similar to: pam_winbind: user needs new password

hi, i just do some tests with a fresh compiled samba 3.0.23a. trying to authenticate against PAM with pam_winbind gives: Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: pam_sm_authenticate (flags: 0x0000) Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch' Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag Aug 1 09:59:23 humevo36

Hello all, I have a pretty large DC and am using winbind for our linux workstations and im having a preculiar issue. Not all accounts but some...including mine are recieving the pam error to change password. example... ... WARNING: Your password has expired. You must change your password now and login again! Changing password for user msellers. Changing password for msellers (current) NT

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least

Hi all, I am having a problem with pam_winbind.so. Is there any documentation that tells exactly what each module with pam_winbind.so does? In other words, what does the auth section do, what does the account section do??? When I try to authenticate, the auth section in login pam seems to pass successfully, but the account section seems to fail. Here is my login module auth required

Greetings, Still trying to get Samba 3.0.15pre2 built on a Solaris 9 box with PAM support. I am using gcc 3.3.2 and I have openldap-2.2.24, krb5-1.4, and Cyrus SASL 2.1.20 installed. I have found other posting by people with problems building on Solaris as well as asking about the "_pam_macros.h" file that seems to be missing on Solaris. Posting about problems, but not with

Sorry for the repost, but I've not gotten any response and the problem persists. Does anyone have any idea how to fix? =================================== I read a few posts in the archives about this problem and that it was to be fixed in 3.0.23c. Currently I'm running 3.0.23d-2+b1 on a debian system and am getting the following: $ ssh -l testuser fileserver Password: Your password

I read a few posts in the archives about this problem and that it was to be fixed in 3.0.23c. Currently I'm running 3.0.23d-2+b1 on a debian system and am getting the following: $ ssh -l testuser fileserver Password: Your password has expired Here's what auth.log shows: Jan 4 11:46:26 tmcsamba1 pam_winbind[14309]: user 'DOMAIN1+testuser' OK Jan 4 11:46:26 tmcsamba1

>Okay, this appears to be a problem with pam_unix.so - the code in >pam_sm_open_session is written with the assumption that the tty name is of >the form "/dev/" + something else on the end. I'm not sure why the pam_sm_open_session in pam_unix on Solaris now does this: /* report error if ttyn or rhost are not set */ if ((ttyn == NULL) || (rhost == NULL))

A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba/attachments/20060525/a6a8d41f/signature.bin

Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However, when I try to log in via gdm, ssh, or even su, I do not

Hi Chris, Were you able to solve this. Regards, David. Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However,

http://bugzilla.mindrot.org/show_bug.cgi?id=1188 Summary: keyboard-interactive should not allow retry after pam_acct_mgmt fails Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support

Hello in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-( When a User try to login with a expired Passwort, SSH denys the Acces to the System fbeckman at zvadmxz:/home/fbeckman # ssh -v fbeckman at xy OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted.

We just started using NDS for Solaris to authenticate users on our SOlaris 2.6 boxes. Works great with OpenSSH except for one thing. When a user's password is expired, sshd won't allow them access, while telnetd reports the number of grace logins left, and asks to change the user's password. Seems to be an interaction with the PAM account module, but I'm not familiar enough

Greetings, Still no progress trying to get Samba 3.5.6 built on Solaris 10, using gcc 3.4.6. Maybe fresh eyes will see something? Been having issues building samba since 3.4.9 (and anything greater than 3.2.15 on Solaris 9 where samba will build, but winbind will not work properly for user authentication.) techops$ make Using CFLAGS = -I/opt/local/kerberos5/include -O -I.

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

We've discovered that although Winbind supports password changes when the account password is expired, this only works with *interactive* shells. This is a major problem for us. Use case 1: SSH tunnels: $ ssh user2@localhost -N -L 4711:localhost:22 user2@localhost's password: <trying to use the tunnel> channel 2: open failed: administratively prohibited: open failed As you can

All, The SAMBA version 3.0.21b expired password pam_winbind.so section perhaps might still have an issue. It seems to just be in some kind of loop and never completes the section in pam_winbind.c of pam_sm_chauthtok. See ssh (Solaris 4.2.p1 ssh) sequence below: ssh hermione Password: Changing password for leeraym (current) NT password: Re-enter new Password: Password: Password:

Greetings, ***Warning: New to compiling and use RPMs whenever I can :-)*** When trying to compile I get the above error. It is preceded by: ======= . . . Compiling nsswitch/pam_winbind.c with -fPIC nsswitch/pam_winbind.c:60: parse error before `*' nsswitch/pam_winbind.c: In function `converse': nsswitch/pam_winbind.c:67: `pamh' undeclared (first use in this function)