similar to: pam_krb5 pam_sm_authenticate question

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least

Greeting- I have a mixed network of ms-windows, macintosh and freebsd systems. I am setting up a FreeBSD 9.0 system as a PDC using samba. I can from a FreeBSD box attach to the SMB server as a user that is defined on the Samba Server. [wynkoop at dt0 ~]$ smbclient -L hp1 Enter wynkoop's password: Domain=[HARAPARTNERS] OS=[Unix] Server=[Samba 3.6.4] Sharename Type

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as

Hello, Prequalify: I'm quite a novice w/ Kerberos, so my terminology and assumptions may be rough. Also, please CC me since I'm not a list subscriber. I'm running a fairly recent -STABLE [1] and have installed the base Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in /etc/make.conf. I'm having the problem that I don't see a cached credential file being created

I am having problems upgrading samba 3.0.36 to 3.3.7. I have a working installation of Samba 3.0.36 on FreeBSD 7.2 amd64, configured as a domain member in a 2003 AD, running in native mode. Domain controllers have Services for Unix 3.5 installed and I am using idmap backend with SFU schema mode. I have enclosed my configuration files and compile options further down. When I upgrade to version

Hi list, Sorry for the cros-post, I'm not sure which list is better for me as I got a question related to samba, configuration, FreeBSD. I'm trying to configure NT authentication on FreeBSD 5.4 with Samba 3.0.12 (installed form the ports collection). I've folowed the Samba 3 howto I've managed the following : wbinfo -g returns correctly the domain groups wbinfo -u returns all

Hi list, Sorry for the cros-post, I'm not sure which list is better for me as I got a question related to samba, configuration, FreeBSD. I'm trying to configure NT authentication on FreeBSD 5.4 with Samba 3.0.12 (installed form the ports collection). I've folowed the Samba 3 howto I've managed the following : wbinfo -g returns correctly the domain groups wbinfo -u returns all

We've discovered that although Winbind supports password changes when the account password is expired, this only works with *interactive* shells. This is a major problem for us. Use case 1: SSH tunnels: $ ssh user2@localhost -N -L 4711:localhost:22 user2@localhost's password: <trying to use the tunnel> channel 2: open failed: administratively prohibited: open failed As you can

I'm setting up a freebsd server which will authenticate against an Active Directory I mean: the server will NOT have any local users (except mandatory and minimum required for management and configuration) and will authenticate requests for login and access FOR EVERY SERVICE against an Active Directory Server I have configured the samba service and currently I can login to local terminal,

Hi All I installed samba 3.0.23d on the FreeBSD 5.4 through the port tree and join to the Windows 2000 Domain. But I can't su anymore. And the Windows client cannot go into the share folder. I have pam_winbind.so at /usr/lib and /usr/local/lib. The error message shows: Jan 30 18:50:36 BSDSVR01 pam_winbind[26131]: request failed: No such user, PAM error was unknown user (13), NT error was

I've built a domain member. It works pretty good with the exception that I want on-the-fly home directories being built. I'm not sure this is doable with a domain member as everything I've tried isn't even called - as far as I can tell. Using log level 3. If anyone can shed light on how to dynamically create home directories, that'd be great. anyway, here's my

Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However, when I try to log in via gdm, ssh, or even su, I do not

Hi Chris, Were you able to solve this. Regards, David. Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However,

Okay, I guess I?ll be the first to take Colin Percival up in that the following statement applies to me: ?If you find a security problem -- or even if you find something which might possibly be a security problem but you're not certain if it is or not -- then please let us know.? I recently installed pam_radius according to the instructions located at the following address:

I've been trying for a couple of weeks to get FreeBSD + winbindd + PAM working, without success. I'm hoping that someone here has bumped into my problem before and has some advice to give. My current setup is winbindd from Samba 2.8.8a on both FreeBSD 4.8-RELEASE and 5.1-BETA. I've configured Samba with the following options: syslog, nocups, utmp, msdfs, quota, recycle, audit,

I'm running samba 2.5 on a FreeBSD box using winbind to do authentication with my PDC/BDC. I'm able to configure shares that everyone on the NT network can access but when I configure private shares (only 1 or 2 users have access to) the users get prompted for a username and password and are not allowed access. What am I doing wrong? Below I have included a copy of my smb.conf and pam.conf

Hello! I'm trying to configure a freshly built mail/cyrus-imapd22 to work and authenticate accounts -- Kerberos and plain text. The GSSAPI authentication works already. After doing kinit, I can do ``imtest -m GSSAPI hostname'' and it succeeds. Now I'm trying to login with plain text (over SSL). Cyrus' imapd keeps crashing from SIGBUS. According to ktrace, this happens

Hi! Can you attempt to get core dump with debugging symbols with dovecot too? Currently it seems to only contain symbols from kerberos bit, which is not very useful on it's own. Aki > On 12 February 2018 at 17:34 Ben Woods <woodsb02 at gmail.com> wrote: > > > Hi everyone, > > I have a repeatable core dump when running dovecot on FreeBSD in the > specific

Hello All: I am trying to authenticate against an Active Directory using winbind in my /etc/pam.d/sshd configuration (below). If the user is in the local password file, I can authenticate successfully using that user's Active Directory credentials. However, if the user is not in the local password file, I get the following errors. Nov 3 10:07:48 mailnat pam_winbind[29805]: request failed:

I have a shell user who is able to login to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password but nullok was not specified, so I think this should be considered a bug. During diagnosis, /etc/pam.d/sshd was configured for authentication using: ------------- auth required pam_ssh.so