SUSE Support

Here When You Need Us

How To Change An Active Directory User's Password From Linux via Winbind

This document (7014733) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15

Situation

Once a Samba server has joined an Active Directory domain, how does one go about changing the password of an Active Directory user from the command line on Linux?

Resolution

Assuming all was set up correctly (with samba, winbind, pam, and the /etc/nsswitch.conf), changing the password is as simple as follows.  Files from a working setup have been provided below under the Additional Information section:
 
passwd DOMAIN\\username
(current) NT password:  <enter old secret here>
Enter new NT password: <enter new secret here>
Retype new NT password: <re-enter new secret here>
 
If successful the regular command prompt will appear.  If a failure occurs, various messages may be encountered, likely to be completed with the following:
passwd: User not known to the underlying authentication module.
 
The previous error is being returned by pam.  Address any messages/errors above the passwd error above, and attempt to change the password again.
 
If an access denied error is encountered, be sure that the user account in Active Directory does not have a lock on it, or a setting preventing the password from being changed.
 
Note for SLES 12 and later:
In the /etc/samba/smb.conf add the following parameter to the "[global]" section of the file:

    pam password change = yes
 

Additional Information

Below is a set of example files from a working configuration (samba joined to an Active Directory domain):
 
smb.conf:
 
[global]
        workgroup = PAUL
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = PAUL.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
 
krb5.conf:
 
[libdefaults]
        default_realm = PAUL.LOCAL
        clockskew = 300
#       default_realm = EXAMPLE.COM
[realms]
        PAUL.LOCAL = {
                kdc = 192.168.2.65
                default_domain = paul.local
                admin_server = 192.168.2.65
        }
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .paul.local = PAUL.LOCAL
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }
 
 
 
/etc/nsswitch.conf
 
passwd: compat winbind
group:  compat winbind
hosts:  files dns
networks:       files dns
services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
 
/etc/pam.d/<filename>
 
common-account
account requisite pam_unix2.so 
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass 

common-account-pc
account requisite pam_unix2.so 
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass 

common-auth
auth required pam_env.so 
auth sufficient pam_unix2.so 
auth required pam_winbind.so use_first_pass 

common-auth-pc
auth required pam_env.so 
auth sufficient pam_unix2.so 
auth required pam_winbind.so use_first_pass 

common-password
password sufficient pam_winbind.so 
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-password-pc
password sufficient pam_winbind.so 
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-session
session required pam_limits.so 
session required pam_unix2.so 
session required pam_winbind.so 
session optional pam_umask.so 

common-session-pc
session required pam_limits.so 
session required pam_unix2.so 
session required pam_winbind.so 
session optional pam_umask.so 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014733
  • Creation Date: 12-Mar-2014
  • Modified Date:09-Sep-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.