[Samba] SAMBA 3.0.21b expired password issue for Solaris 9 -
perhaps a bug in winbind or /etc/pam.conf misconfigure
Speidel, Bruce
Bruce.Speidel at qwest.com
Wed Feb 1 22:25:27 GMT 2006
All,

The SAMBA version 3.0.21b expired password pam_winbind.so section perhaps might still have an issue. It seems to just be in some kind of loop and never completes the section in pam_winbind.c of pam_sm_chauthtok.

See ssh (Solaris 4.2.p1 ssh) sequence below:
ssh hermione
Password:
Changing password for leeraym
(current) NT password:
Re-enter new Password:
Password:
Password:
tail -f /var/log/authlog:
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
tail -10f /var/log/authlog.debug
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 572310 auth.info] Verify user `leeraym'
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:29 hermione sshd[1153]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = leeraym ruser = not set rhost = tuvok
Feb 1 14:53:29 hermione sshd[1153]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb 1 14:53:32 hermione sshd[1153]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
/etc/pam.conf (snipped for sshd only):
# OpenSSH
sshd    auth      sufficient  pam_winbind.so          debug
sshd    auth      requisite   pam_authtok_get.so.1    debug try_first_pass
sshd    auth      required    pam_dhkeys.so.1         debug try_first_pass
sshd    auth      sufficient  pam_unix_auth.so.1      debug try_first_pass
sshd    account   requisite   pam_roles.so.1          debug
sshd    account   required    pam_projects.so.1       debug
sshd    account   required    pam_unix_account.so.1   debug
sshd    account   required    pam_winbind.so          debug
sshd    password  sufficient  pam_winbind.so          debug use_authtok
sshd    password  required    pam_dhkeys.so.1         debug
sshd    password  requisite   pam_authtok_get.so.1    debug
sshd    password  requisite   pam_authtok_check.so.1  debug
sshd    password  required    pam_authtok_store.so.1  debug
sshd    session   sufficient  pam_winbind.so          debug
sshd    session   required    pam_unix.so.1           debug
Recommendations? File a mozilla bug? Does the sshd section of pam.conf
look accurate for Solaris 9?
Thanks,
Bruce
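
Added example (not part of the original post and not Samba code): a small Python correlator for the authlog format shown above. It ties each sshd "Authentication token manipulation error" to the NT statuses that pam_winbind logged for the same user and flags the expired-then-rejected sequence seen in this report. The function name and output fields are illustrative assumptions.

```python
import re
from collections import defaultdict

# Records copied from the authlog excerpt in the post, with the mail-wrapped
# lines rejoined so that each syslog record sits on one line.
SAMPLE = """\
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
"""

RECORD = re.compile(r"^\w{3}\s+\d+ ([\d:]+) (\S+) (\w+)\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
FAILED = re.compile(r"request failed: .*, PAM error was \d+, NT error was (NT_STATUS_\w+)")
USER = re.compile(r"user [`']([^']+)'")
TOKERR = re.compile(r"Authentication token manipulation error for (\S+) from (\S+)")
EXPIRED, WRONG = "NT_STATUS_PASSWORD_MUST_CHANGE", "NT_STATUS_WRONG_PASSWORD"

def failed_password_changes(text):
    """Return one finding per sshd token-manipulation error in the log text."""
    trail = defaultdict(list)  # (host, pid) -> NT statuses in logged order
    owner = {}                 # (host, pid) -> user named by pam_winbind
    findings = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # blank or still-wrapped record: skip rather than guess
        ts, host, prog, pid, msg = m.groups()
        key = (host, pid)
        if prog == "pam_winbind":
            if (f := FAILED.search(msg)):
                trail[key].append(f.group(1))
            elif (u := USER.search(msg)):
                owner[key] = u.group(1)
        elif prog == "sshd" and (t := TOKERR.search(msg)):
            user, rhost = t.groups()
            # "request failed" lines carry no username, so join through the PID.
            keys = [k for k, who in owner.items() if who == user and k[0] == host]
            statuses = [s for k in keys for s in trail.pop(k, [])]
            loop = EXPIRED in statuses and WRONG in statuses[statuses.index(EXPIRED):]
            findings.append({"time": ts, "host": host, "user": user, "rhost": rhost,
                             "nt_statuses": statuses, "expired_then_rejected": loop})
    return findings

if __name__ == "__main__":
    print(failed_password_changes(SAMPLE))
```

The join is by host and pam_winbind PID because the final sshd error is logged by the parent process (1151 in the excerpt) while the pam_winbind records come from the child (1153).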