[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired

Blindauer Emmanuel samba at agat.net
Tue Aug 8 15:20:25 GMT 2006


I'm getting the same issue, except I can't log in because login only authorises
getting a shell after the pass change.
Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD is sent?
(I have this problem since upgrading from 200 to 2003 (mixed mode) and 
samba-3.0.23a, using security=ads and winbind 

Emmanuel

On Tuesday 1 August 2006 10:27, Michael Gasch wrote:
> hi,
>
> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
>
> Aug  1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: pam_sm_authenticate (flags: 0x0000)
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: Password has expired (Password was last set: 1154074953, the policy says it should expire here 1154074952 (now it's: 1154419163)
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
> Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3
>
> there's no password policy on the domain controller (samba 3.0.14a,
> debian):
>
> root at PDC:~# pdbedit -d 0 -P "maximum password age"
> account policy value for maximum password age is 4294967295
> root at PDC:~# pdbedit -d 0 -P "password history"
> account policy value for password history is 0
>
> some samba-ldap attributes on PDC for user "gasch":
>
> sambaLogonTime: 1130931254
> sambaPwdMustChange: 2147483647
> sambaPasswordHistory: sambaAcctFlags: [UX         ]
> sambaKickoffTime: 1204325940
> sambaPwdCanChange: 1154074953
> sambaPwdLastSet: 1154074953
>
> i can provide you with a level 10 debug log of winbindd offline (>700kb)
> if requested.
>
> btw: it worked fine with 3.0.20b RPM from SuSE.
> any ideas?
>
> thx in advance!
>
>
> smb.conf
> ========
> [global]
>          workgroup = DOMAIN
>          server string = Samba v3
> #       username map = /etc/samba/username.map
>          time server = yes
>          log level = 2
>          syslog = 0
>          log file = /var/log/samba/log.%m
>          max log size = 10000
>          unix extensions = No
>          printcap name = cups
>          os level = 32
>
>          interfaces = lo eth0 vmnet1 vmnet8
>          bind interfaces only = yes
>          wins server = 192.168.x.y
>          preferred master = No
>          local master = No
>          domain master = No
>          dns proxy = No
>          panic action = /usr/share/samba/panic-action %d
>          idmap backend = idmap_rid:DOMAIN=10000-19999
>          idmap uid = 10000-19999
>          idmap gid = 10000-19999
>          winbind offline logon = yes
>          winbind separator = '\'
>          winbind enum users = No
>          winbind enum groups = No
>          winbind use default domain = Yes
>          winbind trusted domains only = no
>          winbind cache time = 60
>          security = domain
>          allow trusted domains = no
>          template shell = /bin/bash
>          template homedir = /home/%U
>          invalid users = root
>
>
> pam (common-auth)
> =================
> auth    required        pam_env.so
> # following also tried without arguments
> auth    sufficient      pam_winbind.so debug try_first_pass cached_login
> auth    required        pam_unix2.so use_first_pass
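
The three timestamps in the quoted log can be checked against the "maximum password age" value that pdbedit reports. The C sketch below is an added example, not code from Samba or from either poster: it parses the logged entry and shows that adding 4294967295 to the last-set time in 32-bit arithmetic gives exactly the logged expiry time. Whether pam_winbind computes the expiry this way is an assumption the thread does not confirm; the function names and the guarded check are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "maximum password age" value reported by pdbedit in the thread */
#define NEVER_EXPIRES 0xFFFFFFFFu

/* Constructed sample: the wrapped "Password has expired" entry joined onto one line */
static const char SAMPLE_LINE[] =
    "Aug  1 09:59:23 humevo36 pam_winbind[27853]: Password has expired "
    "(Password was last set: 1154074953, the policy says it should expire "
    "here 1154074952 (now it's: 1154419163)";

struct expiry_log { uint32_t last_set, expires, now; };

/* Extract the three epoch timestamps from the log entry; returns 0 on success */
int parse_expiry_log(const char *line, struct expiry_log *out)
{
    unsigned long set, exp, now;
    const char *p = strstr(line, "Password was last set:");
    if (p == NULL || sscanf(p, "Password was last set: %lu, the policy says "
                               "it should expire here %lu (now it's: %lu",
                            &set, &exp, &now) != 3)
        return -1;
    *out = (struct expiry_log){ (uint32_t)set, (uint32_t)exp, (uint32_t)now };
    return 0;
}

/* Hypothetical naive computation: the 32-bit sum wraps around */
uint32_t naive_expiry(uint32_t last_set, uint32_t max_age)
{
    return (uint32_t)(last_set + max_age);
}

/* Hypothetical guarded check: sentinel means no expiry, sum done in 64 bits */
int is_expired(uint32_t last_set, uint32_t max_age, uint32_t now)
{
    if (max_age == NEVER_EXPIRES) return 0;
    return (uint64_t)last_set + max_age < (uint64_t)now;
}

int main(void)
{
    struct expiry_log e;
    if (parse_expiry_log(SAMPLE_LINE, &e) != 0) return 1;
    printf("logged=%u naive=%u guarded_expired=%d\n", (unsigned)e.expires,
           (unsigned)naive_expiry(e.last_set, NEVER_EXPIRES),
           is_expired(e.last_set, NEVER_EXPIRES, e.now));
    return 0;
}
```

The wrapped sum lands one second before the last-set time, so any later "now" compares as past expiry, which is the pattern the log shows.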

