[Samba] More pam_winbind trouble

Diego Rivera diego at rivera.net
Sun Jun 4 08:38:23 GMT 2006

I've found the problem.  As it turns out, it was me suffering from 
acute cranial rectalitis.

Note to interested parties regarding try_first_pass and use_first_pass: 
I had, for some reason that now escapes my comprehension, assumed they 
had behavior different than what they truly have.  I had assumed that 
"try_first_pass" implied attempting to authenticate with stored 
credentials, but asking for new ones if old ones weren't found (correct 
behavior) or if authentication failed (incorrect behavior).  
try_first_pass simply means "obtain credentials if there are none 
stored", whereas use_first_pass means "use whatever is stored ONLY".  
Thus, if the stored credentials are wrong, neither of these flags will 
cause pam_winbind to ask the user for new credentials if the stored 
credentials fail authentication.  This is the correct behavior because 
if the stored credentials are wrong, and we get new credentials, and 
those are wrong as well, we run into a scenario where we have two bad 
credentials that need to be passed to other modules in the chain, and no 
objective criterion to select one above the other (we can only pass 
along one set of credentials).

Sorry for the trouble.  My setup is now complete (I think :) ).  I'll be 
posting a nice little howto which includes how to set up kerberos 
(GSSAPI) enabled SSH access, AD-centric authentication (with password 
change using the unix passwd command), and automatic password changing 
on expiry (through pam), within the next couple of days.

I also came up with a backported patch from Samba 3.0.22 to Samba 3.0.20 
allowing for the automatic password change on expiry.  I'll post that as 
well for interested parties.



Diego Rivera wrote:

> Hello all.  Sorry for the re-post, I MUST remember to turn off HTML 
> text and GPG signing...
> First off, I'm using Samba 3.0.22 and can't risk to use Samba 
> 3.0.23rc1 because I have no "valid" test environment for it.
> My problem is this:  I'm using pam_winbind to authenticate users 
> against ActiveDirectory, and whenever they enter a bad password, 
> pam_winbind will fail 3 times in a row, but the user is only asked to 
> enter the password once (the first time).  This, of course, is 
> resulting in a lot of needlessly locked accounts.  I tried 
> substituting with pam_krb5, and it worked fine, which means it's a 
> logic problem with winbind.  However, there's other reasons I can't 
> use pam_krb5.
> I'm trying to figure out where the logic fault is within pam_winbind, 
> but it would help if whoever wrote it could shine a light my way.  I'm 
> in the process of comparing the pam_winbind code from 3.0.22 with 
> 3.0.23rc1 to see if I catch anything obvious.  The toughest part is 
> "filtering out" all the new stuff.
> If I come up with a patch to fix this, I'll submit it for review.  
> This is the last remaining step in getting my environment up and 
> working.  Once it's verified to be OK, I'll be posting a small howto 
> for what I've done, as I'm sure others may be interested in doing 
> similar things.
> Thanks
> Diego
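
The try_first_pass / use_first_pass behaviour described in the message above, as an added example that is not part of the original post and is not pam_winbind source code: a small C model of which password a module ends up using and how many authentication attempts reach the directory. All names and the sample passwords are hypothetical and constructed for illustration.

```c
/* Model of the password-acquisition behaviour described in the post.
 * Not pam_winbind source; every identifier here is hypothetical. */
#include <stdio.h>
#include <string.h>

enum first_pass { TRY_FIRST_PASS, USE_FIRST_PASS };

struct outcome {
    int prompts;          /* times the user was asked for a password */
    int backend_attempts; /* authentication attempts sent to the directory */
    int success;          /* 1 if authentication succeeded */
};

/* Constructed stand-in for the directory: exactly one valid password. */
static int backend_check(const char *pw)
{
    return strcmp(pw, "correct-horse") == 0;
}

/* stored: token left by an earlier module in the stack, or NULL.
 * typed:  what the user would type if a prompt were shown. */
struct outcome authenticate(enum first_pass flag, const char *stored,
                            const char *typed)
{
    struct outcome o = {0, 0, 0};
    const char *pw;

    if (stored != NULL) {
        pw = stored;              /* both flags reuse a stored token */
    } else if (flag == USE_FIRST_PASS) {
        return o;                 /* nothing stored: fail without prompting */
    } else {
        o.prompts++;              /* try_first_pass, nothing stored: ask once */
        pw = typed;
    }

    o.backend_attempts++;
    o.success = backend_check(pw);
    /* No re-prompt on failure: only one set of credentials can be
     * passed along to the other modules in the chain. */
    return o;
}

int main(void)
{
    struct outcome o = authenticate(TRY_FIRST_PASS, "stale-pw", "correct-horse");
    printf("prompts=%d attempts=%d success=%d\n",
           o.prompts, o.backend_attempts, o.success);
    return 0;
}
```

Each failed call still counts as one bad-password attempt against the directory's lockout policy, even though the user never sees a prompt.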
