[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)

Rowland penny rpenny at samba.org
Sun Jun 6 11:17:05 UTC 2021

On 06/06/2021 12:02, Kees van Vloten wrote:
> On 06-06-2021 12:52, Rowland penny via samba wrote:
>> On 06/06/2021 11:20, Kees van Vloten wrote:
>>> The problem is not on the DC, users do not login there.
>>> There are some member-servers that do need domain-user logins, e.g. 
>>> over ssh.
>>> I have already found out that sssd is not good at maintaining the 
>>> computer-account password and does not support NTLM, and I really want 
>>> the same tool for id-mapping everywhere. Since that is winbind on the DC 
>>> and on the SMB-fileserver, the idea is to use it on other member 
>>> servers for NSS as well.
>>> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622 
>>> pam-winbind is not the right tool for user logins. I tried pam-sss 
>>> instead with good results.
>>> That's the background.
>>> - Would pam-sss + winbind for NSS work on a member-server?
>> Probably, possibly, but you only get authentication, so you might 
>> just as well use sssd by itself. If you want shares, then you really 
>> need the full Samba stack.
> Not really, as it does not update the computer-account pw after 30 
> days automatically. That is why I want the computer-account to be 
> maintained by winbind.

There you go, yet another reason not to use sssd, it has been that long 
since I used sssd, so I was unaware of that.

>>> - Does the combination nslcd, pam, ldap provide the users with a 
>>> kerberos ticket?
>> It has been some time since I used nslcd, but I believe so.
>> Of course it would be so much better if that bug was fixed, it is (in 
>> my opinion) a security bug, disabled users or users with expired 
>> passwords should not be able to login by any method.
>> Rowland
> I agree with you that this is a security bug, the whole idea of expiring 
> is that they do not get access without changing their pw.
> Is there anything that can be done to get the bug 14622 labelled as a 
> security issue?
> For me pam-winbind would be the preferred solution because it 
> simplifies the setup, less software is better :-)

Okay Andrew, why isn't this a security problem ??
