thr3ads.net - samba - [Samba] PAM_WINBIND problem with sambaPwdMustChange [Mar 2009]

If this information is useful, please help other people find it:
Share via:

Eduardo Sachs

2009-Mar-13 01:21 UTC

[Samba] PAM_WINBIND problem with sambaPwdMustChange

Hi People!

	I use pam_winbind for authentication in my computer workstation using
Debian Lenny 5.0, Stable Version.

	I configure my user with this option "sambaPwdMustChange: 0", and I
logon in GDM without asking to change password. Who knows what can be?

	I use Samba PDC with Heimdal Kerberos, but, I configure PAM with only
pam_winbind for tests...

	Client versions:
	ii  libwbclient0                         2:3.2.5-4
client library for interfacing with winbind service
	ii  samba                                2:3.2.5-4                  a
LanManager-like file and printer server for Unix
	ii  samba-common                         2:3.2.5-4
Samba common files used by both the server and the client
	ii  winbind                              2:3.2.5-4
service to resolve user and group information from Windows NT

	Server versions:
	ii  samba                             	 2:3.2.5-4             a
LanManager-like file and printer server for Unix

	My configuration of PAM is simple:
	auth    	sufficient      pam_winbind.so debug
	auth    	required        pam_unix.so nullok_secure use_first_pass
	account 	sufficient      pam_unix.so
	account 	sufficient      pam_winbind.so
	account 	required        pam_deny.so
	password  	sufficient   	pam_unix.so nullok obscure md5
	password  	required     	pam_winbind.so
	session      	optional      	pam_unix.so
	session      	optional      	pam_winbind.so
	session      	optional      	pam_mkhomedir.so skel=/etc/skel/ umask=077

	Debug PAM:
	pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate
(flags: 0x0000)
	pam_winbind(gdm:auth): getting password (0x00000181)
	pam_winbind(gdm:auth): Verify user 'sachs'
	pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE'
	pam_winbind(gdm:auth): enabling krb5 login flag
	pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
	pam_winbind(gdm:auth): user 'sachs' granted access
	pam_winbind(gdm:auth): Returned user was 'sachs'
	pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0
	pam_winbind(gdm:account): user 'sachs' OK
	pam_winbind(gdm:account): user 'sachs' granted access
	pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred
(flags: 0x0002)
	pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
	pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0

	Some configurations:
	1 - Nsswitch configure with LDAP, its work fine.
	
	2 - smb.conf

	[global]
	        workgroup = _LOCAL_
	        netbios name = debian-x11
	        realm = LOCAL.INT.BR
	        security = domain
	        wins server = 10.111.222.100
		use kerberos keytab = yes
		client use spnego = yes
		client NTLMv2 auth = yes
		
		bind interfaces only = yes
		interfaces = eth0 10.111.222.103, lo 127.0.0.1
		hosts allow = 10.111.222.0/24, 127.0.0.1
	
		debug level = 2
		log file = /var/log/samba/%m.log
		max log size = 50
		log level = 1
		syslog = 0	
		utmp = Yes

	        idmap uid = 10000-15000
	        idmap gid = 10000-15000
	        template shell = /bin/bash
	        template homedir = /home/users/%U
	        winbind separator = +
	        winbind enum users = yes
	        winbind enum groups = yes
	        winbind use default domain = yes

		encrypt passwords = yes
	        invalid users = root
		socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	        local master = no
		domain master = no
		dns proxy = no
        	
		preserve case = yes
		short preserve case = no
		default case = lower
        	case sensitive = no
        	
        	dos charset = cp850
        	unix charset = iso8859-1
        	display charset = LOCALE
        	restrict anonymous = 0

	Thanks!

Eduardo Sachs

2009-Mar-13 11:26 UTC

head link

[Samba] PAM_WINBIND problem with sambaPwdMustChange

Hi Friends...

Now is working.

When I use the command: smbldap-usermod sachs -B 1

Smbldap-tools change only sambaPwdMustChange to 0, I will report this
for IDEALX and to group Debian.

Thanks!

