How To Change An Active Directory User's Password From Linux via Winbind
This document (7014733) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Situation
Once a Samba server has joined an Active Directory domain, how does one go about changing the password of an Active Directory user from the command line on Linux?
Resolution
Assuming all was set up correctly (with samba, winbind, pam, and the /etc/nsswitch.conf), changing the password is as simple as follows. Files from a working setup have been provided below under the Additional Information section:
passwd DOMAIN\\username
(current) NT password: <enter old secret here>
Enter new NT password: <enter new secret here>
Retype new NT password: <re-enter new secret here>
If successful the regular command prompt will appear. If a failure occurs, various messages may be encountered, likely to be completed with the following:
passwd: User not known to the underlying authentication module.
The previous error is being returned by pam. Address any messages/errors above the passwd error above, and attempt to change the password again.
If an access denied error is encountered, be sure that the user account in Active Directory does not have a lock on it, or a setting preventing the password from being changed.
Note for SLES 12 and later:
In the /etc/samba/smb.conf add the following parameter to the "[global]" section of the file:
In the /etc/samba/smb.conf add the following parameter to the "[global]" section of the file:
pam password change = yes
Additional Information
Below is a set of example files from a working configuration (samba joined to an Active Directory domain):
smb.conf:
[global]
workgroup = PAUL
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = PAUL.LOCAL
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
workgroup = PAUL
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = PAUL.LOCAL
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
krb5.conf:
[libdefaults]
default_realm = PAUL.LOCAL
clockskew = 300
# default_realm = EXAMPLE.COM
default_realm = PAUL.LOCAL
clockskew = 300
# default_realm = EXAMPLE.COM
[realms]
PAUL.LOCAL = {
kdc = 192.168.2.65
default_domain = paul.local
admin_server = 192.168.2.65
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
PAUL.LOCAL = {
kdc = 192.168.2.65
default_domain = paul.local
admin_server = 192.168.2.65
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.paul.local = PAUL.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.paul.local = PAUL.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
group: compat winbind
hosts: files dns
networks: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
automount: files nis
aliases: files
/etc/pam.d/<filename>
common-account
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
common-account-pc
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
common-auth-pc
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
common-password
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok
common-password-pc
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok
common-session
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so
common-session-pc
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7014733
- Creation Date: 12-Mar-2014
- Modified Date:09-Sep-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
