[Samba-it] winbind pam expired password

Aldo Bortot abortot at comune.belluno.it
Sat Jun 27 03:07:32 MDT 2009


Greetings to all.

I have installed a new desktop with Ubuntu 9.04 as a domain member.
The default Samba is 3.3.2.
It is joined to a domain managed with Samba and LDAP.
The configuration of the new domain member is identical to others that 
already work.
Authentication should take place through pam_winbind.
The problem is that no domain user manages to log in, with a "password 
expired" message being reported.

Some checks already carried out, with positive results:

- wbinfo -a user%pass
- it works perfectly if I set acctflag to X
- it works perfectly if pam_ldap is used directly (but obviously I lose 
domain management in the "Windows" sense)

From an excerpt of /var/log/auth.log (reproduced below) I see that:

1) pam_winbind reports a supposed policy that would make the password 
expire 1 second before the moment the password was set.

2) the "mandatory" password change proceeds correctly

3) nevertheless a comparison is made between the "last set" and the 
"expire" computed one second earlier, so the cycle repeats with no way 
out.

Has this already happened to anyone? Is it a known problem?

regards, thanks
aldo

excerpt from /var/log/auth.log
...
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): Verify 
user 'aatest'
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): 
request wbcLogonUser succeeded
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): user 
'aatest' granted access
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): 
Password has expired (Password was last set: 1246085963, the policy says 
it should expire here 1246085962 (now it's: 1246091974))
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth): [pamh: 
0x98c1570] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account): 
[pamh: 0x98c1570] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account): 
pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account): 
user 'aatest' needs new password
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:account): 
[pamh: 0x98c1570] LEAVE: pam_sm_acct_mgmt returning 12 
(PAM_NEW_AUTHTOK_REQD)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok): 
[pamh: 0x98c1570] ENTER: pam_sm_chauthtok (flags: 0x4020)
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok): 
username [aatest] obtained
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:chauthtok): 
getting password (0x00000021)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
request wbcLogonUser succeeded
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
user 'aatest' granted access
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
Password has expired (Password was last set: 1246085963, the policy says 
it should expire here 1246085962 (now it's: 1246091979))
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
[pamh: 0x98c1570] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
[pamh: 0x98c1570] ENTER: pam_sm_chauthtok (flags: 0x2020)
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
username [aatest] obtained
Jun 27 10:39:39 sport-stage login[4539]: pam_winbind(login:chauthtok): 
getting password (0x00000001)
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
request wbcChangeUserPasswordEx succeeded
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
user 'aatest' OK
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
user 'aatest' password changed
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
request wbcLogonUser succeeded
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
user 'aatest' granted access
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
Password has expired (Password was last set: 1246091983, the policy says 
it should expire here 1246091982 (now it's: 1246091984))
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok): 
[pamh: 0x98c1570] LEAVE: pam_sm_chauthtok returning 27 (PAM_AUTHTOK_EXPIRED)
Jun 27 10:39:44 sport-stage login[4539]: pam_unix(login:chauthtok): user 
"aatest" does not exist in /etc/passwd
Jun 27 10:39:44 sport-stage login[4539]: Authentication token 
manipulation error
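
A diagnostic sketch for the log pattern reported above, added here as an example and not part of the original post: it parses pam_winbind "Password has expired" lines, computes the effective maximum age (expire minus last set), and flags records where the computed expiry is not later than the last-set time. The function names and the third sample record are assumptions made for illustration.

```python
import re

# pam_winbind expiry message; \s+ tolerates the line wrapping seen in mail archives.
EXPIRY_RE = re.compile(
    r"pam_winbind\((?P<svc>[\w-]+):(?P<phase>\w+)\):\s+Password has expired\s+"
    r"\(Password was last set:\s+(?P<last_set>\d+),\s+the policy says\s+it\s+"
    r"should\s+expire\s+here\s+(?P<expire>\d+)\s+\(now it's:\s+(?P<now>\d+)\)\)"
)

# Constructed sample: the first two records reuse the timestamps quoted in the
# post; the third (pid 4600, 42-day policy) is invented to show a normal expiry.
SAMPLE = """\
Jun 27 10:39:34 sport-stage login[4539]: pam_winbind(login:auth):
Password has expired (Password was last set: 1246085963, the policy says
it should expire here 1246085962 (now it's: 1246091974))
Jun 27 10:39:44 sport-stage login[4539]: pam_winbind(login:chauthtok):
Password has expired (Password was last set: 1246091983, the policy says
it should expire here 1246091982 (now it's: 1246091984))
Jun 27 10:41:02 sport-stage login[4600]: pam_winbind(login:auth):
Password has expired (Password was last set: 1240000000, the policy says
it should expire here 1243628800 (now it's: 1246091974))
"""

def find_expiry_records(log_text):
    """Return one dict per expiry message, with the derived max age in seconds."""
    records = []
    for m in EXPIRY_RE.finditer(log_text):
        last_set, expire, now = (int(m[k]) for k in ("last_set", "expire", "now"))
        records.append({
            "phase": m["phase"], "last_set": last_set, "expire": expire, "now": now,
            "max_age": expire - last_set,        # what the policy math produced
            "impossible": expire <= last_set,    # expiry not after the set time
        })
    return records

def still_expired_after_change(records):
    """True if a newer last_set (a password change) is again reported as expired."""
    for prev, cur in zip(records, records[1:]):
        if cur["last_set"] > prev["last_set"] and cur["impossible"]:
            return True
    return False

if __name__ == "__main__":
    for r in find_expiry_records(SAMPLE):
        print(r["phase"], r["max_age"], "IMPOSSIBLE" if r["impossible"] else "ok")
    print("loop:", still_expired_after_change(find_expiry_records(SAMPLE)))
```

A max_age of -1 on every record, including the one written right after a successful change, separates this condition from an ordinary expired password, where max_age is a positive policy interval.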