2009/3/13 David Markey <dmarkey@comp.dit.ie>:> sambaPwdMustChange is depreciated.
>
> Its now calculated dynamically. sambaPwdLastSet + sambaMaxPwdAge
>
> If you want to force a password change set sambaPwdLastSet to 0.
>
>
>
>
>
>
> Eduardo Sachs wrote:
>> Hi People!
>>
>> ? ? ? I use pam_winbind for authentication in my computer workstation
using
>> Debian Lenny 5.0, Stable Version.
>>
>> ? ? ? I configure my user with this option "sambaPwdMustChange:
0", and I
>> logon in GDM without asking to change password. Who knows what can be?
>>
>> ? ? ? I use Samba PDC with Heimdal Kerberos, but, I configure PAM with
only
>> pam_winbind for tests...
>>
>> ? ? ? Client versions:
>> ? ? ? ii ?libwbclient0 ? ? ? ? ? ? ? ? ? ? ? ? 2:3.2.5-4
>> client library for interfacing with winbind service
>> ? ? ? ii ?samba ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?2:3.2.5-4 ? ? ? ? ? ? ?
? ?a
>> LanManager-like file and printer server for Unix
>> ? ? ? ii ?samba-common ? ? ? ? ? ? ? ? ? ? ? ? 2:3.2.5-4
>> Samba common files used by both the server and the client
>> ? ? ? ii ?winbind ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?2:3.2.5-4
>> service to resolve user and group information from Windows NT
>>
>> ? ? ? Server versions:
>> ? ? ? ii ?samba ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?2:3.2.5-4 ? ? ? ? ? ? a
>> LanManager-like file and printer server for Unix
>>
>> ? ? ? My configuration of PAM is simple:
>> ? ? ? auth ? ? ? ? ? ?sufficient ? ? ?pam_winbind.so debug
>> ? ? ? auth ? ? ? ? ? ?required ? ? ? ?pam_unix.so nullok_secure
use_first_pass
>> ? ? ? account ? ? ? ? sufficient ? ? ?pam_unix.so
>> ? ? ? account ? ? ? ? sufficient ? ? ?pam_winbind.so
>> ? ? ? account ? ? ? ? required ? ? ? ?pam_deny.so
>> ? ? ? password ? ? ? ?sufficient ? ? ?pam_unix.so nullok obscure md5
>> ? ? ? password ? ? ? ?required ? ? ? ?pam_winbind.so
>> ? ? ? session ? ? ? ? optional ? ? ? ?pam_unix.so
>> ? ? ? session ? ? ? ? optional ? ? ? ?pam_winbind.so
>> ? ? ? session ? ? ? ? optional ? ? ? ?pam_mkhomedir.so skel=/etc/skel/
umask=077
>>
>> ? ? ? Debug PAM:
>> ? ? ? pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER:
pam_sm_authenticate
>> (flags: 0x0000)
>> ? ? ? pam_winbind(gdm:auth): getting password (0x00000181)
>> ? ? ? pam_winbind(gdm:auth): Verify user 'sachs'
>> ? ? ? pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type
'FILE'
>> ? ? ? pam_winbind(gdm:auth): enabling krb5 login flag
>> ? ? ? pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
>> ? ? ? pam_winbind(gdm:auth): user 'sachs' granted access
>> ? ? ? pam_winbind(gdm:auth): Returned user was 'sachs'
>> ? ? ? pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE:
pam_sm_authenticate returning 0
>> ? ? ? pam_winbind(gdm:account): user 'sachs' OK
>> ? ? ? pam_winbind(gdm:account): user 'sachs' granted access
>> ? ? ? pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred
>> (flags: 0x0002)
>> ? ? ? pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
>> ? ? ? pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred
returning 0
>>
>> ? ? ? Some configurations:
>> ? ? ? 1 - Nsswitch configure with LDAP, its work fine.
>>
>> ? ? ? 2 - smb.conf
>>
>> ? ? ? [global]
>> ? ? ? ? ? ? ? workgroup = _LOCAL_
>> ? ? ? ? ? ? ? netbios name = debian-x11
>> ? ? ? ? ? ? ? realm = LOCAL.INT.BR
>> ? ? ? ? ? ? ? security = domain
>> ? ? ? ? ? ? ? wins server = 10.111.222.100
>> ? ? ? ? ? ? ? use kerberos keytab = yes
>> ? ? ? ? ? ? ? client use spnego = yes
>> ? ? ? ? ? ? ? client NTLMv2 auth = yes
>>
>> ? ? ? ? ? ? ? bind interfaces only = yes
>> ? ? ? ? ? ? ? interfaces = eth0 10.111.222.103, lo 127.0.0.1
>> ? ? ? ? ? ? ? hosts allow = 10.111.222.0/24, 127.0.0.1
>>
>> ? ? ? ? ? ? ? debug level = 2
>> ? ? ? ? ? ? ? log file = /var/log/samba/%m.log
>> ? ? ? ? ? ? ? max log size = 50
>> ? ? ? ? ? ? ? log level = 1
>> ? ? ? ? ? ? ? syslog = 0
>> ? ? ? ? ? ? ? utmp = Yes
>>
>> ? ? ? ? ? ? ? idmap uid = 10000-15000
>> ? ? ? ? ? ? ? idmap gid = 10000-15000
>> ? ? ? ? ? ? ? template shell = /bin/bash
>> ? ? ? ? ? ? ? template homedir = /home/users/%U
>> ? ? ? ? ? ? ? winbind separator = +
>> ? ? ? ? ? ? ? winbind enum users = yes
>> ? ? ? ? ? ? ? winbind enum groups = yes
>> ? ? ? ? ? ? ? winbind use default domain = yes
>>
>> ? ? ? ? ? ? ? encrypt passwords = yes
>> ? ? ? ? ? ? ? invalid users = root
>> ? ? ? ? ? ? ? socket options = TCP_NODELAY IPTOS_LOWDELAY
SO_RCVBUF=8192 SO_SNDBUF=8192
>> ? ? ? ? ? ? ? local master = no
>> ? ? ? ? ? ? ? domain master = no
>> ? ? ? ? ? ? ? dns proxy = no
>>
>> ? ? ? ? ? ? ? preserve case = yes
>> ? ? ? ? ? ? ? short preserve case = no
>> ? ? ? ? ? ? ? default case = lower
>> ? ? ? ? ? ? ? case sensitive = no
>>
>> ? ? ? ? ? ? ? dos charset = cp850
>> ? ? ? ? ? ? ? unix charset = iso8859-1
>> ? ? ? ? ? ? ? display charset = LOCALE
>> ? ? ? ? ? ? ? restrict anonymous = 0
>>
>> ? ? ? Thanks!
>>
>
>

Reasonably Related Threads

Search for more maybe matching threads

samba - Mar 2009 - PAM_WINBIND problem with sambaPwdMustChange

[Samba] PAM_WINBIND problem with sambaPwdMustChange

[Samba] PAM_WINBIND problem with sambaPwdMustChange

Reasonably Related Threads