[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired

Peter Trifonov petert at dcn.infos.ru
Wed Aug 2 08:42:46 GMT 2006

Hi Michael,

> thx for your response. so what's the difference in our 
> setups? could you please post your samba DC version, pam 
> settings and smb.conf of the member?

> >>>>09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
> >>>>Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on dev/pts/3
> >>>It seems to me that I have similar problem. However, su
> >>succeeds and just writes to the console "Your password has expired"
> >>what about logins? can you login successfully?
> > Yes, all pam-based services (pop3, su, etc) permit login.
> > Some of them (like su) inform the user that he needs to change the

The network has two domain controllers - Win2000 and Win2003 servers.
Samba 3.0.23a is installed on a FreeBSD 6.1 box.

Please see my smb.conf below:

        dos charset = CP866
        workgroup = RESEARCH
        realm = RESEARCH.DCN
        netbios name = MASTER
        server string = Public file server
        security = ADS
        password server = 
        username map = /usr/local/etc/smbusers
        unix extensions = No
        wins server =
        ldap ssl = no
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        template shell = /usr/local/bin/bash
        winbind separator = /
        winbind use default domain = Yes

[shared directory configuration goes below]

It seems that the "password expired" message originates from the following
piece of code in pam_winbind.c:

	case 0:
		pam_get_data( pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, (void
		if (tmp != NULL) {
			retval = atoi(tmp);
			switch (retval) {
				/* fall through, since new token is required in this case */
				_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set", 
				_pam_log(LOG_NOTICE, "user '%s' needs new password", username);
				/* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
				_pam_log(LOG_WARNING, "pam_sm_acct_mgmt
				_pam_log(LOG_NOTICE, "user '%s' granted access", username);
				return PAM_SUCCESS;

With best regards,
P. Trifonov  
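
The two behaviours compared in this thread (su failing after pam_winbind logs "needs new password" on one host, su succeeding with only a console notice on another) can be told apart from syslog. The following is an added example, not part of the original message and not Samba code: it correlates the pam_winbind notice with a later `FAILED SU` line for the same user. The log lines are constructed in the format quoted above; the function name, the 30-second window and the year (syslog omits it) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = """\
Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on dev/pts/3
Aug  1 10:02:10 humevo36 pam_winbind[27901]: user 'alice' granted access
Aug  1 10:05:41 humevo36 pam_winbind[27950]: user 'bob' needs new password
Aug  1 10:20:00 humevo36 su: FAILED SU (to bob) root on dev/pts/1
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s+(.*)$")
NEEDS_NEW = re.compile(r"user '([^']+)' needs new password")
FAILED_SU = re.compile(r"FAILED SU \(to ([^)]+)\)")


def classify_expired_logins(log_text, window_s=30, year=2006):
    """Map each user flagged 'needs new password' to 'denied' if su then
    failed for that user within window_s seconds, else 'no failure logged'."""
    pending = {}  # user -> time pam_winbind reported the expired password
    outcome = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a syslog line we understand
        ts, _host, prog, msg = m.groups()
        # Collapse the padded day field ("Aug  1") before parsing.
        when = datetime.strptime(f"{year} {' '.join(ts.split())}",
                                 "%Y %b %d %H:%M:%S")
        if prog == "pam_winbind" and (hit := NEEDS_NEW.search(msg)):
            pending[hit.group(1)] = when
            outcome.setdefault(hit.group(1), "no failure logged")
        elif prog == "su" and (hit := FAILED_SU.search(msg)):
            seen = pending.get(hit.group(1))
            if seen is not None and \
               timedelta(0) <= when - seen <= timedelta(seconds=window_s):
                outcome[hit.group(1)] = "denied"
    return outcome


if __name__ == "__main__":
    for user, result in classify_expired_logins(SAMPLE_LOG).items():
        print(f"{user}: {result}")
```
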
