[Samba] pam_winbind troubles

gat1182 at free.fr gat1182 at free.fr
Mon Jan 3 14:03:29 GMT 2005


Hi and happy New Year.

I test the integration of samba 3.0.10 on a fedora core 3 box in a Microsoft
Active Directory (Windows 2003) environment.
I already configure samba for the integration in the AD domain and it works fine
but I have a problem with the pam_winbind.
I can authenticate my AD domain users on the fedora box but I can’t change their
password with the passwd command.

For example, I can log with the "VDP\kalaghan" domain user but when I try to
change his password with the passwd command, I’ve got the next error messages
in /var/log/messages:

Jan  3 14:55:01 fedogat pam_winbind[2869]: user 'VDP\kalaghan' granted access
Jan  3 14:55:20 fedogat pam_winbind[2869]: request failed:
NT_STATUS_PASSWORD_RESTRICTION, PAM error was 4, NT error was
NT_STATUS_PASSWORD_RESTRICTION
Jan  3 14:55:20 fedogat pam_winbind[2869]: internal module error (retval = 4,
user = `VDP\kalaghan'

The password I’m using is more than eight characters and I’ve disabled the GPO
in AD which concerns the complexity of password.

My /etc/pam.d/system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


If someone have an idea

Regards


More information about the samba mailing list