I'm getting the same issue, except I can't log in because login only authorises a shell after the pass change. Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD is sent? (I have had this problem since upgrading from 200 to 2003 (mixed mode) and samba-3.0.23a, using security=ads and winbind)
Emmanuel

On Tuesday 1 August 2006 10:27, Michael Gasch wrote:
> hi,
>
> i just do some tests with a fresh compiled samba 3.0.23a.
> trying to authenticate against PAM with pam_winbind gives:
>
> Aug 1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind:
> pam_sm_authenticate (flags: 0x0000)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired
> (Password was last set: 1154074953, the policy says it should expire
> here 1154074952 (now
> it's: 1154419163)
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success
> but PAM_WINBIND_NEW_AUTHTOK_REQD is set
> Aug 1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new
> password
> Aug 1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on
> /dev/pts/3
>
> there's no password policy on the domain controller (samba 3.0.14a,
> debian):
>
> [EMAIL PROTECTED]:~# pdbedit -d 0 -P "maximum password age"
> account policy value for maximum password age is 4294967295
> [EMAIL PROTECTED]:~# pdbedit -d 0 -P "password history"
> account policy value for password history is 0
>
> some samba-ldap attributes on PDC for user "gasch":
>
> sambaLogonTime: 1130931254
> sambaPwdMustChange: 2147483647
> sambaPasswordHistory:
> sambaAcctFlags: [UX ]
> sambaKickoffTime: 1204325940
> sambaPwdCanChange: 1154074953
> sambaPwdLastSet: 1154074953
>
> i can provide you with a level 10 debug log of winbindd offline (>700kb)
> if requested.
>
> btw: it worked fine with 3.0.20b RPM from SuSE.
> any ideas?
>
> thx in advance!
>
>
> smb.conf
> ========
> [global]
> workgroup = DOMAIN
> server string = Samba v3
> # username map = /etc/samba/username.map
> time server = yes
> log level = 2
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 10000
> unix extensions = No
> printcap name = cups
> os level = 32
>
> interfaces = lo eth0 vmnet1 vmnet8
> bind interfaces only = yes
> wins server = 192.168.x.y
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> idmap backend = idmap_rid:DOMAIN=10000-19999
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> winbind offline logon = yes
> winbind separator = '\'
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> winbind trusted domains only = no
> winbind cache time = 60
> security = domain
> allow trusted domains = no
> template shell = /bin/bash
> template homedir = /home/%U
> invalid users = root
>
>
> pam (common-auth)
> =================
> auth required pam_env.so
> # following also tried without arguments
> auth sufficient pam_winbind.so debug try_first_pass cached_login
> auth required pam_unix2.so use_first_pass

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
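A diagnostic check added to this archive page, not written by either poster and not Samba code: it parses the quoted "Password has expired" log line and tests whether the reported expiry equals the last-set time plus the reported maximum password age truncated to 32 bits. That the expiry is computed this way, and that 4294967295 means "never expires", are assumptions; `LOG_LINE` is constructed from the values quoted in the thread and the function names are hypothetical.

```python
import re

# Constructed from the values quoted in the thread (line breaks joined).
LOG_LINE = ("Aug 1 09:59:23 humevo36 pam_winbind[27853]: Password has expired "
            "(Password was last set: 1154074953, the policy says it should "
            "expire here 1154074952 (now it's: 1154419163)")
# Value printed by: pdbedit -d 0 -P "maximum password age"
MAX_PWD_AGE = 4294967295

# Assumption: the all-ones 32-bit value is the "never expires" sentinel.
NO_EXPIRY = 0xFFFFFFFF

EXPIRED_RE = re.compile(
    r"Password was last set: (\d+), the policy says it should\s+"
    r"expire here (\d+)\s+\(now\s+it's: (\d+)\)")


def parse_expiry(line):
    """Return the three timestamps from an expiry log line, or None."""
    m = EXPIRED_RE.search(line)
    if not m:
        return None
    last_set, expires, now = map(int, m.groups())
    return {"last_set": last_set, "expires": expires, "now": now}


def diagnose(line, max_age):
    """Classify an expiry message against the domain's maximum password age."""
    ev = parse_expiry(line)
    if ev is None:
        return "no-match"
    # last_set + max_age reduced modulo 2**32, as unsigned 32-bit addition would.
    wrapped = (ev["last_set"] + max_age) & 0xFFFFFFFF
    if max_age == NO_EXPIRY and ev["expires"] == wrapped:
        # Sentinel was added as if it were a real age: expiry lands at last_set - 1.
        return "wraparound"
    if ev["expires"] == ev["last_set"] + max_age and ev["now"] >= ev["expires"]:
        return "genuine"
    return "unexplained"


if __name__ == "__main__":
    print(parse_expiry(LOG_LINE))
    print(diagnose(LOG_LINE, MAX_PWD_AGE))
```

For the quoted values the expiry is exactly one second before the last-set time, which is what the wraparound case predicts and what a real expiry policy cannot produce.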
