[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
Kees van Vloten
keesvanvloten at gmail.com
Thu Apr 22 20:11:54 UTC 2021
Hi,
I have freshly set up 2 lxc containers with Samba 4.13 on Debian Buster
(installed from apt.van-belle.nl/debian).
The first runs samba-ad-dc, the second has samba + winbind and has
joined the AD domain.
A domain user is created with samba-tool with the option
--must-change-at-next-login. A login with the user succeeds the first
time, with some interesting output:
kvv at bach:~$ ssh grieg
kvv at grieg's password:
Password expired. You must change it now.
Password change rejected: Try a more complex password, or contact your
administrator.. Please try again.
Password change rejected: Try a more complex password, or contact your
administrator.. Please try again.
Your password has expired
Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 12 20:08:22 2021 from 192.168.10.1
kvv at grieg:~$
In the login sequence I never got the opportunity to enter a new password.
Logging out and in again (2nd time) with the same user logs me in without asking
anything at all (I guess I have a valid ticket already) and the fact
that my password is expired does not seem relevant anymore.
What went wrong here, why is there no password change dialog and why do I
get logged in anyway?
I have tried the same scenario with Debian stock Samba 4.9,
unfortunately it shows exactly the same result.
Details on the setup of the domain-member:
Packages installed: krb5-user, samba, winbind, libnss-winbind,
libpam-winbind, libpam-krb5
Samba config:
[global]
netbios name = GRIEG
security = ADS
realm = COMPOSERS.LAN
workgroup = COMPOSERS
kerberos method = system keytab
kerberos encryption types = strong
idmap config composers:backend = ad
idmap config composers:schema_mode = rfc2307
idmap config composers:unix_nss_info = yes
idmap config composers:unix_primary_group = yes
idmap config composers:range = 1001-999999
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind cache time = 300
winbind refresh tickets = yes
rpc server dynamic port range = 50000-55000
disable netbios = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 8
winbind normalize names = yes
winbind offline logon = yes
winbind scan trusted domains = no
winbind use default domain = yes
bind interfaces only = yes
smb ports = 445
interfaces = lo
/etc/krb5.conf
[libdefaults]
default_realm = COMPOSERS.LAN
dns_lookup_kdc = false
dns_lookup_realm = false
rdns = false
allow_weak_crypto = false
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
ticket_lifetime = 10h
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[logging]
default = SYSLOG
[realms]
COMPOSERS.LAN = {
kdc = 192.168.10.3:88
master_kdc = 192.168.10.3:88
kpasswd_server = 192.168.10.3
}
[domain_realm]
einaudi.composers.lan = COMPOSERS.LAN
192.168.10.3 = COMPOSERS.LAN
nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
sshd_config (some relevant settings)
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
UsePAM yes
UseDNS yes
There are no ssh authorized_keys in the container.
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth required pam_tally2.so deny=5 onerr=fail unlock_time=60
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password requisite pam_pwquality.so use_authtok local_users_only minlen=8 minclass=3
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=10
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
With debug and state_debug in /etc/security/pam_winbind.conf this output
is logged in auth.log:
Apr 13 22:24:29 grieg sshd[3211]: Connection from 192.168.10.1 port 36384 on 192.168.10.41 port 22
Apr 13 22:24:29 grieg sshd[3211]: Failed publickey for kvv from 192.168.10.1 port 36384 ssh2: RSA SHA256:dWeILY6lk45UQc/iU9jxUAS3/HxfAS5/KaHSHi4Z/z8
Apr 13 22:24:39 grieg sshd[3211]: pam_krb5(sshd:auth): authentication failure; logname=kvv uid=0 euid=0 tty=ssh ruser= rhost=vivaldi.composers.lan
Apr 13 22:24:39 grieg sshd[3211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vivaldi.composers.lan user=kvv
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] ENTER: pam_sm_authenticate (flags: 0x0001)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_AUTHTOK) = 0x558c645e56c0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645e20c0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): getting password (0x00001389)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): pam_get_item returned a password
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): Verify user 'kvv'
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): enabling krb5 login flag
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): enabling cached login flag
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: The user account password has expired.
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): user 'kvv' password expired
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_AUTHTOK) = 0x558c645e56c0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645e20c0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:39 grieg sshd[3211]: Accepted password for kvv from 192.168.10.1 port 36384 ssh2
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] ENTER: pam_sm_setcred (flags: 0x0002)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645b3430
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645b3430
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:39 grieg sshd[3211]: pam_unix(sshd:session): session opened for user kvv by (uid=0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] ENTER: pam_sm_open_session (flags: 0x0000)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645ed5d0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645ed5d0
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:session): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:40 grieg sshd[3211]: User child is on pid 3230
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] ENTER: pam_sm_setcred (flags: 0x0002)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645aef20
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_SERVICE) = "sshd" (0x558c645b4130)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_USER) = "kvv" (0x558c645b5f20)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_TTY) = "ssh" (0x558c645e0b40)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_RHOST) = "vivaldi.composers.lan" (0x558c645b3bc0)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: ITEM(PAM_CONV) = 0x558c645aef20
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x558c64604840)
Apr 13 22:24:40 grieg sshd[3230]: pam_winbind(sshd:setcred): [pamh: 0x558c645b90f0] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x558c64604cf0)
Apr 13 22:24:40 grieg sshd[3230]: Starting session: shell on pts/4 for kvv from 192.168.10.1 port 36384 id 0
--
Regards,
Kees van Vloten
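As an added illustration (not code from the post, from Linux-PAM or from Samba): the common-auth stack shown in the post, evaluated with a small reimplementation of libpam's control-field dispatcher. The module results follow the log in the post (pam_krb5 and pam_unix fail, pam_winbind logs the expired password, records PAM_WINBIND_NEW_AUTHTOK_REQD and still returns PAM_SUCCESS); the alternative return codes tried for pam_winbind, the lockout scenario for pam_tally2, and the rule that unlisted return codes count as "bad" are assumptions marked in the comments. The numeric return codes are those of Linux-PAM (27 is the PAM_AUTHTOK_EXPIRED seen in the log).

```python
"""Evaluate a Linux-PAM auth stack the way libpam's dispatcher does.

Added example, not code from the post, Linux-PAM or Samba. It reimplements
the control-field semantics documented in pam.conf(5): the actions ok, done,
bad, die, ignore, reset and the integer jump, plus the keyword shorthands.
"""

# Linux-PAM return codes used here (values as in <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25
PAM_AUTHTOK_EXPIRED = 27

# Names usable inside a [...] control field, per pam.conf(5).
CODE_BY_NAME = {
    "success": PAM_SUCCESS, "perm_denied": PAM_PERM_DENIED,
    "auth_err": PAM_AUTH_ERR, "new_authtok_reqd": PAM_NEW_AUTHTOK_REQD,
    "ignore": PAM_IGNORE, "authtok_expired": PAM_AUTHTOK_EXPIRED,
}
NAME_BY_CODE = {code: name for name, code in CODE_BY_NAME.items()}

# The simple keywords are shorthand for these tables (pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The Primary block of the post's /etc/pam.d/common-auth, in order.
COMMON_AUTH = [
    ("required", "pam_tally2.so"),
    ("[success=3 default=ignore]", "pam_krb5.so"),
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]


def parse_control(control):
    """Turn a control field into a {retval_name: action} table."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control field: %s" % control)
    return dict(tok.split("=", 1) for tok in control[1:-1].split())


def action_for(table, retval):
    """Look up the action for a module's return code; unlisted codes fall to
    'default', and a missing default is treated as 'bad' (assumption)."""
    return table.get(NAME_BY_CODE.get(retval, ""), table.get("default", "bad"))


def run_stack(stack, results):
    """Dispatch a stack of (control, module) given each module's return code.
    Mirrors libpam: the first negative result sticks; a positive result only
    counts while no negative one has been recorded; integer actions jump."""
    impression, status, i = None, PAM_SUCCESS, 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        act = action_for(parse_control(control), retval)
        skip = 0
        if act.isdigit():               # "success=N": like ok, then skip N modules
            skip, act = int(act), "ok"
        if act in ("ok", "done"):
            if retval != PAM_IGNORE and (impression is None or
                                         (impression == "pos" and status == PAM_SUCCESS)):
                impression, status = "pos", retval
            if act == "done" and impression == "pos":
                break
        elif act in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if act == "die":
                break
        elif act == "reset":
            impression, status = None, PAM_SUCCESS
        # "ignore": no effect on the outcome
        i += 1 + skip
    if status == PAM_SUCCESS and impression != "pos":
        status = PAM_PERM_DENIED         # nothing granted access: refuse
    return status


def evaluate_common_auth(winbind_result, tally_result=PAM_SUCCESS):
    """The post's stack with pam_krb5/pam_unix failing as in the log; the
    pam_winbind and pam_tally2 results are the scenario inputs."""
    results = {
        "pam_tally2.so": tally_result,
        "pam_krb5.so": PAM_AUTH_ERR,
        "pam_unix.so": PAM_AUTH_ERR,
        "pam_winbind.so": winbind_result,
        "pam_deny.so": PAM_AUTH_ERR,
        "pam_permit.so": PAM_SUCCESS,
    }
    return run_stack(COMMON_AUTH, results)


if __name__ == "__main__":
    for label, code, tally in [
        ("winbind returns PAM_SUCCESS (as logged)", PAM_SUCCESS, PAM_SUCCESS),
        ("winbind returns PAM_AUTHTOK_EXPIRED (assumed)", PAM_AUTHTOK_EXPIRED, PAM_SUCCESS),
        ("winbind returns PAM_NEW_AUTHTOK_REQD (assumed)", PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS),
        ("pam_tally2 lockout (assumed)", PAM_SUCCESS, PAM_AUTH_ERR),
    ]:
        print("%-48s -> %d" % (label, evaluate_common_auth(code, tally)))
```

With `[success=1 default=ignore]`, a PAM_SUCCESS from pam_winbind jumps over pam_deny to pam_permit and the auth phase succeeds, which is what the log shows. Any other return code from pam_winbind, including PAM_AUTHTOK_EXPIRED or PAM_NEW_AUTHTOK_REQD, is swallowed by `default=ignore` and the stack lands on pam_deny, i.e. a failed login rather than a forced password change; in PAM a forced change is signalled by the account phase returning PAM_NEW_AUTHTOK_REQD, and the post does not show /etc/pam.d/common-account. The pam_tally2 scenario shows the other side of the same semantics: a `required` failure is sticky, so a later success cannot override it.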
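A detection rule for the situation in the post, as an added example that is not part of the original message: correlate, per sshd PID, pam_winbind's auth-phase "password expired" message with the session being opened anyway. The sample log is constructed from a condensed subset of the auth.log lines in the post (pid 3211) plus one made-up negative case (pid 3300, user alice) in which the connection is closed instead; the regexes follow the message formats visible in the post, and the rule depends on pam_winbind's debug logging being enabled, as the post did via /etc/security/pam_winbind.conf.

```python
"""Flag SSH sessions opened although pam_winbind reported an expired password.

Added example, not code from the post or from Samba. The message formats
matched below are the ones visible in the post's auth.log excerpt.
"""
import re
from collections import defaultdict

# Constructed sample input: the post's records for sshd pid 3211, condensed
# to the relevant lines, plus an assumed negative case (pid 3300) where the
# expired-password user disconnects instead of getting a shell.
SAMPLE_AUTH_LOG = """\
Apr 13 22:24:29 grieg sshd[3211]: Connection from 192.168.10.1 port 36384 on 192.168.10.41 port 22
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: The user account password has expired.
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): user 'kvv' password expired
Apr 13 22:24:39 grieg sshd[3211]: pam_winbind(sshd:auth): [pamh: 0x558c645b90f0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr 13 22:24:39 grieg sshd[3211]: Accepted password for kvv from 192.168.10.1 port 36384 ssh2
Apr 13 22:24:39 grieg sshd[3211]: pam_unix(sshd:session): session opened for user kvv by (uid=0)
Apr 13 22:25:10 grieg sshd[3300]: pam_winbind(sshd:auth): user 'alice' password expired
Apr 13 22:25:10 grieg sshd[3300]: pam_winbind(sshd:auth): [pamh: 0x558c64a00000] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr 13 22:25:12 grieg sshd[3300]: Connection closed by authenticating user alice 192.168.10.5 port 40022 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EXPIRED_RE = re.compile(r"pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' password expired")
AUTH_OK_RE = re.compile(
    r"pam_winbind\(sshd:auth\): .*LEAVE: pam_sm_authenticate returning 0 \(PAM_SUCCESS\)")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def parse_line(line):
    """Split one syslog line into timestamp, host, sshd pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}


def find_expired_logins(log_text):
    """One finding per sshd pid where pam_winbind flagged an expired password
    in the auth phase, the auth phase still returned PAM_SUCCESS, and a
    session was then opened for that same user."""
    state = defaultdict(dict)      # pid -> evidence collected so far
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st, msg = state[rec["pid"]], rec["msg"]
        m = EXPIRED_RE.search(msg)
        if m:
            st["expired_user"], st["ts_expired"] = m["user"], rec["ts"]
            continue
        if AUTH_OK_RE.search(msg):
            st["auth_success"] = True
            continue
        m = ACCEPTED_RE.search(msg)
        if m:
            st["rhost"], st["method"] = m["rhost"], m["method"]
            continue
        m = SESSION_RE.search(msg)
        if m and st.get("expired_user") == m["user"] and st.get("auth_success"):
            findings.append({
                "host": rec["host"], "pid": rec["pid"], "user": m["user"],
                "rhost": st.get("rhost"), "method": st.get("method"),
                "ts_expired": st["ts_expired"], "ts_session": rec["ts"],
            })
            st.clear()               # one finding per session
    return findings


if __name__ == "__main__":
    for f in find_expired_logins(SAMPLE_AUTH_LOG):
        print("%(host)s sshd[%(pid)d]: session for %(user)s from %(rhost)s "
              "(%(method)s) opened at %(ts_session)s after password expired "
              "at %(ts_expired)s" % f)
```

A site where the expected forced password change does succeed would want to add the corresponding pam_winbind chauthtok success message as a suppressor between the two events; that message is not in the post, so it is left out here rather than guessed.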