[Samba] PAM_WINBIND problem with sambaPwdMustChange
Eduardo Sachs
edu.sachs at gmail.com
Fri Mar 13 11:26:23 GMT 2009
Hi Friends...
Now it is working.
When I use the command: smbldap-usermod sachs -B 1
smbldap-tools changes only sambaPwdMustChange to 0. I will report this
to IDEALX and to the Debian group.
Thanks!
2009/3/13 David Markey <dmarkey at comp.dit.ie>:
> sambaPwdMustChange is deprecated.
>
> It's now calculated dynamically: sambaPwdLastSet + sambaMaxPwdAge
>
> If you want to force a password change, set sambaPwdLastSet to 0.
>
> Eduardo Sachs wrote:
>> Hi People!
>>
>> I use pam_winbind for authentication on my workstation, running
>> Debian Lenny 5.0, stable version.
>>
>> I configured my user with the option "sambaPwdMustChange: 0", and I
>> log on in GDM without being asked to change the password. Does anyone
>> know what it could be?
>>
>> I use a Samba PDC with Heimdal Kerberos, but I configured PAM with only
>> pam_winbind for tests...
>>
>> Client versions:
>> ii libwbclient0 2:3.2.5-4
>> client library for interfacing with winbind service
>> ii samba 2:3.2.5-4 a
>> LanManager-like file and printer server for Unix
>> ii samba-common 2:3.2.5-4
>> Samba common files used by both the server and the client
>> ii winbind 2:3.2.5-4
>> service to resolve user and group information from Windows NT
>>
>> Server versions:
>> ii samba 2:3.2.5-4 a
>> LanManager-like file and printer server for Unix
>>
>> My configuration of PAM is simple:
>> auth sufficient pam_winbind.so debug
>> auth required pam_unix.so nullok_secure use_first_pass
>> account sufficient pam_unix.so
>> account sufficient pam_winbind.so
>> account required pam_deny.so
>> password sufficient pam_unix.so nullok obscure md5
>> password required pam_winbind.so
>> session optional pam_unix.so
>> session optional pam_winbind.so
>> session optional pam_mkhomedir.so skel=/etc/skel/ umask=077
>>
>> Debug PAM:
>> pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate (flags: 0x0000)
>> pam_winbind(gdm:auth): getting password (0x00000181)
>> pam_winbind(gdm:auth): Verify user 'sachs'
>> pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE'
>> pam_winbind(gdm:auth): enabling krb5 login flag
>> pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
>> pam_winbind(gdm:auth): user 'sachs' granted access
>> pam_winbind(gdm:auth): Returned user was 'sachs'
>> pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0
>> pam_winbind(gdm:account): user 'sachs' OK
>> pam_winbind(gdm:account): user 'sachs' granted access
>> pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred (flags: 0x0002)
>> pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
>> pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0
>>
>> Some configurations:
>> 1 - Nsswitch is configured with LDAP; it works fine.
>>
>> 2 - smb.conf
>>
>> [global]
>> workgroup = _LOCAL_
>> netbios name = debian-x11
>> realm = LOCAL.INT.BR
>> security = domain
>> wins server = 10.111.222.100
>> use kerberos keytab = yes
>> client use spnego = yes
>> client NTLMv2 auth = yes
>>
>> bind interfaces only = yes
>> interfaces = eth0 10.111.222.103, lo 127.0.0.1
>> hosts allow = 10.111.222.0/24, 127.0.0.1
>>
>> debug level = 2
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> log level = 1
>> syslog = 0
>> utmp = Yes
>>
>> idmap uid = 10000-15000
>> idmap gid = 10000-15000
>> template shell = /bin/bash
>> template homedir = /home/users/%U
>> winbind separator = +
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>>
>> encrypt passwords = yes
>> invalid users = root
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> local master = no
>> domain master = no
>> dns proxy = no
>>
>> preserve case = yes
>> short preserve case = no
>> default case = lower
>> case sensitive = no
>>
>> dos charset = cp850
>> unix charset = iso8859-1
>> display charset = LOCALE
>> restrict anonymous = 0
>>
>> Thanks!
>>
>
>
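Added example, not part of the original messages and not code from Samba or smbldap-tools: a small audit that applies the rule from the reply (expiry is sambaPwdLastSet + sambaMaxPwdAge, and sambaPwdLastSet of 0 forces a change) and flags accounts where only the deprecated sambaPwdMustChange attribute was set. Assumptions: timestamps and the maximum age are in seconds, a non-positive maximum age is treated as "no expiry", and all DNs and values are constructed sample data.

```python
# Added example: audit LDAP account entries with the rule from the reply above.
# All DNs, timestamps and the 30-day policy below are constructed sample data.

SAMPLE_LDIF = """\
dn: uid=sachs,ou=Users,dc=example,dc=org
sambaPwdLastSet: 1236900000
sambaPwdMustChange: 0

dn: uid=alice,ou=Users,dc=example,dc=org
sambaPwdLastSet: 0

dn: uid=bob,ou=Users,dc=example,dc=org
sambaPwdLastSet: 1230000000
"""
NOW = 1236943583            # constructed "current time", Unix seconds
MAX_PWD_AGE = 30 * 86400    # constructed sambaMaxPwdAge, seconds (assumed unit)

def parse_ldif(text):
    """Split minimal 'attr: value' LDIF text into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def password_state(entry, max_pwd_age, now):
    """Classify one entry; sambaPwdMustChange never decides expiry here."""
    last_set = int(entry["sambaPwdLastSet"])
    if last_set == 0:
        return "must_change"          # forced change, per the reply
    if max_pwd_age > 0 and last_set + max_pwd_age <= now:
        return "expired"              # sambaPwdLastSet + sambaMaxPwdAge reached
    if entry.get("sambaPwdMustChange") == "0":
        return "stale_flag_only"      # only the deprecated attribute was set
    return "valid"

def audit(ldif_text, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Return {dn: state} for every entry in the LDIF text."""
    return {e["dn"]: password_state(e, max_pwd_age, now)
            for e in parse_ldif(ldif_text)}

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF).items():
        print(f"{state:16} {dn}")
```

Entries reported as stale_flag_only are the case from this thread: the account looks flagged for a password change, yet the logon is not interrupted.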