Solved

winbind causes expired password reset failures

Posted on 2004-08-23
3
2,231 Views
Last Modified: 2013-12-27
running Solaris 5.8

we recently had a request to add winbind to our /etc/nsswitch.conf file

passwd:     files winbind

to allow authentication for samba via an NT server (winbind)

However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error

The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:

login auth sufficient         /usr/lib/security/pam_winbind.so.1
other password sufficient             /usr/lib/security/pam_winbind.so.1

 that error condition is replaced by this error condition: (it tries to update a winbind password rather than a local password)
# telnet 0              
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.


SunOS 5.8

login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password:                                        (this is a local user, that does not exists in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.

# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM error was 4, NT error was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error

This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.

Sun says: "We don't support wibind" and "We don't support samba on 5.8"

And the Experts?

(let me know if you need more information)

0
Comment
Question by:dtkerns
  • 2
3 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 11877466
Please have a look at the following "Solaris-Winbind-HOWTO.txt":

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
0
 
LVL 38

Accepted Solution

by:
yuzh earned 500 total points
ID: 11877648
0
 
LVL 3

Author Comment

by:dtkerns
ID: 11888045
I think we've seen some of those documents ... it seems to be a known problem at Sun, their (weak) defense is the man page for nsswitch.conf

File Formats                                     nsswitch.conf(4)
SunOS 5.8           Last change: 10 Jul 2001                    4

Interaction with Password Aging
     When password aging is turned on, only a limited set of pos-
     sible  name  services are permitted for the passwd: database
     in the /etc/nsswitch.conf file:

     passwd:
           files

     passwd:
           files nis

     passwd:
           files nisplus

     passwd:
           files ldap

     passwd:
           compat

     passwd_compat:
           nisplus

     passwd_compat:
           ldap

     Any other settings will cause the passwd(1) command to  fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These  are  the  only
     permitted  settings  when password aging has been turned on.
     Otherwise, you can work around incorrect  passwd:  lines  by
     using  the  -r  repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings  and  specify  in  which  name  service you want to
     modify your password.


Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now