SUSE Support

Here When You Need Us

How To Change An Active Directory User's Password From Linux via Winbind

This document (7014733) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15


Once a Samba server has joined an Active Directory domain, how does one go about changing the password of an Active Directory user from the command line on Linux?


Assuming all was set up correctly (with samba, winbind, pam, and the /etc/nsswitch.conf), changing the password is as simple as follows.  Files from a working setup have been provided below under the Additional Information section:
passwd DOMAIN\\username
(current) NT password:  <enter old secret here>
Enter new NT password: <enter new secret here>
Retype new NT password: <re-enter new secret here>
If successful the regular command prompt will appear.  If a failure occurs, various messages may be encountered, likely to be completed with the following:
passwd: User not known to the underlying authentication module.
The previous error is being returned by pam.  Address any messages/errors above the passwd error above, and attempt to change the password again.
If an access denied error is encountered, be sure that the user account in Active Directory does not have a lock on it, or a setting preventing the password from being changed.
Note for SLES 12 and later:
In the /etc/samba/smb.conf add the following parameter to the "[global]" section of the file:

    pam password change = yes

Additional Information

Below is a set of example files from a working configuration (samba joined to an Active Directory domain):
        workgroup = PAUL
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = PAUL.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
        default_realm = PAUL.LOCAL
        clockskew = 300
#       default_realm = EXAMPLE.COM
        PAUL.LOCAL = {
                kdc =
                default_domain = paul.local
                admin_server =
#       EXAMPLE.COM = {
#                kdc =
#               admin_server =
#       }
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
        .paul.local = PAUL.LOCAL
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
passwd: compat winbind
group:  compat winbind
hosts:  files dns
networks:       files dns
services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
account requisite 
account sufficient
account required use_first_pass 

account requisite 
account sufficient
account required use_first_pass 

auth required 
auth sufficient 
auth required use_first_pass 

auth required 
auth sufficient 
auth required use_first_pass 

password sufficient 
password requisite nullok cracklib
password required use_authtok nullok

password sufficient 
password requisite nullok cracklib
password required use_authtok nullok

session required 
session required 
session required 
session optional 

session required 
session required 
session required 
session optional 


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014733
  • Creation Date: 12-Mar-2014
  • Modified Date:09-Sep-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.