390]: lookup_login_session: assertion `slot' failed gnome-keyring-daemon[30390]: lookup_login_keyring: assertion `GP11_IS_SESSION (session)' failed gnome-keyring-daemon[30390]: create_credential: assertion `GP11_IS_SESSION (session)' failed gnome-keyring-daemon[30390]: egg_error_message: assertion `error' failed gnome-keyring-daemon[30390]: couldn't create new login credential: (unknown) passwd[30381]: gkr-pam: couldn't change password for the login keyring: the passwords didn't match. $ and the password has changed via a test of `ssh`-ing into any Linux machine. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Interesting. Short explanation of the parameters: the pam passwd stack asks for two passwords, one to authenticate and one as the new password. try_first_pass makes pam_winbind try to use the authentication password provided to the previous module (pam_unix). If it fails, it will prompt for a new authentication password. use_authtok makes pam_winbind use the new password as set by the previous module. If there is none, it will prompt for a new password to use. Looks like the latter is failing: you don't get prompted for a new password ever if use_authtok is present. Could you post the output and logs you get when changing winbind password and using password [success=1 default=ignore] pam_winbind.so try_first_pass ? I'll try to compare it with the output and logs you posted in Description. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
FYI: I can get `passwd` to work if I change one line in common-password From the winbind default-configured line of: password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass To: password [success=1 default=ignore] pam_winbind.so try_first_pass So looks like just the use_authtok parameter is misbehaving. (not sure what that really means or with whom the problem lies) -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
FYI: I can get `passwd` to work if I change one line in common-password From the winbind default-configured line of: password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass To: password [success=1 default=ignore] pam_winbind.so try_first_pass So looks like just the use_authtok parameter is misbehaving. (not sure what that really means or with whom the problem lies) -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
FYI: I can get `passwd` to work if I change the line in common-password From: password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass To: password sufficient pam_winbind.so I'm not sure if I'm creating other problems with the above edit, since I'm not PAM savvy. I have to wait one day to change my password again, but I will try a more minimal change of: password [success=1 default=ignore] pam_winbind.so try_first_pass Meaning, I will just remove the use_authtok to see if that is the problem. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
FYI: I can get `passwd` to work if I change the line in common-password From: password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass To: password sufficient pam_winbind.so I'm not sure if I'm creating other problems with the above edit, since I'm not PAM savvy. I have to wait one day to change my password again, but I will try a more minimal change of: password [success=1 default=ignore] pam_winbind.so try_first_pass Meaning, I will just remove the use_authtok to see if that is the problem. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Changed in: samba (Ubuntu) Status: Incomplete = Confirmed -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
** Changed in: samba (Ubuntu) Status: Incomplete = Confirmed -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Is this what you need? $ cd /etc/pam.d $ cat common-auth common-session-noninteractive common-session common-password common-account | grep -v ^# auth[success=2 default=ignore] pam_unix.so nullok_secure auth[success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass authrequisite pam_deny.so authrequiredpam_permit.so session [default=1] pam_permit.so session requisite pam_deny.so session requiredpam_permit.so session requiredpam_unix.so session optionalpam_winbind.so session [default=1] pam_permit.so session requisite pam_deny.so session requiredpam_permit.so sessionrequiredpam_mkhomedir.so skel=/etc/skel/ umask=0027 session requiredpam_unix.so session optionalpam_winbind.so session optionalpam_ck_connector.so nox11 password[success=2 default=ignore] pam_unix.so obscure sha512 password[success=1 default=ignore] pam_winbind.so use_authtok try_first_pass passwordrequisite pam_deny.so passwordrequiredpam_permit.so passwordoptionalpam_gnome_keyring.so account [success=2 new_authtok_reqd=done default=ignore]pam_unix.so account [success=1 new_authtok_reqd=done default=ignore]pam_winbind.so account requisite pam_deny.so account requiredpam_permit.so Here is the smb.conf, with comments removed and substituted in shortDOMAINname, MACHINEX, DOMAIN where appropriate. [global] workgroup = shortDOMAINname security = ADS password server = MACHINE1.DOMAIN.com, MACHINE2.DOMAIN.com realm = DOMAIN.COM server string = %h server (Samba, Ubuntu) dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user idmap backend = idmap_rid:DOMAIN=50-99 idmap uid = 50-99 idmap gid = 50-99 allow trusted domains = no winbind offline logon = true template shell = /bin/bash template homedir = /home/%D/%U winbind normalize names = yes winbind use default domain = yes usershare allow guests = yes -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Is this what you need? $ cd /etc/pam.d $ cat common-auth common-session-noninteractive common-session common-password common-account | grep -v ^# auth[success=2 default=ignore] pam_unix.so