Samba AD DC Password Expiry problem
Izzet Aydın
izzet.aydin at pardus.org.tr
Fri May 3 15:58:49 UTC 2019
Hello everyone,
I am trying to force a user to change his password at the login screen (test2 is the username) with the following command:
samba-tool user setpassword test2 --must-change-at-next-login
The client computer is configured and joined to the domain. However, when I try to log in in lightdm, I see the following line in auth.log:
pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: Password expired
but the user is still able to log in.
If I configure another client computer with the GNOME interface, I get the same auth.log message, but in this case I see the password expired message in gdm. Yet no user password change interruption appears.
I auto-configured my PAM files with pam-auth-update. What can the error be?
I have added my PAM and smb.conf files below.
Thanks
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
# end of pam-auth-update config
/etc/samba/smb.conf
[global]
realm = test.local
workgroup = TEST
security = ads
password server = xxx.xx.xx.xx
#wins server = IP of wins server
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
#winbind separator = +
#allow trusted domains = Yes
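An added example, not from the original post or from Samba: a small simulator of how Linux-PAM's bracketed control syntax routes module return codes through the common-account and common-auth stacks posted above. The module return codes are assumed inputs rather than real module calls (the domain user unknown to pam_unix, pam_deny returning PAM_AUTH_ERR, pam_winbind returning the code under test); it shows that the account stack hands PAM_NEW_AUTHTOK_REQD to the application through new_authtok_reqd=done, so the application must then call pam_chauthtok, while code 27 has no mapping in the auth stack and is routed to default=ignore, leaving pam_deny to decide.

```python
import re
# Linux-PAM return codes used below (numeric values as in _pam_types.h; 27 is the one in the log).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_AUTHTOK_EXPIRED = 10, 12, 27
CODE_NAMES = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown",
              12: "new_authtok_reqd", 27: "authtok_expired"}
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]"}
ACCOUNT_STACK = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so"""
AUTH_STACK = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so"""
def parse_line(line):
    """Split 'type control module args' into (module, {return_name: action}); pam.conf(5) syntax."""
    m = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
    control = KEYWORDS.get(m.group(1), m.group(1))
    return m.group(2), dict(tok.split("=", 1) for tok in control.strip("[]").split())

def run_stack(config, returns):
    """Evaluate a stack; 'returns' maps module file name -> the return code assumed for it."""
    entries = [parse_line(l) for l in config.splitlines() if l.strip() and not l.startswith("#")]
    status, failed, i = None, False, 0        # status None == Linux-PAM's undefined impression
    while i < len(entries):
        module, actions = entries[i]
        code = returns.get(module, PAM_SUCCESS)
        action = actions.get(CODE_NAMES.get(code, "?"), actions.get("default", "bad"))
        i += 1
        if action in ("bad", "die"):          # first failure wins and is never overridden
            if not failed:
                status, failed = code, True
            if action == "die":
                break
        elif action != "ignore":              # ok / done / N: count only while stack is positive
            if status is None or (not failed and status == PAM_SUCCESS):
                status = code
            if action == "done" and not failed:
                break
            if action.isdigit():              # N: jump over the next N entries
                i += int(action)
    return PAM_PERM_DENIED if status is None else status
def simulate(stack, winbind_code):
    """Assumed inputs: the domain user is unknown to pam_unix, pam_deny returns PAM_AUTH_ERR."""
    return run_stack(stack, {"pam_unix.so": PAM_USER_UNKNOWN, "pam_deny.so": PAM_AUTH_ERR,
                             "pam_winbind.so": winbind_code})
```

Run simulate(ACCOUNT_STACK, PAM_NEW_AUTHTOK_REQD) and simulate(AUTH_STACK, PAM_AUTHTOK_EXPIRED) to compare the two stacks; the keyword expansions follow pam.conf(5), and jump handling after an earlier failure is simplified.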