[Samba] SAMBA 3.0.21b expired password issue for Solaris 9 - perhaps a bug in winbind or /etc/pam.conf misconfigure

Speidel, Bruce Bruce.Speidel at qwest.com
Wed Feb 1 22:25:27 GMT 2006


All,
 
The SAMBA version 3.0.21b expired password pam_winbind.so section
perhaps might still have an issue.  It seems to just be in some kind of
loop and never completes the section in pam_winbind.c of pam_sm_chauthtok.
 
See ssh (Solaris 4.2.p1 ssh) sequence below:
 
ssh hermione
 
Password: 
Changing password for leeraym
(current) NT password: 
Re-enter new Password: 
Password: 
Password: 
 

tail -f /var/log/authlog:
 
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb  1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
 
tail -10f /var/log/authlog.debug
 
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 572310 auth.info] Verify user `leeraym'
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb  1 14:53:29 hermione sshd[1153]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = leeraym ruser = not set rhost = tuvok
Feb  1 14:53:29 hermione sshd[1153]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb  1 14:53:32 hermione sshd[1153]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb  1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
 
/etc/pam.conf (snipped for sshd only):
 
# OpenSSH
sshd            auth            sufficient      pam_winbind.so          debug
sshd            auth            requisite       pam_authtok_get.so.1    debug   try_first_pass
sshd            auth            required        pam_dhkeys.so.1         debug   try_first_pass
sshd            auth            sufficient      pam_unix_auth.so.1      debug   try_first_pass
sshd            account         requisite       pam_roles.so.1          debug
sshd            account         required        pam_projects.so.1       debug
sshd            account         required        pam_unix_account.so.1   debug
sshd            account         required        pam_winbind.so          debug
sshd            password        sufficient      pam_winbind.so          debug   use_authtok
sshd            password        required        pam_dhkeys.so.1         debug
sshd            password        requisite       pam_authtok_get.so.1    debug
sshd            password        requisite       pam_authtok_check.so.1  debug
sshd            password        required        pam_authtok_store.so.1  debug
sshd            session         sufficient      pam_winbind.so          debug
sshd            session         required        pam_unix.so.1           debug
 

Recommendations?  File a mozilla bug?  Does the sshd section of pam.conf
look accurate for Solaris 9?
 
Thanks,
Bruce
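
A triage sketch for the authlog excerpt in the message above, added here as an example and not part of the original post or of Samba: it rejoins mail-wrapped syslog entries, groups pam_winbind "request failed" entries by PID, and reports PIDs where NT_STATUS_PASSWORD_MUST_CHANGE is later followed by NT_STATUS_WRONG_PASSWORD. The function names are this example's own, and the embedded sample is copied from the post's log lines.

```python
import re
from collections import defaultdict

# Entries copied from the /var/log/authlog excerpt in the post, wrapped the way the mail wrapped them.
SAMPLE = """\
Feb  1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error]
request failed: Must change password, PAM error was 10, NT error was
NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error]
request failed: Must change password, PAM error was 10, NT error was
NT_STATUS_PASSWORD_MUST_CHANGE
Feb  1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error]
request failed: Wrong Password, PAM error was 9, NT error was
NT_STATUS_WRONG_PASSWORD
Feb  1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM:
Authentication token manipulation error for leeraym from tuvok
"""

# A new syslog entry starts with "Mon dd hh:mm:ss "; any other line continues the previous entry.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Solaris entry with message ID: "<date> <time> <host> <proc>[<pid>]: [ID <n> <facility.level>] <msg>"
ENTRY = re.compile(r"^\S+ +\d+ (?P<time>[\d:]+) \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
                   r"\[ID \d+ [\w.]+\] (?P<msg>.*)$")
WINBIND = re.compile(r"PAM error was (\d+), NT error was (NT_STATUS_\w+)")

def unwrap(text):
    """Rejoin wrapped entries so each list item is one complete syslog entry."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def winbind_failures(text):
    """Map pid -> ordered [(time, pam_error, nt_status)] for pam_winbind failure entries."""
    by_pid = defaultdict(list)
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        f = WINBIND.search(m["msg"])
        if m["proc"] == "pam_winbind" and f:
            by_pid[m["pid"]].append((m["time"], int(f[1]), f[2]))
    return dict(by_pid)

def failed_expiry_changes(text):
    """PIDs where a must-change status is later followed by a wrong-password status."""
    must, wrong = "NT_STATUS_PASSWORD_MUST_CHANGE", "NT_STATUS_WRONG_PASSWORD"
    return [pid for pid, ev in winbind_failures(text).items()
            if any(a[2] == must and b[2] == wrong for i, a in enumerate(ev) for b in ev[i + 1:])]
```

Grouping by PID keeps the pam_winbind entries of one sshd child together; the final sshd error in the excerpt is logged under a different PID (1151) and is deliberately not merged into that group.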
 

