Hi Michael,

> thx for your response. so what's the difference in our 
> setups? could you please post your samba DC version, pam 
> settings and smb.conf of the member?

> 
> >>>>09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
> >>>>Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on dev/pts/3
> >>>It seems to me that I have a similar problem. However, su
> >>>succeeds and just writes to the console "Your password has expired"
> >>what about logins? can you login successfully?
> > Yes, all pam-based services (pop3, su, etc) permit login. 
> > Some of them (like su) inform the user that he needs to change the password.

The network has two domain controllers - Win2000 and Win2003 servers.
Samba 3.0.23a is installed on a FreeBSD 6.1 box.


Please see my smb.conf below:


[global]
        dos charset = CP866
        workgroup = RESEARCH
        realm = RESEARCH.DCN
        netbios name = MASTER
        server string = Public file server
        security = ADS
        password server = 
        username map = /usr/local/etc/smbusers
        unix extensions = No
        wins server = 10.0.103.5
        ldap ssl = no
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        template shell = /usr/local/bin/bash
        winbind separator = /
        winbind use default domain = Yes

[shared directory configuration goes below]



It seems that the "password expired" message originates from the following
piece of code in pam_winbind.c:

        case 0:
                pam_get_data( pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, (void **)&tmp);
                if (tmp != NULL) {
                        retval = atoi(tmp);
                        switch (retval) {
                        case PAM_AUTHTOK_EXPIRED:
                                /* fall through, since new token is required in this case */
                        case PAM_NEW_AUTHTOK_REQD:
                                _pam_log(LOG_WARNING, "pam_sm_acct_mgmt success but %s is set",
                                         PAM_WINBIND_NEW_AUTHTOK_REQD);
                                _pam_log(LOG_NOTICE, "user '%s' needs new password", username);
                                /* PAM_AUTHTOKEN_REQD does not exist, but is documented in the manpage */
                                return PAM_NEW_AUTHTOK_REQD;
                        default:
                                _pam_log(LOG_WARNING, "pam_sm_acct_mgmt success");
                                _pam_log(LOG_NOTICE, "user '%s' granted access", username);
                                return PAM_SUCCESS;
                        }
                }



With best regards,
P. Trifonov  
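
Added example (not part of the original message and not Samba's code): a self-contained C model of the two sides discussed above, the module decoding its stored flag and a PAM-aware service acting on the account-phase result. The EX_* codes, the function names and the change_pw callback are assumptions made for this sketch, and refusing a malformed flag is a choice of the example, not behaviour of the excerpt.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in result codes, constructed so the example builds without PAM
 * headers; real code takes the PAM_* values from <security/pam_appl.h>. */
enum { EX_SUCCESS = 0, EX_NEW_AUTHTOK_REQD, EX_AUTHTOK_EXPIRED, EX_PERM_DENIED };
enum outcome { GRANT, GRANT_AFTER_CHANGE, DENY };

/* Module side: decode the flag stored as a decimal string. Unlike atoi(),
 * a malformed value is refused instead of being read as 0 ("granted"). */
int acct_result_from_flag(const char *flag)
{
    char *end;
    long v;
    if (flag == NULL)
        return EX_SUCCESS;              /* assumed: no flag, nothing pending */
    errno = 0;
    v = strtol(flag, &end, 10);
    if (errno != 0 || end == flag || *end != '\0')
        return EX_PERM_DENIED;          /* unparsable flag: fail closed */
    if (v == EX_AUTHTOK_EXPIRED || v == EX_NEW_AUTHTOK_REQD)
        return EX_NEW_AUTHTOK_REQD;     /* same fall-through as the excerpt */
    return EX_SUCCESS;
}

/* Service side: act on the account-phase result. change_pw is a
 * hypothetical callback standing in for the password-change step. */
enum outcome decide(int acct_rc, int (*change_pw)(void))
{
    if (acct_rc == EX_SUCCESS)
        return GRANT;
    if (acct_rc == EX_NEW_AUTHTOK_REQD && change_pw != NULL
        && change_pw() == EX_SUCCESS)
        return GRANT_AFTER_CHANGE;      /* access only after a real change */
    return DENY;                        /* expired and unchanged, or error */
}

/* Constructed callbacks: a change that succeeds and one that is refused. */
int change_ok(void)   { return EX_SUCCESS; }
int change_fail(void) { return EX_PERM_DENIED; }

int main(void)
{
    printf("%d %d %d\n", decide(acct_result_from_flag("1"), change_ok),
           decide(acct_result_from_flag("2"), change_fail),
           decide(acct_result_from_flag("junk"), change_ok));
    return 0;
}
```

A service that only prints a notice on the "new password required" result and then grants access corresponds to skipping the change_pw step in decide().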

