Hello all! I apologize for my previous post, it seems this list doesn't like GPG/GPG-MIME signatures.

I'm trying to configure my linux servers to have automatic password changes happen when the passwords expire, or the AD's "User must change password..." checkbox is marked. I can do this fine with pam_krb5, but not with pam_winbind.

I need to use pam_winbind instead of pam_krb5 because there's a requirement to use kerberos tickets to log on to the servers via SSH, and using pam_krb5 in combination with OpenSSH's GSSAPI authentication (required to allow kerberos tickets over SSH from Windows) doesn't seem to work (I sort of understand why...). So, I'm forced to use pam_winbind.

So the question is: why isn't pam_winbind forcing a password change on first login or password expiry?

I noticed through some experimentation that setting a new password on expiry is triggered in the account phase of pam authorization (probably through returning PAM_NEW_AUTHTOK_REQD). I experimented with pam_krb5 - the only time it wouldn't work as expected was when it wasn't used as part of the account checking phase.

I even tried using nothing but pam_winbind to authorize users (temporarily locking out local unix users), and it still wouldn't work.

Can anyone provide any insight?

Thanks

Diego

On Fri, 2006-05-26 at 12:22 -0600, diego@rivera.net wrote:
> Can anyone provide any insight?

Diego can you test with 3.0.23rc1 ?

There has been a lot of improvements in winbindd lately and I think this one may have already been fixed.

Thanks,
Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org

Unfortunately, they're all production servers. The experimentation I spoke of happened on one of those servers, in off hours while maintenance was being performed on the other 3 (so I was able to sneak the 4th one in under the "closed for maintenance" umbrella).

However, you seem to imply that this is a known bug, with no workaround other than a (potential) backport of code from 3.0.23rc1?

> ----- Original Message -----
> From: simo <idra@samba.org>
> To: diego@rivera.net
> Subject: Re: [Samba] RE: Samba 3.0.20, pam_winbind broken?
> Date: Fri, 26 May 2006 14:28:59 -0400
>
> On Fri, 2006-05-26 at 12:22 -0600, diego@rivera.net wrote:
> > Can anyone provide any insight?
>
> Diego can you test with 3.0.23rc1 ?
>
> There has been a lot of improvements in winbindd lately and I think this
> one may have already been fixed.
>
> Thanks,
> Simo.
>
> --
> Simo Sorce
> Samba Team GPL Compliance Officer
> email: idra@samba.org
> http://samba.org

I can confirm that the problem is fixed in 3.0.22. We tested briefly today in a small maintenance window that presented itself out of immediate need, and everything worked as expected.

However, I have a feeling that 3.0.23rc1 would work even better (i.e. warnings about expiring passwords before they're gone, etc). Still, since a stable version addressed the immediate need, I'll wait until 3.0.23 is released before upgrading yet again.

Thanks for the help tho! :)

Gerald (Jerry) Carter wrote:
> On Sun, 28 May 2006, Diego Rivera wrote:
>
> > I'll try. However, I'm currently thinking of trying 3.0.22, which (from
> > looking at the code) appears to also be fixed in this respect (at least,
> > it appears to handle expired tokens more smartly). It'll be easier to
> > sell a test that one rather than a beta (or RC).
>
> > Is there an ETA on the release 3.0.23?
>
> Soon hopefully. Another few weeks I expect.
>
> cheers, jerry
>
> ====================================================================
> Samba ------- http://www.samba.org
> Centeris ----------- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian