samba - Aug 2006 - [HELP] Samba 3.0.23a pam_winbind says password expired

hi,

i just do some tests with a fresh compiled samba 3.0.23a.
trying to authenticate against PAM with pam_winbind gives:

Aug  1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: 
pam_sm_authenticate (flags: 0x0000)
Aug  1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
Aug  1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
Aug  1 09:59:23 humevo36 pam_winbind[27853]: Password has expired 
(Password was last set: 1154074953, the policy says it should expire 
here 1154074952 (now
it's: 1154419163)
Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
Aug  1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success 
but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new
password
Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3

there?s no password policy on the domain controller (samba 3.0.14a, debian):

root@PDC:~# pdbedit -d 0 -P "maximum password age"
account policy value for maximum password age is 4294967295
root@PDC:~# pdbedit -d 0 -P "password history"
account policy value for password history is 0

some samba-ldap attributes on PDC for user "gasch":

sambaLogonTime: 1130931254
sambaPwdMustChange: 2147483647
sambaPasswordHistory: sambaAcctFlags: [UX         ]
sambaKickoffTime: 1204325940
sambaPwdCanChange: 1154074953
sambaPwdLastSet: 1154074953

i can provide you with a level 10 debug log of winbindd offline (>700kb) 
if requested.

btw: it worked fine with 3.0.20b RPM from SuSE.
any ideas?

thx in advance!


smb.conf
=======[global]
         workgroup = DOMAIN
         server string = Samba v3
#       username map = /etc/samba/username.map
         time server = yes
         log level = 2
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 10000
         unix extensions = No
         printcap name = cups
         os level = 32

         interfaces = lo eth0 vmnet1 vmnet8
         bind interfaces only = yes
         wins server = 192.168.x.y
         preferred master = No
         local master = No
         domain master = No
         dns proxy = No
         panic action = /usr/share/samba/panic-action %d
         idmap backend = idmap_rid:DOMAIN=10000-19999
         idmap uid = 10000-19999
         idmap gid = 10000-19999
         winbind offline logon = yes
         winbind separator = '\'
         winbind enum users = No
         winbind enum groups = No
         winbind use default domain = Yes
         winbind trusted domains only = no
         winbind cache time = 60
         security = domain
         allow trusted domains = no
         template shell = /bin/bash
         template homedir = /home/%U
         invalid users = root


pam (common-auth)
================auth    required        pam_env.so
# following also tried without arguments
auth    sufficient      pam_winbind.so debug try_first_pass cached_login
auth    required        pam_unix2.so use_first_pass

Hello,

> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
> 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new 
> password Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) 
> gasch on /dev/pts/3
It seems to me that I have similar problem. However, su succeeds and just
writes to the console 
"Your password has expired"



With best regards,
P. Trifonov

I'm getting the same issue except I can't log in because login only
autorise
to get a shell after the pass change.
Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD  is sent ?
(I have this problem since upgrading from 200 to 2003 (mixed mode) and 
samba-3.0.23a, using security=ads and winbind 

Emmanuel

Le mardi 1 ao?t 2006 10:27, Michael Gasch a ?crit?:
> hi,
>
> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
>
> Aug  1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind:
> pam_sm_authenticate (flags: 0x0000)
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted
access
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: Password has expired
> (Password was last set: 1154074953, the policy says it should expire
> here 1154074952 (now
> it's: 1154419163)
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success
> but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new
> password Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on
> /dev/pts/3
>
> there?s no password policy on the domain controller (samba 3.0.14a,
> debian):
>
> root@PDC:~# pdbedit -d 0 -P "maximum password age"
> account policy value for maximum password age is 4294967295
> root@PDC:~# pdbedit -d 0 -P "password history"
> account policy value for password history is 0
>
> some samba-ldap attributes on PDC for user "gasch":
>
> sambaLogonTime: 1130931254
> sambaPwdMustChange: 2147483647
> sambaPasswordHistory: sambaAcctFlags: [UX         ]
> sambaKickoffTime: 1204325940
> sambaPwdCanChange: 1154074953
> sambaPwdLastSet: 1154074953
>
> i can provide you with a level 10 debug log of winbindd offline (>700kb)
> if requested.
>
> btw: it worked fine with 3.0.20b RPM from SuSE.
> any ideas?
>
> thx in advance!
>
>
> smb.conf
> =======> [global]
>          workgroup = DOMAIN
>          server string = Samba v3
> #       username map = /etc/samba/username.map
>          time server = yes
>          log level = 2
>          syslog = 0
>          log file = /var/log/samba/log.%m
>          max log size = 10000
>          unix extensions = No
>          printcap name = cups
>          os level = 32
>
>          interfaces = lo eth0 vmnet1 vmnet8
>          bind interfaces only = yes
>          wins server = 192.168.x.y
>          preferred master = No
>          local master = No
>          domain master = No
>          dns proxy = No
>          panic action = /usr/share/samba/panic-action %d
>          idmap backend = idmap_rid:DOMAIN=10000-19999
>          idmap uid = 10000-19999
>          idmap gid = 10000-19999
>          winbind offline logon = yes
>          winbind separator = '\'
>          winbind enum users = No
>          winbind enum groups = No
>          winbind use default domain = Yes
>          winbind trusted domains only = no
>          winbind cache time = 60
>          security = domain
>          allow trusted domains = no
>          template shell = /bin/bash
>          template homedir = /home/%U
>          invalid users = root
>
>
> pam (common-auth)
> ================> auth    required        pam_env.so
> # following also tried without arguments
> auth    sufficient      pam_winbind.so debug try_first_pass cached_login
> auth    required        pam_unix2.so use_first_pass