Michael Gasch
2006-Aug-01 08:26 UTC
[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired
hi,

i just do some tests with a fresh compiled samba 3.0.23a.
trying to authenticate against PAM with pam_winbind gives:

Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: pam_sm_authenticate (flags: 0x0000)
Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired (Password was last set: 1154074953, the policy says it should expire here 1154074952 (now it's: 1154419163)
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3

there's no password policy on the domain controller (samba 3.0.14a, debian):

root@PDC:~# pdbedit -d 0 -P "maximum password age"
account policy value for maximum password age is 4294967295
root@PDC:~# pdbedit -d 0 -P "password history"
account policy value for password history is 0

some samba-ldap attributes on PDC for user "gasch":

sambaLogonTime: 1130931254
sambaPwdMustChange: 2147483647
sambaPasswordHistory: sambaAcctFlags: [UX ]
sambaKickoffTime: 1204325940
sambaPwdCanChange: 1154074953
sambaPwdLastSet: 1154074953

i can provide you with a level 10 debug log of winbindd offline (>700kb) if requested.

btw: it worked fine with 3.0.20b RPM from SuSE.

any ideas?

thx in advance!

smb.conf
=======
[global]
workgroup = DOMAIN
server string = Samba v3
# username map = /etc/samba/username.map
time server = yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
unix extensions = No
printcap name = cups
os level = 32

interfaces = lo eth0 vmnet1 vmnet8
bind interfaces only = yes
wins server = 192.168.x.y
preferred master = No
local master = No
domain master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap backend = idmap_rid:DOMAIN=10000-19999
idmap uid = 10000-19999
idmap gid = 10000-19999
winbind offline logon = yes
winbind separator = '\'
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
winbind trusted domains only = no
winbind cache time = 60
security = domain
allow trusted domains = no
template shell = /bin/bash
template homedir = /home/%U
invalid users = root

pam (common-auth)
================
auth required pam_env.so
# following also tried without arguments
auth sufficient pam_winbind.so debug try_first_pass cached_login
auth required pam_unix2.so use_first_pass
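Added example (not part of the original post and not Samba code): a triage check for the "Password has expired" line quoted above, flagging messages whose logged expiry precedes the last password change. The unsigned 32-bit wrap test is a hypothesis about how the logged numbers relate to the reported "maximum password age", not something the thread confirms; the function and field names are made up for this sketch.

```python
import re

# Message format as quoted in the post above (pam_winbind, Samba 3.0.23a).
EXPIRED_RE = re.compile(
    r"Password has expired \(Password was last set: (\d+), the policy says "
    r"it should expire here (\d+) \(now it's: (\d+)\)"
)
NEVER = 0xFFFFFFFF  # "maximum password age" that pdbedit reported on the PDC

# First line is copied from the post; the second is constructed for contrast
# (30-day policy, password genuinely past its expiry).
SAMPLE_LOG = [
    "Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired "
    "(Password was last set: 1154074953, the policy says it should expire "
    "here 1154074952 (now it's: 1154419163)",
    "Aug 1 10:02:11 host01 pam_winbind[100]: Password has expired "
    "(Password was last set: 1150000000, the policy says it should expire "
    "here 1152592000 (now it's: 1154419163)",
]


def triage(line, max_age=NEVER):
    """Classify one 'Password has expired' message; None if it is another line."""
    m = EXPIRED_RE.search(" ".join(line.split()))  # tolerate re-wrapped logs
    if m is None:
        return None
    last_set, expires, now = map(int, m.groups())
    if expires <= last_set:
        verdict = "bogus"         # expiry cannot precede the password change
    elif now >= expires:
        verdict = "expired"       # timestamps agree with the message
    else:
        verdict = "inconsistent"  # flagged as expired before its expiry time
    return {
        "verdict": verdict,
        "expires_minus_last_set": expires - last_set,
        # Hypothesis check (assumption, not confirmed in the thread):
        # expiry == last_set + max_age computed in unsigned 32-bit arithmetic.
        "matches_u32_wrap": expires == (last_set + max_age) & 0xFFFFFFFF,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG[0]))
    print(triage(SAMPLE_LOG[1], max_age=30 * 24 * 3600))
```

For the line from the post the expiry is one second before sambaPwdLastSet, which is also what 1154074953 + 4294967295 gives when truncated to 32 bits.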
Peter Trifonov
2006-Aug-01 09:35 UTC
[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired
Hello,

> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:

> 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new
> password Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch)
> gasch on /dev/pts/3

It seems to me that I have a similar problem. However, su succeeds and just writes to the console "Your password has expired"

With best regards,
P. Trifonov
Blindauer Emmanuel
2006-Aug-08 15:47 UTC
[Samba] [HELP] Samba 3.0.23a pam_winbind says password expired
I'm getting the same issue, except I can't log in because login only authorizes getting a shell after the password change.

Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD is sent?
(I have had this problem since upgrading from 200 to 2003 (mixed mode) and samba-3.0.23a, using security=ads and winbind)

Emmanuel

On Tuesday 1 August 2006 10:27, Michael Gasch wrote:
> hi,
>
> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
>
> Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind:
> pam_sm_authenticate (flags: 0x0000)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired
> (Password was last set: 1154074953, the policy says it should expire
> here 1154074952 (now
> it's: 1154419163)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success
> but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new
> password Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on
> /dev/pts/3
>
> there's no password policy on the domain controller (samba 3.0.14a,
> debian):
>
> root@PDC:~# pdbedit -d 0 -P "maximum password age"
> account policy value for maximum password age is 4294967295
> root@PDC:~# pdbedit -d 0 -P "password history"
> account policy value for password history is 0
>
> some samba-ldap attributes on PDC for user "gasch":
>
> sambaLogonTime: 1130931254
> sambaPwdMustChange: 2147483647
> sambaPasswordHistory: sambaAcctFlags: [UX ]
> sambaKickoffTime: 1204325940
> sambaPwdCanChange: 1154074953
> sambaPwdLastSet: 1154074953
>
> i can provide you with a level 10 debug log of winbindd offline (>700kb)
> if requested.
>
> btw: it worked fine with 3.0.20b RPM from SuSE.
> any ideas?
>
> thx in advance!
>
>
> smb.conf
> =======
> [global]
> workgroup = DOMAIN
> server string = Samba v3
> # username map = /etc/samba/username.map
> time server = yes
> log level = 2
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 10000
> unix extensions = No
> printcap name = cups
> os level = 32
>
> interfaces = lo eth0 vmnet1 vmnet8
> bind interfaces only = yes
> wins server = 192.168.x.y
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> idmap backend = idmap_rid:DOMAIN=10000-19999
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> winbind offline logon = yes
> winbind separator = '\'
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind trusted domains only = no
> winbind cache time = 60
> security = domain
> allow trusted domains = no
> template shell = /bin/bash
> template homedir = /home/%U
> invalid users = root
>
>
> pam (common-auth)
> ================
> auth required pam_env.so
> # following also tried without arguments
> auth sufficient pam_winbind.so debug try_first_pass cached_login
> auth required pam_unix2.so use_first_pass