Tabitha Taylor tabithataylorcrockett at yahoo.com
Thu Jun 17 17:03:04 GMT 2004


I am unable to log in to a samba system that uses
kerberos to authenticate to ADS if the user's password
has expired on the ADS system or if "User must change
password at next login" is checked on the ADS. I get
a "login incorrect" message on the linux system and
the log file gives the following error:

pam_winbind[3647]: request failed: Must change
password, PAM error was 12, NT error was

pam_winbind[3647]: user `blah' new password required  
  Jun 17 10:25:53 samba1 login[3647]: FAILED LOGIN
SESSION FROM /dev/tty1 FOR blah, Authentication token
is no longer valid; new one required.                 

Is it possible for the user to get prompted to change
their password at login? I am very new to the
Microsoft integration and any advice would be greatly appreciated.

Note: getent passwd, wbinfo -u, wbinfo -g, and logging
into the samba system with an ADS user account that
hasn't expired and isn't required to change its password at first login
work fine without any issues.

My configuration is as follows:

Suse 8.1 2.4.19-4

Installed packages:


# Global parameters
        workgroup = TEST
        realm = TEST.LOCAL
        security = ADS
        auth methods = winbind
        update encrypted = Yes
        obey pam restrictions = Yes
        password server = win.test.local
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 15
        winbind use default domain = Yes

        ticket_lifetime = 24000
        default_realm = TEST.LOCAL
        default_tgs_enctypes = arcfour-hmac-md5
        permitted_enctypes = arcfour-hmac-md5
        #default_tgs_enctypes = des-cbc-crc
        #default_tkt_enctypes = des-cbc-crc
        forwardable = true
        proxiable = true
        dns_lookup_realm = true
        dns_lookup_kdc = true

        TEST.LOCAL = {
                kdc = win.test.local:88
                admin_server = win.test.local:749
                default_domain = TEST.LOCAL

        .test.local = TEST.LOCAL
         test.local = TEST.LOCAL

profile = /var/heimdal/kdc.conf


    default = FILE:/var/log/krb5/libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/admin.log

pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    renewable = true
    krb4_convert = false

        kdc_ports = 88

       TEST.LOCAL = {
           kadmind_port = 749
           max_life = 10h 0m 0s
           max_renewable_life = 7d 0h 0m 0s
           master_key_type = des-cbc-crc
           supported_enctypes = des-cbc-crc:normal

        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log

auth required   pam_securetty.so
auth required   pam_env.so
auth sufficient pam_unix2.so    nullok     #set_secrpc
auth sufficient pam_winbind.so use_first_pass #added
auth required   pam_deny.so  #added
auth required   pam_nologin.so
#auth    required       pam_homecheck.so
# auth required pam_mail.so
account sufficient      pam_winbind.so
account required        pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_autho
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required        pam_unix2.so    none     # debug or trace
session required        pam_limits.so

#/etc/nsswitch.conf (relevant section)

passwd: compat winbind
shadow: files  winbind
group:  compat winbind

Note: nscd is also disabled

Thanks in advance,

Tabitha Taylor

