# How to use passwd to change password of a non-local/NIS user



## Xylene (Sep 6, 2018)

I would like to change the password of a non-local or NIS user using the passwd binary. When I attempt to change the user I get:

```
passwd: Sorry, `passwd' can only change passwords for local or NIS users.
```

I haven't seen passwd complain like this since the early AIX days. Is there an approved way of doing this without having to overwrite the passwd binary with a home-grown script like I have seen for LDAP users?


----------



## VladiBG (Sep 6, 2018)

Use chroot.


----------



## VladiBG (Sep 6, 2018)

In pw you also have -R and -V to select a different root path and a different etc.


----------



## Xylene (Sep 6, 2018)

In this particular case the users all reside in Active Directory. What doesn't make sense is that passwd is supposed to be PAM-aware, yet it puts a restriction on what the user source must be. Isn't the purpose of being PAM-aware to allow the end user to configure their PAM stack according to their needs?


----------



## ShelLuser (Sep 7, 2018)

I think you should read passwd(1) a bit more thoroughly because it explains quite a bit about the process. It makes it quite clear that passwd is focused on locally stored passwords:


```
     The passwd utility has built-in support for NIS.  If a user exists in the
     NIS password database but does not exist locally, passwd automatically
     switches into yppasswd mode.  If the specified user does not exist in
     either the local password database or the NIS password maps, passwd
     returns an error.
```
Which makes me conclude that passwd _definitely_ has its limitations. This is also illustrated in the section which explains Kerberos:

```
     To change another user's Kerberos password, one must first run kinit(1)
     followed by passwd.  The super-user is not required to provide a user's
     current password if only the local password is modified.
```



Xylene said:


> What doesn't make sense is that passwd is supposed to be PAM-aware, yet it puts a restriction on what the user source must be.


To my understanding PAM is all about _authentication_, not necessarily password management. This is strongly hinted at if you read pam(3) and pam.conf(5).

passwd is capable of using the PAM framework to make sure that the user has the required privileges it needs to utilize it, but it doesn't use that framework to actually manage the password database(s). See also /etc/pam.d/passwd:


```
# passwd(1) does not use the auth, account or session services.

# password
#password       requisite       pam_passwdqc.so         enforce=users
password        required        pam_unix.so             no_warn try_first_pass nullok
```



Xylene said:


> Isn't the purpose of being PAM-aware to allow the end user to configure their PAM stack according to their needs?


I'm definitely not an expert on PAM but if I check 

```
Password Management
     The pam_chauthtok() function allows the server to change the user's
     password, either at the user's request or because the password has
     expired.
```
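
The following is an added example, not part of ShelLuser's post or of FreeBSD itself: a small sh helper that lists which modules are active in the `password` facility of a PAM service file such as the /etc/pam.d/passwd quoted above, and reports whether pam_unix.so is the only one. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names); sample data is constructed.

# Print "control module" for every active line of the "password" facility.
# Reads the file given as $1, or stdin when no file is given.
pam_password_modules() {
    awk '
        /^[[:space:]]*#/ { next }   # commented-out modules are inactive
        NF < 3           { next }   # blank or incomplete lines
        $1 == "password" { print $2, $3 }
    ' "${1:--}"
}

# Succeeds only if pam_unix.so is the sole module in the password facility,
# i.e. password changes through this service go to the local backend only.
# Fails when another module is present or when no password line exists.
only_local_backend() {
    mods=$(pam_password_modules "$1" | awk '{ print $2 }' | sort -u)
    [ "$mods" = "pam_unix.so" ]
}

# Constructed sample mirroring the /etc/pam.d/passwd shown in the post.
sample_pam_passwd() {
    cat <<'EOF'
# passwd(1) does not use the auth, account or session services.

# password
#password       requisite       pam_passwdqc.so         enforce=users
password        required        pam_unix.so             no_warn try_first_pass nullok
EOF
}

# Demo on the constructed sample: prints "required pam_unix.so".
sample_pam_passwd | pam_password_modules
```

On a real system, pass the service file as the argument, for example `pam_password_modules /etc/pam.d/passwd`.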


----------



## VladiBG (Sep 7, 2018)

If you are talking about a Windows Active Directory user then you can use smbpasswd(8).


----------



## Xylene (Sep 10, 2018)

Looks like it is an open bug in the FreeBSD code. Opened in 2004 and still not fixed.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=71290


----------

