passwd - can't login, change password (pam_winbind pam-auth-update profile)

Can't add users. The password portion of the add fails.
Then try to set the password and it fails as well
bill@sam:~$ sudo passwd charlie
[sudo] password for bill:
passwd: System error
passwd: password unchanged

10.04 Beta 1 AMD64 Server version

The message "System error" is coming from PAM.

My first guess is that you have a misconfiguration on your system, but this could also be a PAM bug.

Can you check you /var/log/auth.log for messages from PAM?
Can you provide you PAM configuration?
(/etc/pam.d/passwd and the files linked from there)

i'm having the same issue

pam is trying to authenticate you in a domain, to resolv this issue u have to reconfigure pam and disable Winbin NT/AD authentication

sudo dpkg-reconfigure -plow libpam-runtime

Phoenix, that solved the problem. I can now login to my system - about time too, because I couldn't work another day on Windows. :-)

Anyway the login issue is resolved but the whole messing with passwords put me in a world of hurt when it comes to my encrypted home folder. Now ecryptfs is acting up - but thats a topic for another bug thread if it applies.

Again, thanks.

If any developer needs some more info on this bug I'm ready to provide the neccessary info.

If this is Winbind NT/AD authentication that you're having to disable, then the bug is in samba. Reassigning.

sudo dpkg-reconfigure -plow libpam-runtime
Fixed it.
It was set to use Winbind NT/Active Directory authentication. I did not ask it to this, it seems maybe Samba is setting this by default.
Thanks

Yes, the purpose of the 'winbind' package is to provide integration with a Windows domain or AD realm; that extends to enabling pam_winbind by default now that this is supported.

Of course, any problems this causes for you being able to use your local system accounts is a bug.

BTW, the idiomatic way to change this is by running 'sudo pam-auth-update' instead - shorter to type :)

Same here,

Lucid Beta 1 (latest kernel, latest updates) on AMD64.

As above 'sudo pam-auth-update' plus disabling winbind does the trick.

If you simply remove winbind, it fails to update pam config. You still must run pam-auth-update to unfsck it.

http://cdimage.ubuntu.com/ubuntu-server/daily/20100331/

Tried installing with this: turns out login is broken. Even holding SHIFT to go into single-user mode comes up with a read-only filesystem I can't remount as rw to run the dpkg-reconfigure on.

Well, if base-passwd & shadow aren't impacted, then what the heck are? I'm curious how a samba package ends up breaking normal user login & password changing processes. I knew to check here about the problem because I tried updating some samba packages yesterday & ended up breaking Samba access to a Konica scanner, then finding out I couldn't assign passwords to users while setting up FTP.

There seem to be two issues:
* one is about the profile itself, which apparently breaks pam config when enabled
* the other is about winbind.{postinst,prerm} not calling "pam-auth-update --package" to enable/disable the profile (which is marked Default:yes, so it will get enabled by the next pam-auth-update run ?)

I'd argue the pam_winbind profile could be "Default: no" since most people get winbind installed when installing wine, and don't care so much about winbind PAM integration. Those who care usually read documentation...

Disable Winbin NT/AD authentication by running:

sudo dpkg-reconfigure -plow libpam-runtime

... worked for me. Pretty show stopping bug! I experienced this on 64 bit install of Lucid beta.

breaks the passwd and the systemsettings way of changing the password in lucid beta1.

workaround works,

This happened to me on a clean install of ubuntu server i386 with packages dns, openssh, lamp, and samba. I was not able to login after the install. Above fix worked for me chrooted from a live cd.

Reproduced on a beta2 candidate, installing samba-server task, cannot log in on console.
See attached /etc/pam.d contents.

Only the password stack is borken, but that prevents ISO installs (samba file server) from setting the password for the user correctly, so that also prevents login for those cases.

Fix is to
<slangasek> 1) call pam-auth-update in winbind.postinst
<ttx> (and prerm)
<slangasek> 2) Password-Type: Primary instead of Password-Type: Additional in debian/winbind.pam-config

This bug was fixed in the package samba - 2:3.4.7~dfsg-1ubuntu2

---------------
samba (2:3.4.7~dfsg-1ubuntu2) lucid; urgency=low

  * debian/winbind.pam-config: Fix password PAM profile for winbind, thanks to
    Steve Langasek for investigation and fix (LP: #546874)
  * debian/winbind.prerm, debian/winbind.postinst: Enable and disable winbind
    PAM profile on package install/removal (LP: #556342)
 -- Thierry Carrez <email address hidden> Tue, 06 Apr 2010 11:59:54 +0200

Got the same problem:
- can not log in
- can not change passwork
- can not create new user

1. case: native 9.10 srv to 10.04 srv with apt-get upgrade. There was no Samba but Likewise 5.4.0.7985. Testbed Intel Celeron 667MHz
2. case production file and www server 9.10 srv. Samba. No Likewise. 'apt-get purge samba' started upgrade all by itself. Intel P4. Uptime about 180 days.
3. case native 10.04 srv rc1 to 10.04 srv with apt-get upgrade. No Samba, but Likewise 5.4.0.7985. Testbed Intel Atom 330

All the upgrades were made after the official release,
In all cases the servers were registered in a large AD and had users.
There was normal user 'root', a local user with sudo rights and a domain user with sudo rights, one basic user with no special rights. None of us can log in.
All the configurations was made over SSH (Putty) as 'root'. I had at least two SSH connections open from either one or two workstations, so that I could test various tricks.
Cases 1 and 3 didn't allow local login with keyboard. I didn't try connection over RS232 (port is open and tested before upgrade).
Now the connections are closed by automatic timeout.
None of the fixes in previous messages did help.

Not even root can log in. What to do with the 2.case ? There is customer data in there and a lot of scripts. Most of the data and scripts have been automatically copied to a backup. Still there is a lot of work to make it functional again, if I got to start with CD-installation.

I think I can replicate the sittuation, because I copied two of the root manual logs to another server. One problem is that I'm extremely short of time.

If the workarounds above didn't work, why do you think that's the same bug at all? I think you should open a new report.

The other issue is that if you actually upgraded your system using 'apt-get upgrade' (not even 'dist-upgrade'?!), that's not the correct procedure and is likely to break. See https://help.ubuntu.com/community/LucidUpgrades.

The problem happens for me only after some time. Restarting winbind fixes it for some minutes.