Solved

winbind causes expired password reset failures

Posted on 2004-08-23
Last Modified: 2013-12-27
running Solaris 5.8

we recently had a request to add winbind to our /etc/nsswitch.conf file

passwd:     files winbind

to allow authentication for samba via an NT server (winbind)

However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error

The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:

login auth sufficient         /usr/lib/security/pam_winbind.so.1
other password sufficient             /usr/lib/security/pam_winbind.so.1

that error condition is replaced by this error condition (it tries to update a winbind password rather than a local password):
# telnet 0              
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.


SunOS 5.8

login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password:                                        (this is a local user that does not exist in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.

# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM error was 4, NT error was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error

This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.

Sun says: "We don't support winbind" and "We don't support samba on 5.8"

And the Experts?

(let me know if you need more information)

Question by:dtkerns
3 Comments
 
Expert Comment

by:yuzh
ID: 11877466
Please have a look at the following "Solaris-Winbind-HOWTO.txt":

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
Accepted Solution

by:
yuzh earned 500 total points
ID: 11877648
Author Comment

by:dtkerns
ID: 11888045
I think we've seen some of those documents ... it seems to be a known problem at Sun; their (weak) defense is the man page for nsswitch.conf:

File Formats                                     nsswitch.conf(4)
SunOS 5.8           Last change: 10 Jul 2001                    4

Interaction with Password Aging
     When password aging is turned on, only a limited set of pos-
     sible  name  services are permitted for the passwd: database
     in the /etc/nsswitch.conf file:

     passwd:
           files

     passwd:
           files nis

     passwd:
           files nisplus

     passwd:
           files ldap

     passwd:
           compat

     passwd_compat:
           nisplus

     passwd_compat:
           ldap

     Any other settings will cause the passwd(1) command to  fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These  are  the  only
     permitted  settings  when password aging has been turned on.
     Otherwise, you can work around incorrect  passwd:  lines  by
     using  the  -r  repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings  and  specify  in  which  name  service you want to
     modify your password.


Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
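
The permitted-settings list in the nsswitch.conf(4) excerpt above can be checked mechanically. The following is an added example, not code from the thread or from Samba or Sun: a POSIX sh audit that flags a passwd: line outside that list and names the local accounts that would be locked out on expiry. The function names, the sample files and the reading of a lastchg value of 0 as a forced expiry are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit nsswitch.conf against the passwd:
# settings that nsswitch.conf(4) permits when password aging is turned on.

# Print the source list of one database, comments and extra blanks removed.
nss_sources() {   # $1 = database, $2 = nsswitch.conf path
    sed -e 's/#.*//' "$2" | while read -r key rest; do
        if [ "$key" = "$1:" ]; then echo $rest; break; fi
    done
}

# Return 0 if the passwd: setting is on the man page's permitted list.
aging_safe() {    # $1 = nsswitch.conf path
    case "$(nss_sources passwd "$1")" in
        files|"files nis"|"files nisplus"|"files ldap") return 0 ;;
        compat)
            case "$(nss_sources passwd_compat "$1")" in
                ""|nisplus|ldap) return 0 ;;
            esac ;;
    esac
    return 1
}

# List local accounts that have aging set: a max-days field, or lastchg 0
# (assumed here to be what a forced expiry such as "passwd -f" leaves).
aged_users() {    # $1 = shadow-format file
    awk -F: '$5 != "" || $3 == "0" { print $1 }' "$1"
}

# Constructed sample files so the example runs offline.
tmp=${TMPDIR:-/tmp}/nssaudit.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf 'passwd:     files winbind   # as in the question\ngroup: files\n' > "$tmp/nss.bad"
printf 'passwd: compat\npasswd_compat: ldap\n' > "$tmp/nss.ok"
printf 'root:x:6445::::::\nusera:x:0::::::\nuserb:x:12650:7:90:14:::\n' > "$tmp/shadow"

for f in "$tmp/nss.bad" "$tmp/nss.ok"; do
    if aging_safe "$f"; then
        echo "$f: passwd: [$(nss_sources passwd "$f")] is permitted with aging"
    else
        echo "$f: passwd: [$(nss_sources passwd "$f")] is NOT permitted; expired"
        echo "  logins will fail for: $(aged_users "$tmp/shadow" | tr '\n' ' ')"
    fi
done
```

On a live host, point `aging_safe` at /etc/nsswitch.conf and `aged_users` at /etc/shadow (root only); accounts it lists are the ones to reset with `passwd -r files`, per the man page text quoted above.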

