Hi,

I am unable to log in to a Samba system that uses Kerberos to authenticate to ADS if the user's password has expired on the ADS system or if "User must change password at next login" is checked on the ADS. I get a "login incorrect" message on the Linux system and the log file gives the following error:

pam_winbind[3647]: request failed: Must change password, PAM error was 12, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
pam_winbind[3647]: user `blah' new password required
Jun 17 10:25:53 samba1 login[3647]: FAILED LOGIN SESSION FROM /dev/tty1 FOR blah, Authentication token is no longer valid; new one required.

Is it possible for the user to get prompted to change their password at login? I am very new to the Microsoft integration and any advice would be greatly appreciated.

Note: getent passwd, wbinfo -u, wbinfo -g, and logging into the Samba system with an ADS user account that hasn't expired or doesn't have to change its password at first login all work great without any issues.

My configuration is as follows:

SuSE 8.1, kernel 2.4.19-4

Installed packages:
samba3-client-3.0.4-1
samba3-3.0.4-1
samba3-winbind-3.0.4-1
heimdal-lib-0.4e-204
heimdal-0.4e-204
heimdal-devel-0.4e-204
pam_smb-1.1.6-371
pam_krb5-1.0.3-74

#smb.conf
# Global parameters
[global]
	workgroup = TEST
	realm = TEST.LOCAL
	security = ADS
	auth methods = winbind
	update encrypted = Yes
	obey pam restrictions = Yes
	password server = win.test.local
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	winbind separator = +
	winbind cache time = 15
	winbind use default domain = Yes

#/etc/krb5.conf
[libdefaults]
	ticket_lifetime = 24000
	default_realm = TEST.LOCAL
	default_tgs_enctypes = arcfour-hmac-md5
	default_tgs_enctypes = arcfour-hmac-md5
	permitted_enctypes = arcfour-hmac-md5
	#default_tgs_enctypes = des-cbc-crc des-cbc-md5
	#default_tkt_enctypes = des-cbc-crc des-cbc-md5
	forwardable = true
	proxiable = true
	dns_lookup_realm = true
	dns_lookup_kdc = true

[realms]
	TEST.LOCAL = {
		kdc = win.test.local:88
		admin_server = win.test.local:749
		default_domain = TEST.LOCAL
	}

[domain_realm]
	.test.local = TEST.LOCAL
	test.local = TEST.LOCAL

[kdc]
	profile = /var/heimdal/kdc.conf

[logging]
	default = FILE:/var/log/krb5/libs.log
	kdc = FILE:/var/log/krb5/kdc.log
	admin_server = FILE:/var/log/krb5/admin.log

[appdefaults]
	pam = {
		debug = false
		ticket_lifetime = 36000
		renew_lifetime = 36000
		forwardable = true
		renewable = true
		krb4_convert = false
	}

#/var/heimdal/kdc.conf
[kdcdefaults]
	kdc_ports = 88

[realms]
	TEST.LOCAL = {
		kadmind_port = 749
		max_life = 10h 0m 0s
		max_renewable_life = 7d 0h 0m 0s
		master_key_type = des-cbc-crc
		supported_enctypes = des-cbc-crc:normal
	}

[logging]
	kdc = FILE:/var/log/kdc.log
	admin_server = FILE:/var/log/kadmin.log

#/etc/pam.d/login
#%PAM-1.0
auth     required   pam_securetty.so
auth     required   pam_env.so
auth     sufficient pam_unix2.so nullok #set_secrpc
auth     sufficient pam_winbind.so use_first_pass #added
auth     required   pam_deny.so #added
auth     required   pam_nologin.so
#auth    required   pam_homecheck.so
# auth   required   pam_mail.so
account  sufficient pam_winbind.so
account  required   pam_unix2.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so nullok use_first_pass use_authtok
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required   pam_unix2.so none # debug or trace
session  required   pam_limits.so

#/etc/nsswitch.conf (relevant section)
passwd: compat winbind
shadow: files winbind
group:  compat winbind

Note: nscd is also disabled

Thanks in advance,
Tabitha Taylor
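Editor's added example, not part of the post above: the password stack in the posted /etc/pam.d/login contains only pam_pwcheck and pam_unix2. PAM error 12 is PAM_NEW_AUTHTOK_REQD (login prints it as "Authentication token is no longer valid; new one required"), and the way a login program honours it is to call pam_chauthtok, which runs the password stack. Neither pam_pwcheck nor pam_unix2 talks to winbindd, so a domain user's expired password cannot be changed there no matter what the auth and account stacks return. The fragment below adds pam_winbind ahead of the local modules in that stack; the service file, module names and option spellings are the ones from the posted configuration. Whether pam_winbind from samba3-3.0.4 actually carries a forced change through to a prompt at login, rather than only logging the failure as shown above, is an assumption that should be verified on the system.

```text
# /etc/pam.d/login  (password stack only; auth, account and session lines
# stay exactly as posted)
#
# pam_winbind first and "sufficient": a domain user's change is sent to
# winbindd and, on success, the local modules are skipped (the domain
# enforces its own password policy). A local user makes pam_winbind fail,
# so the stack falls through to the posted pam_pwcheck/pam_unix2 pair.
password sufficient pam_winbind.so
password required   pam_pwcheck.so nullok
password required   pam_unix2.so nullok use_first_pass use_authtok
```

To see what happens after the change, run the failing login again and compare the pam_winbind lines in the log with the ones quoted in the post: a "new password required" line that is followed by a password-change request from pam_winbind, rather than by login's FAILED LOGIN line, shows that pam_chauthtok reached winbindd.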