Hello all,

I have a pretty large DC and am using winbind for our Linux workstations, and I'm having a peculiar issue. Not all accounts but some...including mine are receiving the PAM error to change password.

example...

...
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user msellers.
Changing password for msellers
(current) NT password:

Changing my password works, but reconnecting results in the same prompt, thus going over and over again.

Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' granted access
Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' OK
Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' needs new password

I'm never able to login with this account. I've looked at debug 10 of winbind and can't see anything exciting. I've seen a few posts in the past but no resolutions.... any ideas?

Thanks Much!
Matt Sellers

known bug, they work on setting password expiry to "none", but a date far in the future should circumvent this problem

micha

Matt Sellers wrote:
> Hello all,
>
> I have a pretty large DC and am using winbind for our Linux workstations,
> and I'm having a peculiar issue. Not all accounts but some...including
> mine are receiving the PAM error to change password.
>
> example...
>
> ...
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user msellers.
> Changing password for msellers
> (current) NT password:
>
> Changing my password works, but reconnecting results in the same prompt,
> thus going over and over again.
>
> Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' granted access
> Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' OK
> Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' needs new password
>
> I'm never able to login with this account. I've looked at debug 10 of
> winbind and can't see anything exciting. I've seen a few posts in the
> past but no resolutions.... any ideas?
>
> Thanks Much!
> Matt Sellers

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399

Dear Matt,

> I have a pretty large DC and am using winbind for our Linux
> workstations, and I'm having a peculiar issue. Not all
> accounts but some...including mine are receiving the PAM
> error to change password.

This seems to be another instance of
https://bugzilla.samba.org/show_bug.cgi?id=3969

With best regards,
P. Trifonov

Hello again :-)

So my understanding is that somehow the PAM library throws this flag to pam_winbind for some reason, even if the account is not expired. I do not have direct access to the DC that we are doing authentication from, so testing a workaround is difficult.

Am I correct in assuming that the only way to fix this problem is to set the account expiration far in the future?

Is there any way pam_winbind can be configured to ignore this flag?

ie: I tried

/etc/pam.d/system-auth
password [default=ok new_authtok_reqd=ignore] /lib/security/$ISA/pam_winbind.so try_first_pass use_authtok

but no different behaviour observed.

Considering I can't access this bug report, is there any way I can find more information?

On 8/16/06, Peter Trifonov <petert@dcn.infos.ru> wrote:
>
> Dear Matt,
>
> > I have a pretty large DC and am using winbind for our Linux
> > workstations, and I'm having a peculiar issue. Not all
> > accounts but some...including mine are receiving the PAM
> > error to change password.
>
> This seems to be another instance of
> https://bugzilla.samba.org/show_bug.cgi?id=3969
>
> With best regards,
> P. Trifonov