Speidel, Bruce
2006-Jan-26 21:54 UTC
[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
I'm trying to configure my Solaris 9 pam.conf for CDE login/password
expiration using
ADS security on W2003. If my AD account password is in good standing,
my config works great in /etc/pam.conf. However - I'm having trouble
getting it to recognize that my password in AD has expired to ask me
to reset it on the CDE screen. With the config below - it just tells
me "login incorrect". Any ideas?
My /opt/samba/smb.conf file looks like:
[global]
workgroup = QACCESST
realm = QACCESST.ADTEST.AD.LAB
server string = %h server (Samba %v)
security = ADS
update encrypted = Yes
obey pam restrictions = Yes
enable privileges = Yes
pam password change = Yes
passwd program = /bin/passwd %u
username map = /etc/samba/smbusers
unix password sync = Yes
log level = 5
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 500-100000000
idmap gid = 500-100000000
template shell = /bin/bash
winbind cache time = 10
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
[homes]
valid users = %S
read only = No
browseable = No
/etc/nsswitch.conf:
passwd: files winbind
group: files winbind
hosts: files dns winbind
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system
will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
/etc/pam.conf (snipped for the dtlogin section only):
# CDE login and screenlock
dtlogin auth sufficient pam_winbind.so
debug use_first_pass use_authtok
dtlogin auth requisite pam_authtok_get.so.1
debug
dtlogin auth required pam_dhkeys.so.1
debug
#dtlogin auth optional pam_krb5.so
use_first_pass creds debug
dtlogin auth sufficient pam_unix_auth.so.1
debug try_first_pass
#dtlogin auth sufficient
pam_dial_auth.so.1 debug
#dtlogin account requisite pam_roles.so.1
debug
#dtlogin account requisite
pam_projects.so.1 debug
#dtlogin account sufficient
pam_unix_account.so.1 debug
dtlogin account required pam_winbind.so
use_authtok
#dtlogin password sufficient pam_dhkeys.so.1
debug
#dtlogin password requisite
pam_authtok_get.so.1 debug
#dtlogin password requisite
pam_authtok_check.so.1 debug
#dtlogin password sufficient
pam_authtok_store.so.1 debug
dtlogin password required pam_winbind.so
debug use_authtok
dtsession auth sufficient pam_winbind.so
debug try_first_pass
dtsession auth required pam_unix.so.1
Thanks in advance!
Bruce
Gerald (Jerry) Carter
2006-Jan-27 03:05 UTC
[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Speidel, Bruce wrote:> I'm trying to configure my Solaris 9 pam.conf for CDE login/password > expiration using > ADS security on W2003. If my AD account password is in good standing, > my config works great in /etc/pam.conf. However - I'm having trouble > getting it to recognize that my password in AD has expired to ask me > to reset it on the CDE screen. With the config below - it just tells > me "login incorrect". Any ideas?This is fixed in 3.0.21b based on what I understand from Guenther. cheers, jerry ====================================================================I live in a Reply-to-All world ----------------------- Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD2Y3uIR7qMdg1EfYRAj+0AKCP5QlLy4rCuZLxtiVr9tA0LZ4sJQCg4XNS oMWMWtwdoH/MbKk33O2gaok=JdyO -----END PGP SIGNATURE-----