Speidel, Bruce
2006-Jan-26 21:54 UTC
[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003. If my AD account password is in good standing, my config works great in /etc/pam.conf. However, I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below, it just tells me "login incorrect". Any ideas?

My /opt/samba/smb.conf file looks like:

[global]
        workgroup = QACCESST
        realm = QACCESST.ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        obey pam restrictions = Yes
        enable privileges = Yes
        pam password change = Yes
        passwd program = /bin/passwd %u
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 5
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind cache time = 10
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes

[homes]
        valid users = %S
        read only = No
        browseable = No

/etc/nsswitch.conf:

passwd:     files winbind
group:      files winbind
hosts:      files dns winbind
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars: files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files

/etc/pam.conf (snipped for the dtlogin section only):

# CDE login and screenlock
dtlogin auth sufficient pam_winbind.so debug use_first_pass use_authtok
dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required pam_dhkeys.so.1 debug
#dtlogin auth optional pam_krb5.so use_first_pass creds debug
dtlogin auth sufficient pam_unix_auth.so.1 debug try_first_pass
#dtlogin auth sufficient pam_dial_auth.so.1 debug
#dtlogin account requisite pam_roles.so.1 debug
#dtlogin account requisite pam_projects.so.1 debug
#dtlogin account sufficient pam_unix_account.so.1 debug
dtlogin account required pam_winbind.so use_authtok
#dtlogin password sufficient pam_dhkeys.so.1 debug
#dtlogin password requisite pam_authtok_get.so.1 debug
#dtlogin password requisite pam_authtok_check.so.1 debug
#dtlogin password sufficient pam_authtok_store.so.1 debug
dtlogin password required pam_winbind.so debug use_authtok
dtsession auth sufficient pam_winbind.so debug try_first_pass
dtsession auth required pam_unix.so.1

Thanks in advance!
Bruce
Gerald (Jerry) Carter
2006-Jan-27 03:05 UTC
[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
Speidel, Bruce wrote:
> I'm trying to configure my Solaris 9 pam.conf for CDE login/password
> expiration using ADS security on W2003. If my AD account password is in
> good standing, my config works great in /etc/pam.conf. However - I'm
> having trouble getting it to recognize that my password in AD has
> expired to ask me to reset it on the CDE screen. With the config below -
> it just tells me "login incorrect". Any ideas?

This is fixed in 3.0.21b based on what I understand from Guenther.

cheers, jerry
====================================================================
I live in a Reply-to-All world
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com