Peter Åstrand
2008-Jan-20 15:51 UTC
[Samba] winbind forced password change requires interactive shell
We've discovered that although Winbind supports password changes when the account password is expired, this only works with *interactive* shells. This is a major problem for us. Use case 1: SSH tunnels: $ ssh user2@localhost -N -L 4711:localhost:22 user2@localhost's password: <trying to use the tunnel> channel 2: open failed: administratively prohibited: open failed As you can see, in this case, the user gets no hint whatsoever that the password has expired. Use case 2: Executing a command: $ ssh user2@localhost /usr/bin/env user2@localhost's password: WARNING: Your password has expired. Password change required but no TTY available. Here you will at least know what's going on, but you have no chance of changing the password. Is this really the intended behaviour? To me, it looks like the password changing is done too late; when starting an interactive session, rather than in the authentication phase. Why? With the SSH keyboard-interactive authentication, a password change interaction with the user should be possible. I've tried with samba-3.0.25b-1.el5_1.4 on RHEL5, but also samba-3.0.23c-2. Of course, this might be something specific to Red Hat, but I'm fairly sure we have seen this on SLED10 as well. I've also tried running pam_winbind with debugging. When logging in non-interactively, I'll get: sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2 sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001) sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011) sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2' sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0 sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000) sshd[12345]: pam_winbind(sshd:account): user 'user2' OK sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12 sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2 sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002) sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0) sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008) sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 When interactive, I'll get: sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2 sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001) sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011) sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2' sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0 sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000) sshd[12345]: pam_winbind(sshd:account): user 'user2' OK sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12 sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2 sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002) sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0) sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008) sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x4000) passwd: pam_winbind(passwd:chauthtok): username [user2] obtained passwd: pam_winbind(passwd:chauthtok): user 'user2' OK passwd: pam_winbind(passwd:chauthtok): getting password (0x00000021) passwd: pam_winbind(passwd:chauthtok): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE passwd: pam_winbind(passwd:chauthtok): user 'user2' new password required passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] LEAVE: pam_sm_chauthtok returning 0 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x2000) passwd: pam_winbind(passwd:chauthtok): username [user2] obtained passwd: pam_winbind(passwd:chauthtok): user 'user2' OK passwd: pam_winbind(passwd:chauthtok): getting password (0x00000001) sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0004) sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_close_session (flags: 0x0004) sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_close_session returning 0 sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 sshd[12345]: pam_unix(sshd:session): session closed for user user2 (pids and adresses normalized). A "diff" indicates that the only difference is that the interactive session does "pam_winbind(passwd:chauthtok)"; this never happens when running a command or just using tunnels. Any ideas? Best regards, --- Peter ?strand ThinLinc Chief Developer Cendio AB http://www.cendio.se Wallenbergs gata 4 583 30 Link?ping Phone: +46-13-21 46 00
Peter Åstrand
2008-Jan-21 10:11 UTC
[Samba] Re: winbind forced password change requires interactive shell
On Sun, 20 Jan 2008, Peter ?strand wrote:> We've discovered that although Winbind supports password changes when the > account password is expired, this only works with *interactive* shells.It turns out that I had forgotten to configure SSH for "keyboard-interactive". With this setting, things works as intended, at least on the RHEL5 system I'm testing now. Rgds, --- Peter ?strand ThinLinc Chief Developer Cendio AB http://www.cendio.se Wallenbergs gata 4 583 30 Link?ping Phone: +46-13-21 46 00
Reasonably Related Threads
- winbind authentication mystery
- winbind authentication mystery
- Failed to establish your Kerberos Ticket cache due time differences with the domain controller
- [samba4] Users can't change password from the server
- Winbind fails to refresh Kerberos tickets (3.0.25b - Fedora Core 5) - 2nd Try