[Samba] RE: Samba 3.0.20, pam_winbind broken?

diego at rivera.net diego at rivera.net
Fri May 26 18:22:47 GMT 2006


Hello all! I apologize for my previous post; it seems this list doesn't like GPG/GPG-MIME signatures.

I'm trying to configure my Linux servers to have automatic password changes happen when the passwords expire, or the AD's "User must change password..." checkbox is marked.

I can do this fine with pam_krb5, but not with pam_winbind. I need to use pam_winbind instead of pam_krb5 because there's a requirement to use Kerberos tickets to log on to the servers via SSH, and using pam_krb5 in combination with OpenSSH's GSSAPI authentication (required to allow Kerberos tickets over SSH from Windows) doesn't seem to work (I sort of understand why...). So, I'm forced to use pam_winbind.

So the question is: why isn't pam_winbind forcing a password change on first login or password expiry?

I noticed through some experimentation that setting a new password on expiry is triggered in the account phase of PAM authorization (probably through returning PAM_NEW_AUTHTOK_REQD). I experimented with pam_krb5 - the only time it wouldn't work as expected was when it wasn't used as part of the account checking phase.

I even tried using nothing but pam_winbind to authorize users (temporarily locking out local Unix users), and it still wouldn't work.

Can anyone provide any insight?

Thanks

Diego 
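
The post ties the forced password change to the account phase, so one thing worth checking on any host is whether a module is actually listed in the `account` and `password` stacks of a service file. The following is an added example, not part of the original post or of Samba: the function names and the sample `pam.d` content are constructed for illustration, and `@include` lines are skipped rather than followed.

```python
import re

PAM_TYPES = ("auth", "account", "password", "session")

# Constructed sample of a /etc/pam.d service file (not from the original post):
# pam_winbind is in the auth stack but missing from the account stack.
SAMPLE_SSHD = """\
# constructed example
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so use_first_pass
account   required    pam_unix.so
password  sufficient  pam_winbind.so
password  [success=1 default=ignore] \\
          pam_unix.so use_authtok
-session  optional    pam_mkhomedir.so
"""

def parse_pam(text):
    """Return {type: [module, ...]} for one pam.d service file."""
    stacks = {t: [] for t in PAM_TYPES}
    joined = re.sub(r"\\\n", " ", text)        # backslash-newline continues a line
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("@include"):
            continue                            # includes are not followed here
        # type (optional leading '-'), control (word or [bracketed]), module
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) in PAM_TYPES:
            stacks[m.group(1)].append(m.group(3).rsplit("/", 1)[-1])
    return stacks

def expiry_gaps(text, module):
    """List the stacks whose absence stops `module` driving an expiry change."""
    stacks = parse_pam(text)
    gaps = []
    if module in stacks["auth"] and module not in stacks["account"]:
        gaps.append("account")    # pam_acct_mgmt() never reaches the module
    if module not in stacks["password"]:
        gaps.append("password")   # pam_chauthtok() cannot update via the module
    return gaps

if __name__ == "__main__":
    print(expiry_gaps(SAMPLE_SSHD, "pam_winbind.so"))
```

An empty result only means the module is wired into both stacks; it does not show that the module itself returns PAM_NEW_AUTHTOK_REQD.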

