Speidel, Bruce
2006-Feb-01 22:45 UTC
[Samba] SAMBA 3.0.21b expired password issue for Solaris 9 - perhaps a bug in winbind or /etc/pam.conf misconfigure
All,

The SAMBA version 3.0.21b expired password pam_winbind.so section perhaps might still have an issue. It seems to just be in some kind of loop and never completes the section in pam_winbind.c of pam_sm_chauthtok. See ssh (Solaris 4.2.p1 ssh) sequence below:

ssh hermione
Password:
Changing password for leeraym
(current) NT password:
Re-enter new Password:
Password:
Password:

tail -f /var/log/authlog:

Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok

tail -10f /var/log/authlog.debug

Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 572310 auth.info] Verify user `leeraym'
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:29 hermione sshd[1153]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = leeraym ruser = not set rhost = tuvok
Feb 1 14:53:29 hermione sshd[1153]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 743889 auth.debug] username [leeraym] obtained
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 678512 auth.warning] user `leeraym' denied access (incorrect password or invalid membership)
Feb 1 14:53:32 hermione sshd[1153]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok

/etc/pam.conf (snipped for sshd only):

# OpenSSH
sshd auth sufficient pam_winbind.so debug
sshd auth requisite pam_authtok_get.so.1 debug try_first_pass
sshd auth required pam_dhkeys.so.1 debug try_first_pass
sshd auth sufficient pam_unix_auth.so.1 debug try_first_pass
sshd account requisite pam_roles.so.1 debug
sshd account required pam_projects.so.1 debug
sshd account required pam_unix_account.so.1 debug
sshd account required pam_winbind.so debug
sshd password sufficient pam_winbind.so debug use_authtok
sshd password required pam_dhkeys.so.1 debug
sshd password requisite pam_authtok_get.so.1 debug
sshd password requisite pam_authtok_check.so.1 debug
sshd password required pam_authtok_store.so.1 debug
sshd session sufficient pam_winbind.so debug
sshd session required pam_unix.so.1 debug

Recommendations? File a mozilla bug? Does the sshd section of pam.conf look accurate for Solaris 9?

Thanks,
Bruce
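
Added example, not part of the original post and not Samba code: a small authlog correlator that flags logins where an expired-password change (NT_STATUS_PASSWORD_MUST_CHANGE) ended in sshd's "Authentication token manipulation error", the sequence shown in the logs above. The function name, regexes and the four-line sample are constructed for illustration; the join on host and user is an assumption based on the excerpt, where sshd logs the final error under PID 1151 while pam_winbind logs under 1153.

```python
import re
from collections import defaultdict

# Constructed sample: four lines in the shape of the authlog excerpt in the post.
SAMPLE = """\
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE
Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required
Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 1 14:53:36 hermione sshd[1151]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for leeraym from tuvok
"""

# Solaris syslog line: timestamp, host, program[pid], [ID n facility.level], message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) (\w+)\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
NT = re.compile(r"NT error was (NT_STATUS_\w+)")
USER = re.compile(r"user [`'](\w+)'")
TOKERR = re.compile(r"Authentication token manipulation error for (\S+) from (\S+)")

def failed_expired_changes(text):
    """Return [(user, rhost, [NT statuses in order])] for logins where an
    expired-password change ended in a token manipulation error."""
    statuses = defaultdict(list)  # (host, pid) -> NT statuses seen, in order
    pid_user = {}                 # (host, pid) -> user named by pam_winbind
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, prog, pid, msg = m.groups()
        key = (host, pid)
        if prog == "pam_winbind":
            if (nt := NT.search(msg)):
                statuses[key].append(nt.group(1))
            if (u := USER.search(msg)):
                pid_user[key] = u.group(1)
        elif prog == "sshd" and (e := TOKERR.search(msg)):
            user, rhost = e.groups()
            # Join on host + user: the sshd error carries a different PID.
            seq = [s for k, v in statuses.items()
                   if k[0] == host and pid_user.get(k) == user for s in v]
            if "NT_STATUS_PASSWORD_MUST_CHANGE" in seq:
                findings.append((user, rhost, seq))
    return findings

if __name__ == "__main__":
    print(failed_expired_changes(SAMPLE))
```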