How To Change An Active Directory User's Password From Linux via Winbind

This document (7014733) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 11

Situation

Once a Samba server has joined an Active Directory domain, how does one go about changing the password of an Active Directory user from the command line on Linux?

Resolution

Assuming everything has been set up correctly (Samba, winbind, PAM, and /etc/nsswitch.conf), changing the password is as simple as the following. Files from a working setup are provided below under the Additional Information section:
 
passwd DOMAIN\\username
(current) NT password:  <enter old secret here>
Enter new NT password: <enter new secret here>
Retype new NT password: <re-enter new secret here>
 
If the change succeeds, the regular command prompt returns with no further message. If it fails, various messages may be printed, usually ending with the following:
passwd: User not known to the underlying authentication module.
 
That final error is returned by PAM. Address any messages or errors printed above it, then attempt to change the password again.
 
If an access denied error is encountered, be sure that the user account in Active Directory does not have a lock on it, or a setting preventing the password from being changed.
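The following pre-flight script is an added example and is not part of the SUSE document. It checks the three prerequisites the procedure above relies on (winbind listed in nsswitch.conf for passwd and group, security = ADS plus a realm in smb.conf, and pam_winbind.so in the PAM password stack) and maps the two failure messages the document names to the action it recommends. The function names, the scratch-directory layout and the default file paths are assumptions; each function accepts an alternative path so the checks can be run against copies of the files, and the sample files it writes are constructed from the working configuration listed under Additional Information.

```shell
#!/bin/sh
# Pre-flight checks for changing an AD user's password through winbind.
# Added example, not part of the SUSE document. Default paths are the usual
# SUSE locations; pass a path as the first argument to check a copy instead.

# nsswitch.conf: passwd and group must consult winbind, otherwise passwd
# cannot resolve DOMAIN\user and PAM reports "User not known".
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$f" &&
        grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$f"
}

# smb.conf: the host must be an ADS member (security = ADS) with a realm set.
check_smb_conf() {
    f="${1:-/etc/samba/smb.conf}"
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$f" &&
        grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f"
}

# PAM password stack: pam_winbind.so must be present so the new password goes
# to the domain controller rather than only the local shadow file.
check_pam_password() {
    f="${1:-/etc/pam.d/common-password}"
    grep -Eq '^[[:space:]]*password[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_winbind\.so' "$f"
}

# Run all three checks against the files in DIR; returns 0 only if all pass.
preflight() {
    dir="$1"
    ok=0
    check_nsswitch "$dir/nsswitch.conf"       || { echo "nsswitch.conf: winbind missing from passwd/group"; ok=1; }
    check_smb_conf "$dir/smb.conf"            || { echo "smb.conf: security = ADS or realm missing"; ok=1; }
    check_pam_password "$dir/common-password" || { echo "common-password: pam_winbind.so missing"; ok=1; }
    return "$ok"
}

# Map passwd output to the cause the document describes.
classify_passwd_error() {
    case "$1" in
        *"User not known to the underlying authentication module"*)
            echo "pam-lookup" ;;      # fix the errors printed above it, then retry
        *"Access denied"*|*"access denied"*)
            echo "access-denied" ;;   # check for an AD account lock or a "cannot change password" setting
        *)
            echo "other" ;;
    esac
}

# Constructed sample files (taken from the working configuration in this
# document) written to a scratch directory, so the checks run without touching /etc.
write_samples() {
    dir="$1"
    mkdir -p "$dir"
    printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' > "$dir/nsswitch.conf"
    printf '[global]\n\tworkgroup = PAUL\n\trealm = PAUL.LOCAL\n\tsecurity = ADS\n' > "$dir/smb.conf"
    printf 'password sufficient pam_winbind.so\npassword requisite pam_pwcheck.so nullok cracklib\npassword required pam_unix2.so use_authtok nullok\n' > "$dir/common-password"
}

# Demonstration on the constructed samples.
demo_dir="$(mktemp -d "${TMPDIR:-/tmp}/winbind-check.XXXXXX")"
write_samples "$demo_dir"
preflight "$demo_dir" && echo "prerequisites met; now run: passwd DOMAIN\\\\username"
rm -rf "$demo_dir"
```

To check a live host, call `preflight` on a directory holding copies of the three files, or call each check function without an argument so it reads the default path under /etc. A failing check points at the file to fix before retrying the passwd command; the "User not known" message on its own only tells you that PAM could not complete the lookup, not which file is wrong.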
 
 

Additional Information

Below is a set of example files from a working configuration (samba joined to an Active Directory domain):
 
smb.conf:
 
[global]
        workgroup = PAUL
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = PAUL.LOCAL
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
 
krb5.conf:
 
[libdefaults]
        default_realm = PAUL.LOCAL
        clockskew = 300
#       default_realm = EXAMPLE.COM
[realms]
        PAUL.LOCAL = {
                kdc = 192.168.2.65
                default_domain = paul.local
                admin_server = 192.168.2.65
        }
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .paul.local = PAUL.LOCAL
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }
 
 
 
/etc/nsswitch.conf
 
passwd: compat winbind
group:  compat winbind
hosts:  files dns
networks:       files dns
services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
 
/etc/pam.d/<filename>
 
common-account
account requisite pam_unix2.so 
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass 

common-account-pc
account requisite pam_unix2.so 
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass 

common-auth
auth required pam_env.so 
auth sufficient pam_unix2.so 
auth required pam_winbind.so use_first_pass 

common-auth-pc
auth required pam_env.so 
auth sufficient pam_unix2.so 
auth required pam_winbind.so use_first_pass 

common-password
password sufficient pam_winbind.so 
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-password-pc
password sufficient pam_winbind.so 
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-session
session required pam_limits.so 
session required pam_unix2.so 
session required pam_winbind.so 
session optional pam_umask.so 

common-session-pc
session required pam_limits.so 
session required pam_unix2.so 
session required pam_winbind.so 
session optional pam_umask.so 

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7014733
  • Creation Date: 12-MAR-14
  • Modified Date: 12-MAR-14
    • SUSE Linux Enterprise Server
