[Samba] passwd: Authentication token manipulation error
hi there, I've got my RHEL4 Mail server authenticating against Active directory using winbind. When I login and try and reset my password using the 'passwd' command I get this error message. passwd: Authentication token manipulation error Is there something i'm meant to do before I can change my ADS password on a unix machine using winbind? Can I? here is my smb.conf file workgroup = myodmain security = ads realm = MYDOMAIN.COM encrypt passwords = yes username map = /etc/samba/smbusers winbind uid = 1-2 winbind gid = 1-2 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%u template shell = /bin/bash -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] passwd: Authentication token manipulation error
hi there, I've got my RHEL4 Mail server authenticating against Active directory using winbind. When I login and try and reset my password using the 'passwd' command I get this error message. passwd: Authentication token manipulation error Is there something i'm meant to do before I can change my ADS password on a unix machine using winbind? Can I? here is my smb.conf file workgroup = myodmain security = ads realm = MYDOMAIN.COM encrypt passwords = yes username map = /etc/samba/smbusers winbind uid = 1-2 winbind gid = 1-2 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%u template shell = /bin/bash -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
On Mon, 3 Feb 2003, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Sun, 2 Feb 2003, John H Terpstra wrote: > > > On Sun, 2 Feb 2003, Thorsten D. Marsen wrote: > > > > > Hi John, > > > > > > > The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. > > > > It does NOT use PAM at all. > > > > > > > > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. > > > > Whatever you configure PAM to do it will follow. > > > > > > > > Firstly, pam_smbpass.so does NOT do unix system password changing! It can > > > > be added to your PAM configuration to update the /etc/samba/smbpasswd > > > > file. > > > > > > In the case LDAP is configured, smbpasswd will change the lm/ntPassword > > > Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know if > > > pam_smbpass.so also regognizes this configuration? > > > > No. pam_smbpass.so is a PAM module that directly acts on the > > /etc/samba/smbpasswd file. > > No John. Thorsten is right. If compiled with --with-ldapsam, > pam_smbpass.so will change the lm/nt password atribute in an LDAP > directory. The reason is that pam_smbpass uses the pdb interface for > updating account information. Gerry, Thanks for clearing that up. I should have checked the code more carefully. - John T. -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, 2 Feb 2003, John H Terpstra wrote: > On Sun, 2 Feb 2003, Thorsten D. Marsen wrote: > > > Hi John, > > > > > The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. > > > It does NOT use PAM at all. > > > > > > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. > > > Whatever you configure PAM to do it will follow. > > > > > > Firstly, pam_smbpass.so does NOT do unix system password changing! It can > > > be added to your PAM configuration to update the /etc/samba/smbpasswd > > > file. > > > > In the case LDAP is configured, smbpasswd will change the lm/ntPassword > > Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know if > > pam_smbpass.so also regognizes this configuration? > > No. pam_smbpass.so is a PAM module that directly acts on the > /etc/samba/smbpasswd file. No John. Thorsten is right. If compiled with --with-ldapsam, pam_smbpass.so will change the lm/nt password atribute in an LDAP directory. The reason is that pam_smbpass uses the pdb interface for updating account information. cheers, jerry -- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc "You can never go home again, Oatman, but I guess you can shop there." --John Cusack - "Grosse Point Blank" (1997) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.0 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE+Pr+wIR7qMdg1EfYRAkoBAJ9GP2lsT6ibiNOyO4zz30ptJ74B9wCglHf9 aDnBlokdcRurjMAXciFrAbo= =8zwK -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
Hi John, Thanks for the help... will try out the "audit migrate" option and see what I get Regards, Keith "The linuX Files -- The Source is Out There." - Original Message - From: "John H Terpstra" <[EMAIL PROTECTED]> To: "Keith Fernandez" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Sunday, February 02, 2003 5:30 AM Subject: Re: [Samba] passwd: Authentication token manipulation error > On Sun, 2 Feb 2003, Keith Fernandez wrote: > > Whoa Keith! Nowhere in your first email did you explain that you had > already changed your Linux PAM configuration _AND_ are trying to use > pam_smbpass.so. > > The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. > It does NOT use PAM at all. > > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. > Whatever you configure PAM to do it will follow. > > Firstly, pam_smbpass.so does NOT do unix system password changing! It can > be added to your PAM configuration to update the /etc/samba/smbpasswd > file. If you want to update both /etc/passwd (/etc/shadow) entries as well > as /etc/samba/smbpasswd then the following recommendation is included in > the source code by the author: > > #%PAM-1.0 > # password-sync > # > # A sample PAM configuration that shows the use of pam_smbpass to make > # sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) > # is changed. Useful when an expired password