nullok_secure auth[success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass authrequisite pam_deny.so authrequiredpam_permit.so session [default=1] pam_permit.so session requisite pam_deny.so session requiredpam_permit.so session requiredpam_unix.so session optionalpam_winbind.so session [default=1] pam_permit.so session requisite pam_deny.so session requiredpam_permit.so sessionrequiredpam_mkhomedir.so skel=/etc/skel/ umask=0027 session requiredpam_unix.so session optionalpam_winbind.so session optionalpam_ck_connector.so nox11 password[success=2 default=ignore] pam_unix.so obscure sha512 password[success=1 default=ignore] pam_winbind.so use_authtok try_first_pass passwordrequisite pam_deny.so passwordrequiredpam_permit.so passwordoptionalpam_gnome_keyring.so account [success=2 new_authtok_reqd=done default=ignore]pam_unix.so account [success=1 new_authtok_reqd=done default=ignore]pam_winbind.so account requisite pam_deny.so account requiredpam_permit.so Here is the smb.conf, with comments removed and substituted in shortDOMAINname, MACHINEX, DOMAIN where appropriate. [global] workgroup = shortDOMAINname security = ADS password server = MACHINE1.DOMAIN.com, MACHINE2.DOMAIN.com realm = DOMAIN.COM server string = %h server (Samba, Ubuntu) dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user idmap backend = idmap_rid:DOMAIN=50-99 idmap uid = 50-99 idmap gid = 50-99 allow trusted domains = no winbind offline logon = true template shell = /bin/bash template homedir = /home/%D/%U winbind normalize names = yes winbind use default domain = yes usershare allow guests = yes -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Note that likewise 5.x doesn't add another layer on top of samba/winbind, it's a complete reimplementation. It's also simpler to set up, and since in your case something must be wrong with the winbind setup, it might help you... Could you attach your winbind configuration ? -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Note that likewise 5.x doesn't add another layer on top of samba/winbind, it's a complete reimplementation. It's also simpler to set up, and since in your case something must be wrong with the winbind setup, it might help you... Could you attach your winbind configuration ? -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
i am not using likewise-open on Lucid cause likewise-open no longer supports setting up Samba shares with ActiveDirectory integration. Meaning from a Windows machine, I cannot access \\linuxmachinename\sharename and this is important to our Windows/Linux workplace. (And I no longer see the advantage or point to using likewise-open. It only adds another mysterious layer to the whole samba/winbind realm.) -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
i am not using likewise-open on Lucid cause likewise-open no longer supports setting up Samba shares with ActiveDirectory integration. Meaning from a Windows machine, I cannot access \\linuxmachinename\sharename and this is important to our Windows/Linux workplace. (And I no longer see the advantage or point to using likewise-open. It only adds another mysterious layer to the whole samba/winbind realm.) -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Probably an issue with the winbind configuration... Any reason why you're not using likewise-open in lucid as well ? -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Probably an issue with the winbind configuration... Any reason why you're not using likewise-open in lucid as well ? -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Correct, `passwd` works with likewise-open on hardy, and fails with winbind on lucid. I do not know what the outcome of `passwd` is on hardy without likewise-open, nor the outcome of `passwd` on lucid with likewise-open. I will ask this on the Lucid forum at http://ubuntuforums.org/showthread.php?t=1459309 -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
So it works with likewise-open on Hardy, and fails with winbind on lucid ? Or did you also successfully use winbind on hardy ? -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Correct, `passwd` works with likewise-open on hardy, and fails with winbind on lucid. I do not know what the outcome of `passwd` is on hardy without likewise-open, nor the outcome of `passwd` on lucid with likewise-open. I will ask this on the Lucid forum at http://ubuntuforums.org/showthread.php?t=1459309 -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Thanks for your input. Did it ever work on previous releases ? ** Changed in: samba (Ubuntu) Importance: Undecided = Medium ** Changed in: samba (Ubuntu) Status: New = Incomplete -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Yes it works on HardyHeron. I used likewise-open to faciitate the ActiveDirectory integration on HardyHeron, rather than just the native samba/winbind integration on LucidLynx. But that may have nothing to do with it, but is worthy of mentioning. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Thanks for your input. Did it ever work on previous releases ? ** Changed in: samba (Ubuntu) Importance: Undecided = Medium ** Changed in: samba (Ubuntu) Status: New = Incomplete -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 570944] Re: passwd : gives Authentication token manipulation error
Yes it works on HardyHeron. I used likewise-open to faciitate the ActiveDirectory integration on HardyHeron, rather than just the native samba/winbind integration on LucidLynx. But that may have nothing to do with it, but is worthy of mentioning. -- passwd : gives Authentication token manipulation error https://bugs.launchpad.net/bugs/570944 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs