[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003.

If my AD account password is in good standing, my config works great in /etc/pam.conf. However - I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below - it just tells me login incorrect. Any ideas?

My /opt/samba/smb.conf file looks like:

    [global]
    workgroup = QACCESST
    realm = QACCESST.ADTEST.AD.LAB
    server string = %h server (Samba %v)
    security = ADS
    update encrypted = Yes
    obey pam restrictions = Yes
    enable privileges = Yes
    pam password change = Yes
    passwd program = /bin/passwd %u
    username map = /etc/samba/smbusers
    unix password sync = Yes
    log level = 5
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 500-1
    idmap gid = 500-1
    template shell = /bin/bash
    winbind cache time = 10
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes

    [homes]
    valid users = %S
    read only = No
    browseable = No

/etc/nsswitch.conf:

    passwd:       files winbind
    group:        files winbind
    hosts:        files dns winbind
    ipnodes:      files
    networks:     files
    protocols:    files
    rpc:          files
    ethers:       files
    netmasks:     files
    bootparams:   files
    publickey:    files
    # At present there isn't a 'files' backend for netgroup; the system will
    # figure it out pretty quickly, and won't use netgroups at all.
    netgroup:     files
    automount:    files
    aliases:      files
    services:     files
    sendmailvars: files
    printers:     user files
    auth_attr:    files
    prof_attr:    files
    project:      files

/etc/pam.conf (snipped for the dtlogin section only):

    # CDE login and screenlock
    dtlogin    auth      sufficient  pam_winbind.so          debug use_first_pass use_authtok
    dtlogin    auth      requisite   pam_authtok_get.so.1    debug
    dtlogin    auth      required    pam_dhkeys.so.1         debug
    #dtlogin   auth      optional    pam_krb5.so             use_first_pass creds debug
    dtlogin    auth      sufficient  pam_unix_auth.so.1      debug try_first_pass
    #dtlogin   auth      sufficient  pam_dial_auth.so.1      debug
    #dtlogin   account   requisite   pam_roles.so.1          debug
    #dtlogin   account   requisite   pam_projects.so.1       debug
    #dtlogin   account   sufficient  pam_unix_account.so.1   debug
    dtlogin    account   required    pam_winbind.so          use_authtok
    #dtlogin   password  sufficient  pam_dhkeys.so.1         debug
    #dtlogin   password  requisite   pam_authtok_get.so.1    debug
    #dtlogin   password  requisite   pam_authtok_check.so.1  debug
    #dtlogin   password  sufficient  pam_authtok_store.so.1  debug
    dtlogin    password  required    pam_winbind.so          debug use_authtok
    dtsession  auth      sufficient  pam_winbind.so          debug try_first_pass
    dtsession  auth      required    pam_unix.so.1

Thanks in advance!

Bruce

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
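An added example, not part of the original post and not Samba's own code: a small parser that prints the entries still active for one service once commented-out lines are dropped, and reports where a module is absent. PAM signals an expired password as PAM_NEW_AUTHTOK_REQD and the resulting change runs through the password stack, so the check assumes the module should be active in the auth, account and password stacks. The sample is trimmed from the dtlogin section above; the function names are hypothetical.

```python
import os

# Sample trimmed from the dtlogin section posted in this thread.
# Columns: service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# CDE login and screenlock
dtlogin    auth      sufficient  pam_winbind.so         debug use_first_pass use_authtok
dtlogin    auth      requisite   pam_authtok_get.so.1   debug
#dtlogin   auth      optional    pam_krb5.so            use_first_pass creds debug
dtlogin    auth      sufficient  pam_unix_auth.so.1     debug try_first_pass
#dtlogin   account   sufficient  pam_unix_account.so.1  debug
dtlogin    account   required    pam_winbind.so         use_authtok
#dtlogin   password  requisite   pam_authtok_get.so.1   debug
dtlogin    password  required    pam_winbind.so         debug use_authtok
dtsession  auth      sufficient  pam_winbind.so         debug try_first_pass
"""

MODULE_TYPES = ("auth", "account", "session", "password")


def active_stack(text, service):
    """Return {module_type: [(control_flag, module, options)]} for one service."""
    stack = {t: [] for t in MODULE_TYPES}
    for raw in text.splitlines():
        # Everything after '#' is a comment, so disabled entries vanish here.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        svc, mtype, flag, path = fields[:4]
        if svc == service and mtype in stack:
            # Compare by file name so full module paths also match.
            stack[mtype].append((flag, os.path.basename(path), fields[4:]))
    return stack


def stacks_missing_module(stack, module, needed=("auth", "account", "password")):
    """Module types in `needed` that have no active entry for `module`."""
    return [t for t in needed
            if not any(name == module for _, name, _ in stack[t])]


if __name__ == "__main__":
    st = active_stack(SAMPLE_PAM_CONF, "dtlogin")
    for mtype, entries in st.items():
        for flag, module, opts in entries:
            print(f"{mtype:10}{flag:12}{module:24}{' '.join(opts)}")
    print("pam_winbind.so missing from:",
          stacks_missing_module(st, "pam_winbind.so") or "none")
```
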
Re: [Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
Speidel, Bruce wrote:
> I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003.
>
> If my AD account password is in good standing, my config works great in /etc/pam.conf. However - I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below - it just tells me login incorrect. Any ideas?

This is fixed in 3.0.21b based on what I understand from Guenther.

cheers, jerry

I live in a Reply-to-All world
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
Re: [Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
Jerry,

That is the version I compiled just last week and found this problem. It also fails on 3.0.20b as well. I don't think I've ever been able to get this working.

Thanks,
Bruce

Gerald (Jerry) Carter wrote:
> Speidel, Bruce wrote:
>> I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003.
>>
>> If my AD account password is in good standing, my config works great in /etc/pam.conf. However - I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below - it just tells me login incorrect. Any ideas?
>
> This is fixed in 3.0.21b based on what I understand from Guenther.
>
> cheers, jerry
Re: [Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
Bruce Speidel +1 303 607-5061 wrote:
> Jerry,
>
> That is the version I compiled just last week and found this problem. It also fails on 3.0.20b as well. I don't think I've ever been able to get this working.

Well... You couldn't have compiled 3.0.21b last week since I haven't released it yet. :-) Either tomorrow or Monday. But you can check out the SAMBA_3_0_RELEASE tree right now if you like.

cheers, jerry

I live in a Reply-to-All world
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
Re: [Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf
Jerry,

Doh! 3.0.21a is what I compiled last week! I'll give it a shot in the coming days to see if it has been fixed. Hopefully I will figure out the correct pam.conf.

Thanks,
Bruce

Gerald (Jerry) Carter wrote:
> Bruce Speidel +1 303 607-5061 wrote:
>> Jerry,
>>
>> That is the version I compiled just last week and found this problem. It also fails on 3.0.20b as well. I don't think I've ever been able to get this working.
>
> Well... You couldn't have compiled 3.0.21b last week since I haven't released it yet. :-) Either tomorrow or Monday. But you can check out the SAMBA_3_0_RELEASE tree right now if you like.
>
> cheers, jerry