might be changed by an > # application (such as ssh). > > auth requisitepam_nologin.so > auth required pam_unix.so > accountrequired pam_unix.so > password requisitepam_cracklib.so retry=3 > password requisitepam_unix.so shadow md5 use_authtok > try_first_pass > password required pam_smbpass.so nullok use_authtok > try_first_pass > sessionrequired pam_unix.so > > And that is from the documentation in ~samba/source/pam_smbpass/samples. > > Your RH8 machine may use pam_pwdb.so, or pam_unix2.so, or similar for > system account password changing. > > > > I think it is a samba question, I did try to use more than 8 characters in > > the password and it still gave the same error. > > If you do not have the pam_pwdb.so or pam_unix.so module in your PAM > configuration then you have a hosed up PAM. > > > I got this error when I tried to add a new user to the unix system and > > change his password. This is ONLY when I used the pam_smbpass option to > > samba. > > Wait a moment. You added pam_smbpass.so to PAM - NOT to samba! > > > So I think it is a samba question. > > Whatever! > > > the only workaround is what I had given below. > > If you have got the pam_smbpass option to sync unixpassword with smbpassword > > for NEW users, Please let me know. > > > You say smbpassword adds any user present in /etc/password, TRUE... But my > > question is why cant I add a unix password to the user which will sync it > > with smbpassword the 1st time I create a user.. > > Explained above. > > > Once I create my smbpassword and then I change my unix password then it > > sync's it with smbpassword and no error, why cant it do it the first time. > > Fix you PAM configuration. > > > > > Here is my error again using 8 characters in my password . > > --- > > [root@localhost named]# useradd -g users keith > > [root@localhost named]# passwd keith > > Changing password for user keith. > > New password: > > Retype new password: > > Failed to find entry for user keith. > > > > passwd: Authentication token manipulation error > > - > > Right. Did you add the 'debug' or 'audit' options to the pam_smbpass.so > line in your PAM configuration and then check /var/log/messages or > /var/log/security for error messages? > > > > NOW IF I HAD DONE THIS > > > > [root@localhost named]# useradd -g users keith > > [root@localhost named]# smbpasswd -a keith > > New SMB password: > > Retype new SMB password: > > Added user keith. > > Password changed for user keith. > > Of course it worked! It just changes /etc/samba/smbpasswd entries. > You added the account (with the -a option), so now pam_smbpass.so can > change the password. The account entry in /etc/samba/smbpasswd has to > exist first. > > > [root@localhost named]# passwd keith > > Changing password for user keith. > > New password: > > Retype new password: > >
Re: [Samba] passwd: Authentication token manipulation error
On Sun, 2 Feb 2003, Thorsten D. Marsen wrote: > Hi John, > > > The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. > > It does NOT use PAM at all. > > > > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. > > Whatever you configure PAM to do it will follow. > > > > Firstly, pam_smbpass.so does NOT do unix system password changing! It can > > be added to your PAM configuration to update the /etc/samba/smbpasswd > > file. > > In the case LDAP is configured, smbpasswd will change the lm/ntPassword > Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know if > pam_smbpass.so also regognizes this configuration? No. pam_smbpass.so is a PAM module that directly acts on the /etc/samba/smbpasswd file. - John T. -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
Hi John, > The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. > It does NOT use PAM at all. > > The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. > Whatever you configure PAM to do it will follow. > > Firstly, pam_smbpass.so does NOT do unix system password changing! It can > be added to your PAM configuration to update the /etc/samba/smbpasswd > file. In the case LDAP is configured, smbpasswd will change the lm/ntPassword Fields in the Samba Schemata instead of /etc/samba/smbpasswd. Do you know if pam_smbpass.so also regognizes this configuration? Thanks, Thorsten. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
On Sun, 2 Feb 2003, Keith Fernandez wrote: Whoa Keith! Nowhere in your first email did you explain that you had already changed your Linux PAM configuration _AND_ are trying to use pam_smbpass.so. The smbpasswd utilitiy only changes the password in /etc/samba/smbpasswd. It does NOT use PAM at all. The system tool 'passwd' (/bin/passwd or /usr/bin/passwd) will use PAM. Whatever you configure PAM to do it will follow. Firstly, pam_smbpass.so does NOT do unix system password changing! It can be added to your PAM configuration to update the /etc/samba/smbpasswd file. If you want to update both /etc/passwd (/etc/shadow) entries as well as /etc/samba/smbpasswd then the following recommendation is included in the source code by the author: #%PAM-1.0 # password-sync # # A sample PAM configuration that shows the use of pam_smbpass to make # sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) # is changed. Useful when an expired password might be changed by an # application (such as ssh). auth requisitepam_nologin.so auth required pam_unix.so accountrequired pam_unix.so password requisitepam_cracklib.so retry=3 password requisitepam_unix.so shadow md5 use_authtok try_first_pass password required pam_smbpass.so nullok