[Samba-it] winbind pam password expired
Aldo Bortot
abortot at comune.belluno.it
Sat Jun 27 03:07:32 MDT 2009
Greetings to everyone.
I have installed a new desktop with Ubuntu 9.04 as a domain member.
The default Samba is 3.3.2.
It is joined to a domain managed with Samba and LDAP.
The configuration of the new domain member is identical to that of others
that already work.
Authentication should take place through pam_winbind.
The problem is that no domain user can log in; the error reported is
Password expired.
Some checks already carried out with positive results:
- wbinfo -a user%pass
- works perfectly if I set acctflag to X
- works perfectly if pam_ldap is used directly (but obviously I lose
domain management in the "Windows" sense)
From an excerpt of /var/log/auth.log (reported below) I see that:
1) pam_winbind reports a hypothetical policy that would make the
password expire 1 second before the moment the password was set.
2) the "mandatory" password change proceeds correctly
3) a comparison is nevertheless made between the "last set" and the
"expire" computed one second early, so the cycle repeats with no way
out.
Has this already happened to anyone? Is it a known problem?
Regards, thanks
aldo
excerpt from /var/log/auth.log
...
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): Verify
user 'aatest'
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth):
request wbcLogonUser succeeded
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): user
'aatest' granted access
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth):
Password has expired (Password was last set: 1246085963, the policy says
it should expire here 1246085962 (now it's: 1246091974))
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): [pamh:
0x98c1570] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account):
[pamh: 0x98c1570] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account):
pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account):
user 'aatest' needs new password
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account):
[pamh: 0x98c1570] LEAVE: pam_sm_acct_mgmt returning 12
(PAM_NEW_AUTHTOK_REQD)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok):
[pamh: 0x98c1570] ENTER: pam_sm_chauthtok (flags: 0x4020)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok):
username [aatest] obtained
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok):
getting password (0x00000021)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
request wbcLogonUser succeeded
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
user 'aatest' granted access
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
Password has expired (Password was last set: 1246085963, the policy says
it should expire here 1246085962 (now it's: 1246091979))
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
[pamh: 0x98c1570] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
[pamh: 0x98c1570] ENTER: pam_sm_chauthtok (flags: 0x2020)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
username [aatest] obtained
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok):
getting password (0x00000001)
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
request wbcChangeUserPasswordEx succeeded
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
user 'aatest' OK
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
user 'aatest' password changed
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
request wbcLogonUser succeeded
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
user 'aatest' granted access
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
Password has expired (Password was last set: 1246091983, the policy says
it should expire here 1246091982 (now it's: 1246091984))
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
[pamh: 0x98c1570] LEAVE: pam_sm_chauthtok returning 27 (PAM_AUTHTOK_EXPIRED)
Jun 27 10:39:44 sport-stage login[4539]: pam_unix(login:chauthtok): user
"aatest" does not exist in /etc/passwd
Jun 27 10:39:44 sport-stage login[4539]: Authentication token
manipulation error
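
The condition described in the message (an expiry timestamp earlier than the last-set timestamp, repeated right after a successful password change) can be checked mechanically over auth.log. The following is an added example, not part of the original post or of Samba; the names `unwrap`, `analyse` and `SAMPLE` are hypothetical and the sample lines are constructed from the values quoted in the excerpt.

```python
import re

# Constructed sample in mail-wrapped form, timestamps as quoted in the post.
SAMPLE = """\
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth):
Password has expired (Password was last set: 1246085963, the policy says
it should expire here 1246085962 (now it's: 1246091974))
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
user 'aatest' password changed
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
Password has expired (Password was last set: 1246091983, the policy says
it should expire here 1246091982 (now it's: 1246091984))
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EXPIRED = re.compile(
    r"pam_winbind\(\w+:(?P<phase>\w+)\): Password has expired "
    r"\(Password was last set: (?P<last_set>\d+), the policy says it "
    r"should expire here (?P<expire>\d+) \(now it's: (?P<now>\d+)\)\)")
CHANGED = re.compile(r"user '(?P<user>[^']+)' password changed")


def unwrap(text):
    """Rejoin continuation lines (no syslog timestamp) to their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def analyse(text):
    """One finding per 'Password has expired' record."""
    findings, changed_user = [], None
    for rec in unwrap(text):
        m = CHANGED.search(rec)
        if m:
            changed_user = m.group("user")
        m = EXPIRED.search(rec)
        if m:
            last_set, expire = int(m["last_set"]), int(m["expire"])
            findings.append({
                "phase": m["phase"],
                "max_age": expire - last_set,  # effective max password age (s)
                "age": int(m["now"]) - last_set,  # real password age (s)
                "impossible": expire <= last_set,  # expiry not after last set
                "expired_after_change_by": changed_user})
    return findings
```

A finding with `impossible` set means no password could ever be valid under the reported policy, which points at the policy values winbind receives rather than at the user's account.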