[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired
Blindauer Emmanuel
samba at agat.net
Tue Aug 8 15:20:25 GMT 2006
I'm getting the same issue, except I can't log in because login only authorises
getting a shell after the pass change.
Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD is sent?
(I have had this problem since upgrading from 200 to 2003 (mixed mode) and
samba-3.0.23a, using security=ads and winbind.)
Emmanuel
On Tuesday 1 August 2006 10:27, Michael Gasch wrote:
> hi,
>
> i just did some tests with a freshly compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
>
> Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind:
> pam_sm_authenticate (flags: 0x0000)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired
> (Password was last set: 1154074953, the policy says it should expire
> here 1154074952 (now
> it's: 1154419163)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success
> but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
> Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3
>
> there's no password policy on the domain controller (samba 3.0.14a,
> debian):
>
> root@PDC:~# pdbedit -d 0 -P "maximum password age"
> account policy value for maximum password age is 4294967295
> root@PDC:~# pdbedit -d 0 -P "password history"
> account policy value for password history is 0
>
> some samba-ldap attributes on PDC for user "gasch":
>
> sambaLogonTime: 1130931254
> sambaPwdMustChange: 2147483647
> sambaPasswordHistory:
> sambaAcctFlags: [UX ]
> sambaKickoffTime: 1204325940
> sambaPwdCanChange: 1154074953
> sambaPwdLastSet: 1154074953
>
> i can provide you with a level 10 debug log of winbindd offline (>700kb)
> if requested.
>
> btw: it worked fine with 3.0.20b RPM from SuSE.
> any ideas?
>
> thx in advance!
>
>
> smb.conf
> ========
> [global]
> workgroup = DOMAIN
> server string = Samba v3
> # username map = /etc/samba/username.map
> time server = yes
> log level = 2
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 10000
> unix extensions = No
> printcap name = cups
> os level = 32
>
> interfaces = lo eth0 vmnet1 vmnet8
> bind interfaces only = yes
> wins server = 192.168.x.y
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> idmap backend = idmap_rid:DOMAIN=10000-19999
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> winbind offline logon = yes
> winbind separator = '\'
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind trusted domains only = no
> winbind cache time = 60
> security = domain
> allow trusted domains = no
> template shell = /bin/bash
> template homedir = /home/%U
> invalid users = root
>
>
> pam (common-auth)
> =================
> auth required pam_env.so
> # following also tried without arguments
> auth sufficient pam_winbind.so debug try_first_pass cached_login
> auth required pam_unix2.so use_first_pass
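
The numbers in the quoted log fit a 32-bit wraparound: the reported expiry (1154074952) equals sambaPwdLastSet (1154074953) plus the "maximum password age" value 4294967295, reduced modulo 2^32. The sketch below is an added example, not part of the original thread and not Samba's code; that the expiry was computed this way is an assumption, and all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* "maximum password age" as reported by pdbedit in the quoted post. */
#define MAX_AGE_UNLIMITED 0xFFFFFFFFu /* 4294967295 */

/* Assumed faulty form: last_set + max_age in 32-bit unsigned arithmetic.
 * With max_age = 0xFFFFFFFF the sum wraps to last_set - 1. */
uint32_t naive_expiry(uint32_t last_set, uint32_t max_age)
{
    return last_set + max_age; /* wraps modulo 2^32 */
}

int naive_expired(uint32_t last_set, uint32_t max_age, uint32_t now)
{
    return now > naive_expiry(last_set, max_age);
}

/* Checked form: the sentinel means "never expires"; any other age is
 * added in 64 bits so the sum cannot wrap. */
int checked_expired(uint32_t last_set, uint32_t max_age, uint32_t now)
{
    if (max_age == MAX_AGE_UNLIMITED)
        return 0;
    uint64_t expiry = (uint64_t)last_set + (uint64_t)max_age;
    return (uint64_t)now > expiry;
}

int main(void)
{
    /* Values taken from the quoted log and LDAP attributes. */
    uint32_t last_set = 1154074953u; /* sambaPwdLastSet */
    uint32_t now      = 1154419163u; /* "now it's" in the log */

    printf("naive expiry:    %" PRIu32 "\n",
           naive_expiry(last_set, MAX_AGE_UNLIMITED));
    printf("naive expired:   %d\n",
           naive_expired(last_set, MAX_AGE_UNLIMITED, now));
    printf("checked expired: %d\n",
           checked_expired(last_set, MAX_AGE_UNLIMITED, now));
    return 0;
}
```
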