use_authtok try_first_pass sessionrequired pam_unix.so And that is from the documentation in ~samba/source/pam_smbpass/samples. Your RH8 machine may use pam_pwdb.so, or pam_unix2.so, or similar for system account password changing. > I think it is a samba question, I did try to use more than 8 characters in > the password and it still gave the same error. If you do not have the pam_pwdb.so or pam_unix.so module in your PAM configuration then you have a hosed up PAM. > I got this error when I tried to add a new user to the unix system and > change his password. This is ONLY when I used the pam_smbpass option to > samba. Wait a moment. You added pam_smbpass.so to PAM - NOT to samba! > So I think it is a samba question. Whatever! > the only workaround is what I had given below. > If you have got the pam_smbpass option to sync unixpassword with smbpassword > for NEW users, Please let me know. > You say smbpassword adds any user present in /etc/password, TRUE... But my > question is why cant I add a unix password to the user which will sync it > with smbpassword the 1st time I create a user.. Explained above. > Once I create my smbpassword and then I change my unix password then it > sync's it with smbpassword and no error, why cant it do it the first time. Fix you PAM configuration. > > Here is my error again using 8 characters in my password . > --- > [root@localhost named]# useradd -g users keith > [root@localhost named]# passwd keith > Changing password for user keith. > New password: > Retype new password: > Failed to find entry for user keith. > > passwd: Authentication token manipulation error > - Right. Did you add the 'debug' or 'audit' options to the pam_smbpass.so line in your PAM configuration and then check /var/log/messages or /var/log/security for error messages? > NOW IF I HAD DONE THIS > > [root@localhost named]# useradd -g users keith > [root@localhost named]# smbpasswd -a keith > New SMB password: > Retype new SMB password: > Added user keith. > Password changed for user keith. Of course it worked! It just changes /etc/samba/smbpasswd entries. You added the account (with the -a option), so now pam_smbpass.so can change the password. The account entry in /etc/samba/smbpasswd has to exist first. > [root@localhost named]# passwd keith > Changing password for user keith. > New password: > Retype new password: > passwd: all authentication tokens updated successfully > -- > > Added this line to my /etc/pam.d/system-auth to get it to work after the > "pam_cracklib.so" line > password required /lib/security/pam_smbpass.so nullok use_authtok > try_first_pass Try: password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit migrate Cheers, John T. > > > > Regards, > Keith > > "The linuX Files -- The Source is Out There." > ---- > ----- Original Message ----- > From: "John H Terpstra" <[EMAIL PROTECTED]> > To: "Keith Fernandez" <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]> > Sent: Saturday, February 01, 2003 11:46 PM > Subject: Re: [Samba] passwd: Authentication token manipulation error > > > > On Sat, 1 Feb 2003, Keith Fernandez wrote: > > > > > Hi Can anyone tell me what thi
Re: [Samba] passwd: Authentication token manipulation error
I think it is a samba question, I did try to use more than 8 characters in the password and it still gave the same error. I got this error when I tried to add a new user to the unix system and change his password. This is ONLY when I used the pam_smbpass option to samba. So I think it is a samba question. the only workaround is what I had given below. If you have got the pam_smbpass option to sync unixpassword with smbpassword for NEW users, Please let me know. You say smbpassword adds any user present in /etc/password, TRUE... But my question is why cant I add a unix password to the user which will sync it with smbpassword the 1st time I create a user.. Once I create my smbpassword and then I change my unix password then it sync's it with smbpassword and no error, why cant it do it the first time. Here is my error again using 8 characters in my password . --- [root@localhost named]# useradd -g users keith [root@localhost named]# passwd keith Changing password for user keith. New password: Retype new password: Failed to find entry for user keith. passwd: Authentication token manipulation error - NOW IF I HAD DONE THIS [root@localhost named]# useradd -g users keith [root@localhost named]# smbpasswd -a keith New SMB password: Retype new SMB password: Added user keith. Password changed for user keith. [root@localhost named]# passwd keith Changing password for user keith. New password: Retype new password: passwd: all authentication tokens updated successfully -- Added this line to my /etc/pam.d/system-auth to get it to work after the "pam_cracklib.so" line password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass Regards, Keith "The linuX Files -- The Source is Out There." - Original Message - From: "John H Terpstra" <[EMAIL PROTECTED]> To: "Keith Fernandez" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Saturday, February 01, 2003 11:46 PM Subject: Re: [Samba] passwd: Authentication token manipulation error > On Sat, 1 Feb 2003, Keith Fernandez wrote: > > > Hi Can anyone tell me what this error is. > > Firstly, it's NOT a samba question. > > Secondly, it means the password you tried to use is too short. Your RH8 > system has a PAM configuration that insists on a password being longer > than a certain number of characters. > > I think that if you do: > grep /etc/passwd mandy > you will find that the account was added, but it now has NO password. > You really DO want to enter a system password, or use Red Hat's method for > locking the Linux system account for mandy. > > smbpasswd will add any user who has an entry in the /etc/passwd file. > > SMB passwords are independant of the system password. > > - John T. > > > > > Thanks. > > Regards, > > Keith > > > > "The linuX Files -- The Source is Out There." > > > > - Original Message - > > From: "Keith Fernandez" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Friday, January 31, 2003 8:34 PM > > Subject: [Samba] passwd: Authentication token manipulation error > > > > > > > Hi, > > > > > > I am trying to add a new user to my RedHat 8.0 System running samba > > 2.2.7-1a > > > This is the error I get. > > > > > > --- > > > [root@localhost named]# useradd -g users mandy > > > [root@localhost named]# passwd mandy > > > Changing password for user mandy. > > > New password: > > > BAD PASSWORD: it is too short > > > Retype new password: > > > Failed to find entry for user mandy. > > > > > > passwd: Authentication token manipulation error > > > - > > > > > > This error is only when I am creating a new user. Password sync happens if > > there is an existing user. > > > if after using useradd -g users mandy > > > I do a smbpassword -a mandy > > > then everything is fine > > > What could be the problem... > > > > > > > > > Regards, > > > Keith > > > > > > "The linuX Files -- The Source is Out There." > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: http://lists.samba.org/mailman/listinfo/samba > > > > > > > > > -- > John H Terpstra > Email: [EMAIL PROTECTED] > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
On Sat, 1 Feb 2003, Keith Fernandez wrote: > Hi Can anyone tell me what this error is. Firstly, it's NOT a samba question. Secondly, it means the password you tried to use is too short. Your RH8 system has a PAM configuration that insists on a password being longer than a certain number of characters. I think that if you do: grep /etc/passwd mandy you will find that the account was added, but it now has NO password. You really DO want to enter a system password, or use Red Hat's method for locking the Linux system account for mandy. smbpasswd will add any user who has an entry in the /etc/passwd file. SMB passwords are independant of the system password. - John T. > > Thanks. > Regards, > Keith > > "The linuX Files -- The Source is Out There." > > - Original Message - > From: "Keith Fernandez" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Friday, January 31, 2003 8:34 PM > Subject: [Samba] passwd: Authentication token manipulation error > > > > Hi, > > > > I am trying to add a new user to my RedHat 8.0 System running samba > 2.2.7-1a > > This is the error I get. > > > > --- > > [root@localhost named]# useradd -g users mandy > > [root@localhost named]# passwd mandy > > Changing password for user mandy. > > New password: > > BAD PASSWORD: it is too short > > Retype new password: > > Failed to find entry for user mandy. > > > > passwd: Authentication token manipulation error > > - > > > > This error is only when I am creating a new user. Password sync happens if > there is an existing user. > > if after using useradd -g users mandy > > I do a smbpassword -a mandy > > then everything is fine > > What could be the problem... > > > > > > Regards, > > Keith > > > > "The linuX Files -- The Source is Out There." > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: http://lists.samba.org/mailman/listinfo/samba > > > > -- John H Terpstra Email: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passwd: Authentication token manipulation error
Hi Can anyone tell me what this error is. Thanks. Regards, Keith "The linuX Files -- The Source is Out There." - Original Message - From: "Keith Fernandez" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, January 31, 2003 8:34 PM Subject: [Samba] passwd: Authentication token manipulation error > Hi, > > I am trying to add a new user to my RedHat 8.0 System running samba 2.2.7-1a > This is the error I get. > > --- > [root@localhost named]# useradd -g users mandy > [root@localhost named]# passwd mandy > Changing password for user mandy. > New password: > BAD PASSWORD: it is too short > Retype new password: > Failed to find entry for user mandy. > > passwd: Authentication token manipulation error > - > > This error is only when I am creating a new user. Password sync happens if there is an existing user. > if after using useradd -g users mandy > I do a smbpassword -a mandy > then everything is fine > What could be the problem... > > > Regards, > Keith > > "The linuX Files -- The Source is Out There." > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] passwd: Authentication token manipulation error
Hi, I am trying to add a new user to my RedHat 8.0 System running samba 2.2.7-1a This is the error I get. --- [root@localhost named]# useradd -g users mandy [root@localhost named]# passwd mandy Changing password for user mandy. New password: BAD PASSWORD: it is too short Retype new password: Failed to find entry for user mandy. passwd: Authentication token manipulation error - This error is only when I am creating a new user. Password sync happens if there is an existing user. if after using useradd -g users mandy I do a smbpassword -a mandy then everything is fine What could be the problem... Regards, Keith "The linuX Files -- The Source is Out There." -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba