Right, so I have winbind authentication set up for login. However, I think there may still be some situations in which it would be useful for the user to be able to set their unix password (in the traditional /etc/passwd and /etc/shadow files). I'm having real trouble doing this.
My /etc/pam.d/passwd file is shipped like this on my system (ArchLinux):
password required pam_unix.so sha512 shadow nullok
If I use pam_winbind instead, the password is authenticated and changed correctly on the domain. However, what I really want is to make it possible for the user to authenticate with pam_winbind, and then set the password with pam_unix (preferably without setting the password on the domain, as that will probably fail if it's the same as the existing one). Is there any way to do this? If I stack pam_winbind above pam_unix, pam_unix asks for its own password anyway, and use_authtok doesn't help: it still asks for the current unix password. Passing use_first_pass doesn't help because the passwords don't yet match.
