[Samba] PAM_WINBIND problem with sambaPwdMustChange
Eduardo Sachs
edu.sachs at gmail.com
Fri Mar 13 01:21:07 GMT 2009
Hi People!
I use pam_winbind for authentication on my workstation, which runs
Debian Lenny 5.0, stable version.
I configured my user with the option "sambaPwdMustChange: 0", and I
can log on in GDM without being asked to change the password. Does
anyone know what this could be?
I use a Samba PDC with Heimdal Kerberos, but I configured PAM with only
pam_winbind for tests...
Client versions:
ii libwbclient0 2:3.2.5-4 client library for interfacing with winbind service
ii samba 2:3.2.5-4 a LanManager-like file and printer server for Unix
ii samba-common 2:3.2.5-4 Samba common files used by both the server and the client
ii winbind 2:3.2.5-4 service to resolve user and group information from Windows NT
Server versions:
ii samba 2:3.2.5-4 a LanManager-like file and printer server for Unix
My configuration of PAM is simple:
auth sufficient pam_winbind.so debug
auth required pam_unix.so nullok_secure use_first_pass
account sufficient pam_unix.so
account sufficient pam_winbind.so
account required pam_deny.so
password sufficient pam_unix.so nullok obscure md5
password required pam_winbind.so
session optional pam_unix.so
session optional pam_winbind.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=077
Debug PAM:
pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate (flags: 0x0000)
pam_winbind(gdm:auth): getting password (0x00000181)
pam_winbind(gdm:auth): Verify user 'sachs'
pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE'
pam_winbind(gdm:auth): enabling krb5 login flag
pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
pam_winbind(gdm:auth): user 'sachs' granted access
pam_winbind(gdm:auth): Returned user was 'sachs'
pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0
pam_winbind(gdm:account): user 'sachs' OK
pam_winbind(gdm:account): user 'sachs' granted access
pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred (flags: 0x0002)
pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0
Some configurations:
1 - Nsswitch is configured with LDAP; it works fine.
2 - smb.conf
[global]
workgroup = _LOCAL_
netbios name = debian-x11
realm = LOCAL.INT.BR
security = domain
wins server = 10.111.222.100
use kerberos keytab = yes
client use spnego = yes
client NTLMv2 auth = yes
bind interfaces only = yes
interfaces = eth0 10.111.222.103, lo 127.0.0.1
hosts allow = 10.111.222.0/24, 127.0.0.1
debug level = 2
log file = /var/log/samba/%m.log
max log size = 50
log level = 1
syslog = 0
utmp = Yes
idmap uid = 10000-15000
idmap gid = 10000-15000
template shell = /bin/bash
template homedir = /home/users/%U
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
encrypt passwords = yes
invalid users = root
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
dns proxy = no
preserve case = yes
short preserve case = no
default case = lower
case sensitive = no
dos charset = cp850
unix charset = iso8859-1
display charset = LOCALE
restrict anonymous = 0
Thanks!