[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired
Michael Gasch
gasch at eva.mpg.de
Tue Aug 1 08:27:13 GMT 2006
hi,
i am just doing some tests with a freshly compiled samba 3.0.23a.
trying to authenticate against PAM with pam_winbind gives:
Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: pam_sm_authenticate (flags: 0x0000)
Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired (Password was last set: 1154074953, the policy says it should expire here 1154074952 (now it's: 1154419163)
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3
there's no password policy on the domain controller (samba 3.0.14a, debian):
root@PDC:~# pdbedit -d 0 -P "maximum password age"
account policy value for maximum password age is 4294967295
root@PDC:~# pdbedit -d 0 -P "password history"
account policy value for password history is 0
some samba-ldap attributes on PDC for user "gasch":
sambaLogonTime: 1130931254
sambaPwdMustChange: 2147483647
sambaPasswordHistory:
sambaAcctFlags: [UX ]
sambaKickoffTime: 1204325940
sambaPwdCanChange: 1154074953
sambaPwdLastSet: 1154074953
i can provide you with a level 10 debug log of winbindd offline (>700kb)
if requested.
btw: it worked fine with 3.0.20b RPM from SuSE.
any ideas?
thx in advance!
smb.conf
========
[global]
workgroup = DOMAIN
server string = Samba v3
# username map = /etc/samba/username.map
time server = yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
unix extensions = No
printcap name = cups
os level = 32
interfaces = lo eth0 vmnet1 vmnet8
bind interfaces only = yes
wins server = 192.168.x.y
preferred master = No
local master = No
domain master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap backend = idmap_rid:DOMAIN=10000-19999
idmap uid = 10000-19999
idmap gid = 10000-19999
winbind offline logon = yes
winbind separator = '\'
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind trusted domains only = no
winbind cache time = 60
security = domain
allow trusted domains = no
template shell = /bin/bash
template homedir = /home/%U
invalid users = root
pam (common-auth)
=================
auth required pam_env.so
# following also tried without arguments
auth sufficient pam_winbind.so debug try_first_pass cached_login
auth required pam_unix2.so use_first_pass
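
The expiry time in the log above (1154074952) is exactly one second before the last-set time (1154074953), which is what an unsigned 32-bit addition of the PDC's maximum password age (4294967295) yields. The C sketch below is an added example, not part of the original post and not pam_winbind's or Samba's code; that the expiry is computed this way is an assumption, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 4294967295: the "maximum password age" pdbedit reports on the PDC.
 * Treating it as a "never expires" sentinel is an assumption of this example. */
#define MAX_AGE_NEVER 0xFFFFFFFFu

/* Hypothetical naive computation: the sum stays in 32 bits and wraps mod 2^32. */
static uint32_t naive_expiry(uint32_t last_set, uint32_t max_age)
{
    return last_set + max_age;
}

static bool naive_is_expired(uint32_t last_set, uint32_t max_age, uint32_t now)
{
    return naive_expiry(last_set, max_age) < now;
}

/* Hardened check: honour the sentinel first, then add in 64 bits so a large
 * but legitimate max_age cannot wrap into the past. */
static bool checked_is_expired(uint32_t last_set, uint32_t max_age, uint32_t now)
{
    if (max_age == MAX_AGE_NEVER)
        return false;
    uint64_t expiry = (uint64_t)last_set + (uint64_t)max_age;
    return expiry < (uint64_t)now;
}

int main(void)
{
    /* Values taken from the log and the pdbedit output in the post. */
    uint32_t last_set = 1154074953u, now = 1154419163u;

    printf("naive expiry   : %u\n", (unsigned)naive_expiry(last_set, MAX_AGE_NEVER));
    printf("naive expired  : %d\n", naive_is_expired(last_set, MAX_AGE_NEVER, now));
    printf("checked expired: %d\n", checked_is_expired(last_set, MAX_AGE_NEVER, now));
    return 0;
}
```

With the values from the post, the naive sum reproduces the expiry timestamp shown in the log, while the checked version reports the password as still valid.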