solution: account expired

Steve Langasek vorlon at netexpress.net
Wed May 9 21:23:02 GMT 2001


On Tue, 8 May 2001, Florian Petri wrote:

> On Mon, May 07, 2001 at 05:27:25PM -0500, Steve Langasek wrote:

> > > Some of you may get "account disabled ..." when you try to log in at NT4 or
> > > W2K workstations and don't know where this comes from, because you can access the samba server, e.g. with the same accounts, without any problem.
> > > (log.smbd shows some unknown errors ...)

> > > The PAM service on my Linux box was wrongly configured. I used pam_unix.so in
> > > /etc/pam.d/samba but it seems to me that I have to install pam_pwdb.so (parameters: md5 shadow) to log in at my NT4 box.

> > > Probably this could be documented somewhere. I spent a couple of hours on
> > > this and some others posted the same problems. I hope this helps you ...

> > This is a combination of a bug in Samba 2.2.0, and a bug in some versions of
> > pam_unix.  I believe the most current version of pam_unix should work ok -- if
> > not, I'd appreciate knowing about it.

> My version is new, the debian unstable version from april 18.
> If there is a newer version available today, I think you wouldn't find it
> in a binary distribution (package version 0.72-22).

Ah.. I've just looked at the PAM CVS code more closely, and it seems that I
misremembered how this was being done in pam_unix; there's uid-handling code
in place to handle the pathological case of a program running as non-root
which needs to get access to an /NIS+/ database, but there's nothing for the
case where the calling app invokes PAM as non-root and needs to get access to
the shadow file.  Samba appears to be the first app to try this particular
maneuver, for better or for worse.

I'll add code to pam_unix to handle this for the next Linux-PAM release; on
the Samba side, the sane thing to do is still to call become_root() before
each PAM call.  Unfortunately, this is currently not that easy to achieve
without breaking other parts of the code (e.g., rpcclient, smbclient).

Regards,
Steve Langasek
postmodern programmer





More information about the samba-ntdom mailing list