[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired

Michael Gasch gasch at eva.mpg.de
Wed Aug 2 14:28:47 GMT 2006


Just tested it again on a fresh SuSE 10.1 and my own build of Samba 3.0.23a.
Everything works fine except for the "password expired" message, but I
can live with that for now.

thx!

Peter Trifonov wrote:
> Hi Michael,
> 
> 
>> thx for your response. so what's the difference in our 
>> setups? could you please post your samba DC version, pam 
>> settings and smb.conf of the member?
> 
>>>>>> 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
>>>>>> Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on dev/pts/3
>>>>> It seems to me that I have a similar problem. However, su succeeds
>>>>> and just writes to the console "Your password has expired"
>>>> what about logins? can you login successfully?
>>> Yes, all pam-based services (pop3, su, etc) permit login.
>>> Some of them (like su) inform the user that he needs to change the
>>> password.
> 
> The network has two domain controllers - Win2000 and Win2003 servers.
> Samba 3.0.23a is installed on FreeBSD 6.1 box. 
> 
> 
> Please see below my smb.conf 
> 
> 
> [global]
>         dos charset = CP866
>         workgroup = RESEARCH
>         realm = RESEARCH.DCN
>         netbios name = MASTER
>         server string = Public file server
>         security = ADS
>         password server = 
>         username map = /usr/local/etc/smbusers
>         unix extensions = No
>         wins server = 10.0.103.5
>         ldap ssl = no
>         idmap uid = 20000-30000
>         idmap gid = 20000-30000
>         template shell = /usr/local/bin/bash
>         winbind separator = /
>         winbind use default domain = Yes
> 
> [shared directory configuration goes below]
> 
> 
> 
> It seems that the "password expired" message originates from the following
> piece of code in pam_winbind.c
> 
> 	case 0:
> 		pam_get_data( pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, (void **)&tmp);
> 		if (tmp != NULL) {
> 			retval = atoi(tmp);
> 			switch (retval) {
> 			case PAM_AUTHTOK_EXPIRED:
> 				/* fall through, since new token is required in this case */
> 			case PAM_NEW_AUTHTOK_REQD:
> 				_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
> 					 PAM_WINBIND_NEW_AUTHTOK_REQD);
> 				_pam_log(LOG_NOTICE, "user '%s' needs new password", username);
> 				/* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
> 				return PAM_NEW_AUTHTOK_REQD;
> 			default:
> 				_pam_log(LOG_WARNING, "pam_sm_acct_mgmt success");
> 				_pam_log(LOG_NOTICE, "user '%s' granted access", username);
> 				return PAM_SUCCESS;
> 			}
> 		}
> 
> 
> 
> With best regards,
> P. Trifonov  
> 
> 
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399


