[Samba] PAM_WINBIND problem with sambaPwdMustChange

Eduardo Sachs edu.sachs at gmail.com
Fri Mar 13 01:21:07 GMT 2009

Hi People!

	I use pam_winbind for authentication on my computer workstation running
Debian Lenny 5.0, Stable Version.

	I configured my user with the option "sambaPwdMustChange: 0", and I
can log on in GDM without being asked to change the password. Does anyone know what it can be?

	I use a Samba PDC with Heimdal Kerberos, but I configured PAM with only
pam_winbind for tests...

	Client versions:
	ii  libwbclient0   2:3.2.5-4   client library for interfacing with winbind service
	ii  samba          2:3.2.5-4   a LanManager-like file and printer server for Unix
	ii  samba-common   2:3.2.5-4   Samba common files used by both the server and the client
	ii  winbind        2:3.2.5-4   service to resolve user and group information from Windows NT

	Server versions:
	ii  samba          2:3.2.5-4   a LanManager-like file and printer server for Unix

	My configuration of PAM is simple:
	auth    	sufficient      pam_winbind.so debug
	auth    	required        pam_unix.so nullok_secure use_first_pass
	account 	sufficient      pam_unix.so
	account 	sufficient      pam_winbind.so
	account 	required        pam_deny.so
	password  	sufficient   	pam_unix.so nullok obscure md5
	password  	required     	pam_winbind.so
	session      	optional      	pam_unix.so
	session      	optional      	pam_winbind.so
	session      	optional      	pam_mkhomedir.so skel=/etc/skel/ umask=077

	Debug PAM:
	pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate (flags: 0x0000)
	pam_winbind(gdm:auth): getting password (0x00000181)
	pam_winbind(gdm:auth): Verify user 'sachs'
	pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE'
	pam_winbind(gdm:auth): enabling krb5 login flag
	pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
	pam_winbind(gdm:auth): user 'sachs' granted access
	pam_winbind(gdm:auth): Returned user was 'sachs'
	pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0
	pam_winbind(gdm:account): user 'sachs' OK
	pam_winbind(gdm:account): user 'sachs' granted access
	pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred (flags: 0x0002)
	pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
	pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0

	Some configurations:
	1 - Nsswitch is configured with LDAP; it works fine.
	2 - smb.conf

		workgroup = _LOCAL_
		netbios name = debian-x11
		realm = LOCAL.INT.BR
		security = domain
		wins server =
		use kerberos keytab = yes
		client use spnego = yes
		client NTLMv2 auth = yes
		bind interfaces only = yes
		interfaces = eth0, lo
		hosts allow =,
		debug level = 2
		log file = /var/log/samba/%m.log
		max log size = 50
		log level = 1
		syslog = 0
		utmp = Yes

		idmap uid = 10000-15000
		idmap gid = 10000-15000
		template shell = /bin/bash
		template homedir = /home/users/%U
		winbind separator = +
		winbind enum users = yes
		winbind enum groups = yes
		winbind use default domain = yes

		encrypt passwords = yes
		invalid users = root
		local master = no
		domain master = no
		dns proxy = no
		preserve case = yes
		short preserve case = no
		default case = lower
		case sensitive = no
		dos charset = cp850
		unix charset = iso8859-1
		display charset = LOCALE
		restrict anonymous = 0


