[Samba] pam_winbind: user needs new password

Eric shrodi+samba at gmail.com
Fri May 1 16:11:17 GMT 2009


In the meantime, until someone gets a better idea, I compiled pam_winbind.so
from Samba 3.3.4 sources with the following modifications to pam_winbind.c:

--- samba-3.3.4/source/nsswitch/pam_winbind.c   2009-04-28
02:46:16.000000000 -0400                     
+++ samba-3.3.4.modified/source/nsswitch/pam_winbind.c  2009-05-01
11:57:37.000000000 -0400             
@@ -821,6 +821,9
@@                                                                                     

                                              int
warn_pwd_expire,                                      
                                              bool
*already_expired)                                    
 {                                                                                                      

+       // Added by Eric Martel: avoid faulty expiry
message                                            
+       return
false;                                                                                   

+                                                                                                       

        int days =
0;                                                                                   

        struct tm tm_now, tm_next_change;
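Review bot: the unconditional `return false;` added at the top of the function, before `int days = 0;`, turns the whole body into dead code, so the expiry warning can never be produced and the `bool *already_expired` output parameter visible in the signature is never written; whatever the caller does with it now depends on how the caller happened to initialise it. If the expiry message really is spurious, the fix belongs in the calculation that derives it from the policy, not in disabling the function outright. Two style points: a statement ahead of the declaration `int days = 0;` is only valid in C99 mode, and the `//` comments do not match the `/* */` style used around them.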

@@ -2703,14 +2706,16 @@
                        case PAM_AUTHTOK_EXPIRED:
                                /* fall through, since new token is
required in this case */
                        case PAM_NEW_AUTHTOK_REQD:
-                               _pam_log(ctx, LOG_WARNING,
+                               // commented by Eric Martel to prevent
faulty logon rejection
+                               /*_pam_log(ctx, LOG_WARNING,
                                         "pam_sm_acct_mgmt success but
%s is set",
                                         PAM_WINBIND_NEW_AUTHTOK_REQD);
                                _pam_log(ctx, LOG_NOTICE,
                                         "user '%s' needs new password",
                                         username);
                                /* PAM_AUTHTOKEN_REQD does not exist,
but is documented in the manpage */
-                               ret = PAM_NEW_AUTHTOK_REQD;
+                               //ret = PAM_NEW_AUTHTOK_REQD;
+                               ret = PAM_SUCCESS;
                                goto out;
                        default:
                                _pam_log(ctx, LOG_WARNING,
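Review bot: replacing `ret = PAM_NEW_AUTHTOK_REQD;` with `ret = PAM_SUCCESS;` for both the `PAM_AUTHTOK_EXPIRED` and `PAM_NEW_AUTHTOK_REQD` cases means a user whose account reports that a new password is required is let in without ever being made to change it, and with both `_pam_log` calls commented out nothing is logged about it either, so the policy is bypassed silently. The quoted auth.log shows auth and account succeeding in pam_winbind and the change then failing in `pam_tcb(su:chauthtok)`, i.e. the password stack of the su service is not handing chauthtok to pam_winbind; fixing that stack would let the unmodified return value do its job. Minor: the `/*` opened at `/*_pam_log(ctx, LOG_WARNING,` has no closing of its own and is only terminated by the `*/` of the existing `PAM_AUTHTOKEN_REQD` comment, so that comment's `/*` now sits inside the block (gcc warns about this with -Wcomment) and the intent is hard to read; `#if 0` / `#endif`, or simply deleting the lines, would be clearer.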

This is a very ugly, dirty fix, but at least it works and my users can
log in without a glitch now. Still hoping to hear from Samba gurus out
there! :)


Eric wrote:
> Hi,
>
> I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1
> (Samba 3.3.2), keeping all the same config files I had before. I use
> pam_winbind to authenticate users against MS Active Directory.
> Everything was working perfectly prior to the upgrade, and now
> everything seems to be fine except for one thing: no user can have
> access due to the following errors (taken from auth.log):
>
> May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): getting password
> (0x00000010)
> May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): pam_get_item
> returned a password
> May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): user 'emartel'
> granted access
> May  1 10:27:25 poste161-186 su: pam_winbind(su:account):
> pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> May  1 10:27:25 poste161-186 su: pam_winbind(su:account): user 'emartel'
> needs new password
> May  1 10:27:27 poste161-186 su: pam_tcb(su:chauthtok): Credentials for
> user emartel unknown
>
> So access is granted, but for whatever reason the user (any user) is
> informed by the console that his password has expired and he needs to
> change it. If he tries to change it at the console as proposed, not only
> does he still not get access, but the password is not changed either.
> I googled this, but all I found was old information regarding a bug in Samba
> 3.0.2x; has this bug returned? Am I missing something? Is that a
> Mandriva issue? Is there any workaround that doesn't involve playing
> with AD settings?
>
> Thanks!
>
> Eric Martel
> Québec, Canada
>   
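The auth.log quoted above shows pam_winbind answering the auth and account
steps but pam_tcb answering chauthtok, which suggests the password stack of
the su service never reaches pam_winbind. The script below is an added
example for this thread (it is not Samba code and was not posted by Eric):
it reads a PAM service file and lists, per management group, the modules in
stack order, then reports the groups in which a given module is absent. The
pam.d/su contents it inspects are a constructed sample shaped like the
symptom in the log, not Eric's real configuration; on a real host you would
feed it `cat /etc/pam.d/su` (and any file pulled in by an `include` line).

```shell
#!/bin/sh
# Added example: inspect a PAM service file and show, per management group,
# which modules are stacked and in what order. Not part of Samba; the sample
# service file below is constructed for the demonstration.

# Constructed sample: auth and account reach pam_winbind, password does not,
# so a required password change is handed to pam_tcb (cf. the quoted log).
SAMPLE_PAM_SU=$(cat <<'EOF'
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     pam_tcb.so shadow nullok
account    sufficient   pam_winbind.so
account    required     pam_tcb.so shadow
password   required     pam_tcb.so shadow write_to=shadow
session    required     pam_tcb.so
EOF
)

# pam_stack_modules CONTENT GROUP
# Prints the module names of GROUP (auth/account/password/session) in stack
# order, separated by spaces. Handles a leading "-" on the type, bracketed
# control fields like [success=1 default=ignore], and paths/.so suffixes.
pam_stack_modules() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            t = $1; sub(/^-/, "", t)
            if (t != grp) next
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            i++
            m = $i; sub(/^.*\//, "", m); sub(/\.so$/, "", m)
            out = out (out ? " " : "") m
        }
        END { print out }'
}

# pam_group_handles CONTENT GROUP MODULE -> exit 0 if MODULE is in GROUP's stack
pam_group_handles() {
    case " $(pam_stack_modules "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# pam_missing_groups CONTENT MODULE -> groups whose stack lacks MODULE
pam_missing_groups() {
    missing=""
    for g in auth account password session; do
        pam_group_handles "$1" "$g" "$2" || missing="$missing $g"
    done
    printf '%s\n' "${missing# }"
}

for g in auth account password session; do
    printf '%-8s %s\n' "$g" "$(pam_stack_modules "$SAMPLE_PAM_SU" "$g")"
done
echo "groups without pam_winbind: $(pam_missing_groups "$SAMPLE_PAM_SU" pam_winbind)"
```

On the constructed sample the report is "groups without pam_winbind:
password session": the password group is exactly where PAM sends the
forced change after pam_sm_acct_mgmt returns PAM_NEW_AUTHTOK_REQD, so a
stack like this one explains a "needs new password" prompt whose change
attempt then fails in another module. The check deliberately stays
read-only; it does not rewrite the service file.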