[Samba] winbind forced password change requires interactive shell

Peter Åstrand astrand at cendio.se
Sun Jan 20 15:31:16 GMT 2008


We've discovered that although Winbind supports password changes when the 
account password is expired, this only works with *interactive* shells. 
This is a major problem for us. Use case 1: SSH tunnels:

$ ssh user2 at localhost -N -L 4711:localhost:22
user2 at localhost's password:
<trying to use the tunnel>
channel 2: open failed: administratively prohibited: open failed

As you can see, in this case, the user gets no hint whatsoever that the 
password has expired. Use case 2: Executing a command:

$ ssh user2 at localhost /usr/bin/env
user2 at localhost's password:
WARNING: Your password has expired.
Password change required but no TTY available.

Here you will at least know what's going on, but you have no chance of 
changing the password. 

Is this really the intended behaviour? To me, it looks like the password 
changing is done too late; when starting an interactive session, rather 
than in the authentication phase. Why? With the SSH keyboard-interactive 
authentication, a password change interaction with the user should be 
possible. 

I've tried with samba-3.0.25b-1.el5_1.4 on RHEL5, but also 
samba-3.0.23c-2. Of course, this might be something specific to Red Hat, 
but I'm fairly sure we have seen this on SLED10 as well. 

I've also tried running pam_winbind with debugging. When logging in 
non-interactively, I'll get:

sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain  user=user2
sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001)
sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011)
sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2'
sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required
sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0
sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
sshd[12345]: pam_winbind(sshd:account): user 'user2' OK
sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password
sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12
sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008)
sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented
sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0

When interactive, I'll get:

sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain  user=user2
sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001)
sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011)
sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2'
sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required
sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0
sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
sshd[12345]: pam_winbind(sshd:account): user 'user2' OK
sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password
sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12
sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008)
sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented
sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x4000)
passwd: pam_winbind(passwd:chauthtok): username [user2] obtained
passwd: pam_winbind(passwd:chauthtok): user 'user2' OK
passwd: pam_winbind(passwd:chauthtok): getting password (0x00000021)
passwd: pam_winbind(passwd:chauthtok): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
passwd: pam_winbind(passwd:chauthtok): user 'user2' new password required
passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] LEAVE: pam_sm_chauthtok returning 0
passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x2000)
passwd: pam_winbind(passwd:chauthtok): username [user2] obtained
passwd: pam_winbind(passwd:chauthtok): user 'user2' OK
passwd: pam_winbind(passwd:chauthtok): getting password (0x00000001)
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0004)
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_close_session (flags: 0x0004)
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_close_session returning 0
sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
sshd[12345]: pam_unix(sshd:session): session closed for user user2


(pids and addresses normalized). A "diff" indicates that the only
difference is that the interactive session does
"pam_winbind(passwd:chauthtok)"; this never happens when running a
command or just using tunnels. Any ideas?


Best regards, 
---
Peter Åstrand		ThinLinc Chief Developer
Cendio AB		http://www.cendio.se
Wallenbergs gata 4
583 30 Linköping	Phone: +46-13-21 46 00
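Added detection example (not part of the post, and not Samba or Linux-PAM code): the two traces above differ only in whether a `passwd:chauthtok` pass follows the `sshd:account` phase that returned 12 (PAM_NEW_AUTHTOK_REQD). A defender can turn that diff into a check over the syslog stream: flag every sshd session opened for a user whose account phase demanded a new password, and note whether a chauthtok update pass (PAM_UPDATE_AUTHTOK, flags 0x2000; 0x4000 is only the preliminary check) for that user appeared before the session closed. The sample lines are the post's own normalized traces, trimmed to the lines the check inspects; the function name and record layout are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the post's two pam_winbind traces, trimmed to the lines the
# detection inspects (pids and handles are the post's normalized placeholders).
NONINTERACTIVE_TRACE = [
    "sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password",
    "sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12",
    "sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2",
    "sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)",
]

INTERACTIVE_TRACE = NONINTERACTIVE_TRACE + [
    "passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x4000)",
    "passwd: pam_winbind(passwd:chauthtok): username [user2] obtained",
    "passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x2000)",
    "passwd: pam_winbind(passwd:chauthtok): username [user2] obtained",
    "sshd[12345]: pam_unix(sshd:session): session closed for user user2",
]

NEEDS_NEW = re.compile(r"^sshd\[(\d+)\]: pam_winbind\(sshd:account\): user '([^']+)' needs new password$")
ACCT_RETURN = re.compile(r"^sshd\[(\d+)\]: pam_winbind\(sshd:account\): .*LEAVE: pam_sm_acct_mgmt returning (\d+)$")
SESSION_OPENED = re.compile(r"^sshd\[(\d+)\]: pam_unix\(sshd:session\): session opened for user (\S+) by")
SESSION_CLOSED = re.compile(r"^sshd\[(\d+)\]: pam_unix\(sshd:session\): session closed for user (\S+)$")
CHAUTHTOK_ENTER = re.compile(r"^passwd: pam_winbind\(passwd:chauthtok\): .*ENTER: pam_sm_chauthtok \(flags: (0x[0-9a-fA-F]+)\)$")
CHAUTHTOK_USER = re.compile(r"^passwd: pam_winbind\(passwd:chauthtok\): username \[([^\]]+)\] obtained$")

PAM_NEW_AUTHTOK_REQD = 12    # Linux-PAM return code seen as "returning 12" in the traces
PAM_UPDATE_AUTHTOK = 0x2000  # chauthtok flag for the real update pass (0x4000 is the prelim check)


def find_expired_password_sessions(lines: List[str]) -> List[Dict[str, object]]:
    """One record per sshd session opened for a user whose account phase returned
    PAM_NEW_AUTHTOK_REQD. password_changed tells whether a chauthtok update pass for
    that user followed; closed tells whether the session ended within the log."""
    pending: Dict[str, str] = {}       # sshd pid -> user named in "needs new password"
    must_change: Dict[str, str] = {}   # sshd pid -> user, once acct_mgmt really returned 12
    open_sessions: Dict[str, Dict[str, object]] = {}
    last_chauthtok_flags: Optional[int] = None
    findings: List[Dict[str, object]] = []

    for line in lines:
        line = line.rstrip("\n")
        m = NEEDS_NEW.match(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = ACCT_RETURN.match(line)
        if m:
            pid, code = m.group(1), int(m.group(2))
            user = pending.pop(pid, None)
            if user is not None and code == PAM_NEW_AUTHTOK_REQD:
                must_change[pid] = user
            continue
        m = SESSION_OPENED.match(line)
        if m:
            pid, user = m.groups()
            if must_change.get(pid) == user:
                # sshd let the session through although the account phase demanded a new password
                open_sessions[pid] = {"pid": pid, "user": user, "password_changed": False, "closed": False}
            continue
        m = CHAUTHTOK_ENTER.match(line)
        if m:
            last_chauthtok_flags = int(m.group(1), 16)
            continue
        m = CHAUTHTOK_USER.match(line)
        if m:
            # passwd logs no pid, so the update pass is matched to the session by user name
            if last_chauthtok_flags is not None and last_chauthtok_flags & PAM_UPDATE_AUTHTOK:
                for rec in open_sessions.values():
                    if rec["user"] == m.group(1):
                        rec["password_changed"] = True
            continue
        m = SESSION_CLOSED.match(line)
        if m:
            rec = open_sessions.pop(m.group(1), None)
            if rec is not None:
                rec["closed"] = True
                findings.append(rec)

    # Sessions still open when the log ends (the tunnel case) are reported as well.
    findings.extend(open_sessions.values())
    return findings


if __name__ == "__main__":
    for name, trace in (("non-interactive", NONINTERACTIVE_TRACE), ("interactive", INTERACTIVE_TRACE)):
        for rec in find_expired_password_sessions(trace):
            print(name, rec)
```

Run against a real syslog, the records with `password_changed` False are exactly the sessions the post describes: an expired-password user who got a tunnel or a single command through sshd and never reached the chauthtok pass. Matching the chauthtok lines by user name rather than pid is a limitation of the traces themselves, since `passwd` logs no pid.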

