Hi Masao, I have essentially the same setup as you (ltsp, AD, Winbind). My users are able to change their passwords with the 'passwd' command.
Here are the contents of the /etc/pam.d/common-password file:

password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5

Hth,
John

On Wed, Jan 20, 2010 at 11:22 AM, Masao Garcia <mas...@fshac.com> wrote:
> Has anyone gotten Active Directory user passwords changed from a Linux
> (Ubuntu 8.04) client? I used
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto as a guide, so
> I'm using Kerberos and Winbind (all apt-get). Samba version is 3.0.28a with
> a Windows Server 2008 R2 DC, but running AD 2003 native. The client box is
> an LTSP box, and I'm able to ssh in with AD accounts. However, when I type
> passwd I get the error message "passwd: Authentication token manipulation
> error". In the auth.log file I get "pam_unix(passwd:chauthtok): user
> "kmasters" does not exist in /etc/passwd". Is it possible my Samba version
> is too old?
>
> common-auth:
> auth sufficient pam_krb5.so
> auth required pam_unix.so nullok_secure use_first_pass
>
> common-account:
> account sufficient pam_winbind.so
> account required pam_unix.so
>
> common-session:
> session required pam_mkhomedir.so umask=0022 skel=/etc/skel
>
> common-password:
> password sufficient pam_unix.so nullok md5 shadow
> password sufficient pam_ldap.so use_first_pass
> password required pam_deny.so
>
> smb.conf:
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> server string = %h server (Samba, Ubuntu)
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = dc1.mydomain.com
> passdb backend = tdbsam
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> domain master = No
> dns proxy = No
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> invalid users = root
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
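
The two common-password stacks in this thread, run through a simplified single-pass model of PAM's required/requisite/sufficient control flags. This is an added illustration, not code from either poster. It assumes that for a domain-only account only pam_winbind.so can succeed (pam_unix.so has no /etc/passwd entry, as the auth.log line shows; pam_ldap.so is assumed to have no usable backend), and the function names are hypothetical.

```python
# Added example: simplified single-pass model of a PAM "password" stack.
# Stacks are copied from the two messages in this thread.
MASAO_STACK = """\
password sufficient pam_unix.so nullok md5 shadow
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
"""
JOHN_STACK = """\
password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5
"""

# Assumption: for a domain-only account, pam_winbind.so is the only module
# that can change the password (pam_unix has no /etc/passwd entry for the
# user, pam_ldap has no usable backend, pam_deny always fails).
AD_USER_OK = {"pam_winbind.so"}


def parse_stack(text, mgmt="password"):
    """Return [(control, module, args)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def evaluate(entries, succeeds=AD_USER_OK):
    """Apply required/requisite/sufficient semantics; other flags are skipped."""
    required_failed = required_ok = False
    trace = []
    for control, module, _args in entries:
        ok = module in succeeds
        trace.append((module, control, "ok" if ok else "fail"))
        if control == "sufficient" and ok and not required_failed:
            return True, trace          # stack stops here with success
        if control == "requisite" and not ok:
            return False, trace         # stack stops here with failure
        if control in ("required", "requisite"):
            required_ok = required_ok or ok
            required_failed = required_failed or not ok
    return required_ok and not required_failed, trace


if __name__ == "__main__":
    for name, stack in (("Masao", MASAO_STACK), ("John", JOHN_STACK)):
        result, trace = evaluate(parse_stack(stack))
        print(name, "PASS" if result else "FAIL", trace)
```

Passing `succeeds={"pam_unix.so"}` models a local account instead, which shows that the stack with pam_winbind.so first still lets local users change their passwords.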