cannot change password of AD user when using pam_winbind
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: samba
I've been doing these tests on Karmic using the Lucid winbind pam-config.
When trying to change the user's password using the Lucid winbind pam-config, I get the following:
$ passwd
passwd: Authentication token manipulation error
passwd: password unchanged
I've attached a patch for the winbind pam-config which at least recognizes the username, but I still get the following error:
$ passwd
Changing password for EXAMPLE\user
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged
Some more details about the diff patch:
1. For the auth module, I've changed 'try_first_pass' to 'use_first_pass' so that it insists that the credentials used for authentication are the ones initially entered by the user. Whether that's a good thing or not, I have no idea. 'try_first_pass' might be a better idea if there is a chance that the username exists in both /etc/passwd and Active Directory but has different passwords.
2. I've changed the 'Password-Type' from 'Additional' to 'Primary'. With the 'Additional' setting, any failure in pam_unix.so (e.g. user does not exist in /etc/passwd) means that pam_deny.so is the next module so pam_winbind.so is never executed. For both 'Password' and 'Password-Initial', I've changed the control from 'requisite' to '[success=end default=ignore]' so that it stacks properly with any other module that may also be in use.
3. I've added pam_mkhomedir.so as an optional module in the session type since it uses /etc/skel while the 'mkhomedir' argument for pam_winbind.so does not. Again, whether this is a good thing or not, I have no idea.
P.S. Apologies if the diff patch contains more than that which is relevant to this issue.
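
The stacking behaviour described in point 2, as an added example that is not part of the original report or of the attached patch: a simplified single-pass model of PAM control evaluation showing why pam_winbind.so is never reached when it is placed after pam_deny.so. The stack layouts and module outcomes are constructed assumptions (an AD-only user, so pam_unix.so fails and pam_winbind.so would succeed); the model does not reproduce the error the reporter still saw after patching.

```python
# Simplified model of Linux-PAM stack evaluation (one pass, three control forms).
# Stack layouts and outcomes are constructed for illustration, not taken from
# the Lucid winbind profile.

def run_stack(stack, outcomes):
    """Return (granted, executed) for a list of (module, control) entries.

    outcomes maps module name -> True (success) or False (any failure).
    """
    status = None                      # None = no verdict yet
    executed = []
    i = 0
    while i < len(stack):
        module, control = stack[i]
        ok = outcomes[module]
        executed.append(module)
        i += 1
        if control == "requisite":
            if not ok:
                return False, executed  # fail and stop immediately
            if status is None:
                status = True
        elif control == "required":
            if not ok:
                status = False          # remember the failure, keep going
            elif status is None:
                status = True
        elif control.startswith("[success="):
            # [success=N default=ignore]: skip N modules on success,
            # ignore every other result.
            if ok:
                i += int(control[len("[success="):].split()[0])
        else:
            raise ValueError(f"unsupported control: {control}")
    return status is True, executed

# Assumed layout with winbind as an 'Additional' module: it lands after pam_deny.so.
ADDITIONAL = [("pam_unix.so", "[success=1 default=ignore]"),
              ("pam_deny.so", "requisite"),
              ("pam_permit.so", "required"),
              ("pam_winbind.so", "requisite")]
# Assumed layout with winbind as a 'Primary' module using a success jump.
PRIMARY = [("pam_unix.so", "[success=2 default=ignore]"),
           ("pam_winbind.so", "[success=1 default=ignore]"),
           ("pam_deny.so", "requisite"),
           ("pam_permit.so", "required")]
# Constructed outcomes for a user that exists only in Active Directory.
AD_ONLY_USER = {"pam_unix.so": False, "pam_winbind.so": True,
                "pam_deny.so": False, "pam_permit.so": True}
```
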