search for: pam_sm_acct_mgmt

...v 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240 Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt():...

...required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0 sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000) sshd[12345]: pam_winbind(sshd:account): user 'user2' OK sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password sshd[12345]: pam_winbind(sshd:acco...

...e policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): user 'cmthielen' needs new password Jun 24 15:29:58 history-20 sshd[4656]: pam...

...e policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): user 'cmthielen' needs new password Jun 24 15:29:58 history-20 sshd[4656]: pam...

...on has a gaping hole and is at fault. - A PAM module may defer authentication and authorization, in password-change-required situations, to pam_sm_chauthtok(3PAM), but if so it must: a) return PAM_SUCCESS from its pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from its pam_sm_acct_mgmt(3PAM). Kerberos V and LDAP BIND type modules typically do this. If it does otherwise then it will either not support password aging or sport a gaping security hole. - Such modules' account modules must be configured as required or requisite or binding. - Care must be...

...-186 su: pam_winbind(su:auth): getting password (0x00000010) May 1 10:27:25 poste161-186 su: pam_winbind(su:auth): pam_get_item returned a password May 1 10:27:25 poste161-186 su: pam_winbind(su:auth): user 'emartel' granted access May 1 10:27:25 poste161-186 su: pam_winbind(su:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set May 1 10:27:25 poste161-186 su: pam_winbind(su:account): user 'emartel' needs new password May 1 10:27:27 poste161-186 su: pam_tcb(su:chauthtok): Credentials for user emartel unknown So access is granted, but for whatever reason the user (a...

...D 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_STATUS_PASSWORD_MUST_CHANGE Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 120530 auth.warning] user `leeraym' new password required Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Feb 1 14:53:29 hermione pam_winbind[1153]: [ID 775411 auth.notice] user 'leeraym' needs new password Feb 1 14:53:32 hermione pam_winbind[1153]: [ID 467601 auth.error] request failed: Must change password, PAM error was 10, NT error was NT_ST...

...M standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user can't be said to be authenticated at that point. The problem with this is that by the time pam_acct_mgmt() is called in OpenSSH userauth has been completed, so kbd-interactive is not used for the password changing and in...

...r the pam-session is started for regular users. As a result, regular users don't have a tty when the pam-session modules are called. Is this intended? Frank For root: Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Found matching RSA key: ... Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_acct_mgmt Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) Accepted publickey for root from 127.0.0.1 port 47019 Apr 6 09:53:53 garfield2 sshd[16255]: (S 8) channel 0: new: server-session, nchannels open: 1 Apr 6 09:53:53 garfield2 sshd[16255]: pam_log: pam_sm_setcred Apr 6 09:53:53 garfield2 sshd[16257]: pam...

https://bugzilla.mindrot.org/show_bug.cgi?id=2475 Bug ID: 2475 Summary: Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled Product: Portable OpenSSH Version: 7.1p1 Hardware: ix86 OS: Linux Status: NEW

...Returned user was 'SAMDOM\jgraham' ??? Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:auth): [pamh: 0x55dc18bc2780] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) ??? Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): [pamh: 0x55dc18bc2780] ENTER: pam_sm_acct_mgmt (flags: 0x0000) ??? Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access ??? Nov 27 09:32:47 terra sshd-session[16687]: pam_winbind(sshd:account): [pamh: 0x55dc18bc2780] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS) ??? Nov 27...

...------------------and here is the log snippet------ Jul 18 16:29:24 pam_winbind[20827]: Verify user `xxxx+xxxx' Jul 18 16:29:25 pam_winbind[20827]: user 'xxxx+xxxx' granted acces Jul 18 16:15:36 pam_winbind[20781]: user `xxxx+xxxx' not found Jul 18 16:29:25 login[20827]: pam_unix2: pam_sm_acct_mgmt() called Jul 18 16:29:27 login[20827]: pam_unix2: pam_ldap returned 10 Jul 18 16:29:27 login[20827]: User not known to the underlying authentication module I know the second pam_winbind.so error above is from the account section because when I comment it out and retry, it disappears. Any ideas??...

...uirement. The user isnt defined on the box in either shadow or passwd, they are only defined in AD, but are successfully able to authenticate as shown in the log below. Some logs below: /var/log/secure Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (...

...g my password works, but reconnecting results in the same prompt, thus going over and over again. Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' granted access Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' OK Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Aug 15 16:02:38 ctilinux2 pam_winbind[1081]: user 'msellers' needs new password Im never able to login with this account. Ive looked at debug 10 of winbind and cant see anything exciting. Ive seen a few posts in the past but no resolutions....

...ix_account.so does an explicit check for *LK* so it is now safe to call pam_acct_mgmt() if pam_authenticate() wasn't called. I would say that this is a bug in pam_unix.so on Solaris 2.6 onwards, you should log a call with Sun Enterprise Services. I would recommend stating the bug as follows: pam_sm_acct_mgmt() in pam_unix.so.1 does not check for the users password being the lockstring (*LK*). This has already been fixed in Solaris 9 pam_unix_account.so and I would like a similar fix applied to pam_unix.so.1 for Solaris 7 onwards. -- Darren J Moffat

...ccess Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired (Password was last set: 1154074953, the policy says it should expire here 1154074952 (now it's: 1154419163) Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3 there?s no password policy on the domain controller (samba 3.0.14a, debian): root@PDC:~# pdbe...

...nd I did not get the warning message which I should. I enabled the DEBUG level to 3 and I can see that sshd did received the warning message but It is not displayed from login session. Information from DEBUG : Jul 13 17:05:31 tatiana sshd[25599]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt() Jul 13 17:05:31 tatiana sshd[25599]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(n113839), flags = 0 Jul 13 17:05:31 tatiana sshd[25599]: [ID 800047 auth.debug] debug3: PAM: sshpam_thread_conv entering, 1 messages Jul 13 17:05:31 tatiana sshd[25599]: [ID 800047 auth.debug] debug3: ssh_msg_send:...

...22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 997726 local4.debug] pam_acct_mgmt() Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 305314 local4.debug] load_modules: /usr/lib/security/pam_roles.so.1 Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 265225 local4.debug] load_function: successful load of pam_sm_acct_mgmt Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 305314 local4.debug] load_modules: /usr/lib/security/pam_projects.so.1 Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 265225 local4.debug] load_function: successful load of pam_sm_acct_mgmt Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 305314 local...

...s 'SAMDOM\jgraham' > ??? Nov 27 09:32:47 terra sshd-session[16687]: > pam_winbind(sshd:auth): [pamh: 0x55dc18bc2780] LEAVE: > pam_sm_authenticate returning 0 (PAM_SUCCESS) Nov 27 09:32:47 terra > sshd-session[16687]: pam_winbind(sshd:account): [pamh: > 0x55dc18bc2780] ENTER: pam_sm_acct_mgmt (flags: 0x0000) > ??? Nov 27 09:32:47 terra sshd-session[16687]: > pam_winbind(sshd:account): user 'SAMDOM\jgraham' granted access > ??? Nov 27 09:32:47 terra sshd-session[16687]: > pam_winbind(sshd:account): [pamh: 0x55dc18bc2780] LEAVE: > pam_sm_acct_mgmt returning 0 (...

...ssh (pam is in use) - these users are redirected (via nss module) to a linux user who cannot log in directly to the system so far this is working fine. But now I also want the user to change the password if it has expired. Therefore my PAM module returns the error code PAM_NEW_AUTHTOK_REQD in the pam_sm_acct_mgmt function. The user is then prompted to change the password. Unfortunately, the function of my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd. In the source code I then saw that the passwd binary is called dir...