I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003. If my AD account password is in good standing, my config works great in /etc/pam.conf. However - I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below - it just tells me "login incorrect". Any ideas?

My /opt/samba/smb.conf file looks like:

    [global]
    workgroup = QACCESST
    realm = QACCESST.ADTEST.AD.LAB
    server string = %h server (Samba %v)
    security = ADS
    update encrypted = Yes
    obey pam restrictions = Yes
    enable privileges = Yes
    pam password change = Yes
    passwd program = /bin/passwd %u
    username map = /etc/samba/smbusers
    unix password sync = Yes
    log level = 5
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    template shell = /bin/bash
    winbind cache time = 10
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes

    [homes]
    valid users = %S
    read only = No
    browseable = No

/etc/nsswitch.conf:

    passwd: files winbind
    group: files winbind
    hosts: files dns winbind
    ipnodes: files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    # At present there isn't a 'files' backend for netgroup; the system will
    # figure it out pretty quickly, and won't use netgroups at all.
    netgroup: files
    automount: files
    aliases: files
    services: files
    sendmailvars: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files

/etc/pam.conf (snipped for the dtlogin section only):

    # CDE login and screenlock
    dtlogin auth sufficient pam_winbind.so debug use_first_pass use_authtok
    dtlogin auth requisite pam_authtok_get.so.1 debug
    dtlogin auth required pam_dhkeys.so.1 debug
    #dtlogin auth optional pam_krb5.so use_first_pass creds debug
    dtlogin auth sufficient pam_unix_auth.so.1 debug try_first_pass
    #dtlogin auth sufficient pam_dial_auth.so.1 debug
    #dtlogin account requisite pam_roles.so.1 debug
    #dtlogin account requisite pam_projects.so.1 debug
    #dtlogin account sufficient pam_unix_account.so.1 debug
    dtlogin account required pam_winbind.so use_authtok
    #dtlogin password sufficient pam_dhkeys.so.1 debug
    #dtlogin password requisite pam_authtok_get.so.1 debug
    #dtlogin password requisite pam_authtok_check.so.1 debug
    #dtlogin password sufficient pam_authtok_store.so.1 debug
    dtlogin password required pam_winbind.so debug use_authtok
    dtsession auth sufficient pam_winbind.so debug try_first_pass
    dtsession auth required pam_unix.so.1

Thanks in advance!

Bruce