Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Solved
winbind causes expired password reset failures
Posted on 2004-08-23
running Solaris 5.8
we recently had a request to add winbind to our /etc/nsswitch.conf file
passwd: files winbind
to allow authentication for samba via an NT server (winbind)
However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error
The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:
login auth sufficient /usr/lib/security/pam_winb
other password sufficient /usr/lib/security/pam_winb
that error condition is replaced by this error condition: (it tries to update a winbind password rather than a local password)
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SunOS 5.8
login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password: (this is a local user, that does not exists in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLE
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error
This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.
Sun says: "We don't support wibind" and "We don't support samba on 5.8"
And the Experts?
(let me know if you need more information)
we recently had a request to add winbind to our /etc/nsswitch.conf file
passwd: files winbind
to allow authentication for samba via an NT server (winbind)
However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error
The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:
login auth sufficient /usr/lib/security/pam_winb
other password sufficient /usr/lib/security/pam_winb
that error condition is replaced by this error condition: (it tries to update a winbind password rather than a local password)
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SunOS 5.8
login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password: (this is a local user, that does not exists in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLE
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error
This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.
Sun says: "We don't support wibind" and "We don't support samba on 5.8"
And the Experts?
(let me know if you need more information)
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
3 Comments
Please have a look at the following "Solaris-Winbind-HOWTO.txt
http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
And :"Transparent Authentication":
http://twiki.org/cgi-bin/view/Codev/TransparentAuthentication
http://geocities.yahoo.com.br/vffzbr/help/winbind.html
http://twiki.org/cgi-bin/view/Codev/TransparentAuthentication
http://geocities.yahoo.com.br/vffzbr/help/winbind.html
I think we've seen some of those documents ... it seems to be a known problem at Sun, their (weak) defense is the man page for nsswitch.conf
File Formats nsswitch.conf(4)
SunOS 5.8 Last change: 10 Jul 2001 4
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
File Formats nsswitch.conf(4)
SunOS 5.8 Last change: 10 Jul 2001 4
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Learn how to navigate the file tree with the shell.
Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Suggested Courses
Course of the Month11 days, 17 hours left to enroll
730 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.