In the meantime, until someone gets a better idea, I compiled pam_winbind.so
from Samba 3.3.4 sources with the following modifications to pam_winbind.c:
--- samba-3.3.4/source/nsswitch/pam_winbind.c 2009-04-28
02:46:16.000000000 -0400
+++ samba-3.3.4.modified/source/nsswitch/pam_winbind.c 2009-05-01
11:57:37.000000000 -0400
@@ -821,6 +821,9
@@
int
warn_pwd_expire,
bool
*already_expired)
{
+ // Added by Eric Martel: avoid faulty expiry
message
+ return
false;
+
int days 0;
struct tm tm_now, tm_next_change;
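Review bot: the unconditional `return false;` at the top of this function turns off the expiry warning for every account, not only those receiving the faulty message, and it returns before `*already_expired` is written, so the caller sees whatever value it initialised that out-parameter with. Set `*already_expired = false` (when the pointer is non-NULL) before returning, and put the bypass behind a module option or build-time switch rather than hard-coding it, so warnings for passwords that really are close to expiry still reach users. The statement also sits ahead of the `int days` and `struct tm` declarations, which mixes code with declarations and leaves the rest of the body unreachable; move it below the declarations or remove the dead body.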
@@ -2703,14 +2706,16 @@
case PAM_AUTHTOK_EXPIRED:
/* fall through, since new token is
required in this case */
case PAM_NEW_AUTHTOK_REQD:
- _pam_log(ctx, LOG_WARNING,
+ // commented by Eric Martel to prevent
faulty logon rejection
+ /*_pam_log(ctx, LOG_WARNING,
"pam_sm_acct_mgmt success but
%s is set",
PAM_WINBIND_NEW_AUTHTOK_REQD);
_pam_log(ctx, LOG_NOTICE,
"user '%s' needs new
password",
username);
/* PAM_AUTHTOKEN_REQD does not exist,
but is documented in the manpage */
- ret = PAM_NEW_AUTHTOK_REQD;
+ //ret = PAM_NEW_AUTHTOK_REQD;
+ ret = PAM_SUCCESS;
goto out;
default:
_pam_log(ctx, LOG_WARNING,
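Review bot: with `ret = PAM_SUCCESS;` under `case PAM_AUTHTOK_EXPIRED:` and `case PAM_NEW_AUTHTOK_REQD:`, the account-management step now accepts accounts whose password has actually expired or must be changed, and because both `_pam_log` calls are commented out, nothing in auth.log records that the condition was overridden. Keep at least the LOG_WARNING call active so the override stays auditable, and restrict the override to the faulty case rather than both labels. The `/*` opened in front of `_pam_log(ctx, LOG_WARNING,` is closed only by the `*/` of the existing "PAM_AUTHTOKEN_REQD does not exist" comment, so the block compiles by coincidence; wrap the disabled lines in `#if 0` / `#endif` instead.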
This is a very ugly dirty fix, but at least it works and my users can
login without a glitch now. Still hoping to hear from Samba gurus out
there! :)
Eric wrote:
> Hi,
>
> I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1
> (Samba 3.3.2), keeping all the same config files I had before. I use
> pam_winbind to authenticate users against MS Active Directory.
> Everything was working perfectly prior to the upgrade, and now
> everything seems to be fine except for one thing: no user can have
> access due to the following errors (taken from auth.log):
>
> May 1 10:27:25 poste161-186 su: pam_winbind(su:auth): getting password (0x00000010)
> May 1 10:27:25 poste161-186 su: pam_winbind(su:auth): pam_get_item returned a password
> May 1 10:27:25 poste161-186 su: pam_winbind(su:auth): user 'emartel' granted access
> May 1 10:27:25 poste161-186 su: pam_winbind(su:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> May 1 10:27:25 poste161-186 su: pam_winbind(su:account): user 'emartel' needs new password
> May 1 10:27:27 poste161-186 su: pam_tcb(su:chauthtok): Credentials for user emartel unknown
>
> So access is granted, but for whatever reason the user (any user) is
> informed by the console that his password has expired and he needs to
> change it. If he tries to change it at the console as proposed, not only
> he still doesn't get access but the password is not changed whatsoever.
> I googled this, but all I found was old info regarding a bug in Samba
> 3.0.2x; has this bug returned? Am I missing something? Is that a
> Mandriva issue? Is there any workaround that doesn't involve playing
> with AD settings?
>
> Thanks!
>
> Eric Martel
> Québec, Canada
>