Local user account password management fails with winbind active in PAM and nsswitch.conf (Doc ID 1393432.1)

Last updated on AUGUST 01, 2016

Applies to:

Solaris Operating System - Version 10 3/05 to 10 1/13 U11 [Release 10.0]
Information in this document applies to any platform.

Symptoms

On Solaris 10 systems with Samba's Winbind authentication method configured in the /etc/nsswitch.conf and /etc/pam.conf files, local password management for users in the /etc/passwd file will fail.
To confirm whether Winbind is configured, check that the following files have the entries shown:

The /etc/nsswitch.conf file will have:
passwd: files winbind
group: files winbind

The /etc/pam.conf file will have the pam_winbind.so module active in the following sections:
# Default definition for Account management

other account required pam_winbind.so

# Default definition for Password management

other password required pam_winbind.so
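
One way to script the confirmation above, as an added example that is not part of the Oracle note. The function names are hypothetical, the two file paths are passed as arguments so the check can run against copies, and a POSIX awk is assumed (nawk or /usr/xpg4/bin/awk on Solaris 10).

```shell
#!/bin/sh
# Added example: report where winbind appears in nsswitch.conf and pam.conf.

# Print the databases (passwd, group) whose source list includes winbind.
nss_winbind_dbs() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == "passwd:" || $1 == "group:" {
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") { sub(/:$/, "", $1); print $1; break }
        }
    ' "$1"
}

# Print "service type control" for each account/password line that loads
# pam_winbind.so (pam.conf fields: service type control module [options]).
pam_winbind_entries() {
    awk '
        { sub(/#.*/, "") }
        NF >= 4 && ($2 == "account" || $2 == "password") {
            n = split($4, p, "/")                   # allow a full module path
            if (p[n] ~ /^pam_winbind\.so/) print $1, $2, $3
        }
    ' "$1"
}

# Return 0 when winbind is listed for the passwd database and pam_winbind.so
# is loaded in the password management stack.
winbind_in_passwd_path() {
    nss_winbind_dbs "$1" | grep -x passwd >/dev/null &&
    pam_winbind_entries "$2" | grep ' password ' >/dev/null
}

# Usage: script /etc/nsswitch.conf /etc/pam.conf
if [ "$#" -eq 2 ]; then
    echo "nsswitch databases using winbind:"; nss_winbind_dbs "$1"
    echo "pam_winbind.so entries:";           pam_winbind_entries "$2"
fi
```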


Users cannot modify their passwords under several conditions. Errors such as the following are returned.

A non-root local password file user attempting to change their password:

-bash-3.00$ passwd
passwd: Changing password for username
passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".
Unexpected failure. Password file/table unchanged.

-bash-3.00$ passwd -r files
passwd: Changing password for username
Enter existing login password:
New Password:
Permission denied


An example of forcing password expiry, so that a local password file user must change their password at the next login:

# passwd -r files -f username
passwd: password information changed for username
#


When the user attempts to connect or log in to the system they are prompted to change their password but cannot do so:


# ssh -l username host
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).


As root, changing the local user password fails:


# passwd -r files username
New Password:
Permission denied
#

 

Cause
