Solved

winbind causes expired password reset failures

Posted on 2004-08-23
Last Modified: 2013-12-27
running Solaris 5.8

We recently had a request to add winbind to our /etc/nsswitch.conf file:

passwd:     files winbind

to allow authentication for samba via an NT server (winbind).

However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error

The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:

login auth sufficient         /usr/lib/security/pam_winbind.so.1
other password sufficient             /usr/lib/security/pam_winbind.so.1

that error condition is replaced by this error condition (it tries to update a winbind password rather than a local password):
# telnet 0              
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.


SunOS 5.8

login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password:                                        (this is a local user that does not exist in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.

# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM error was 4, NT error was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error

This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.

Sun says: "We don't support winbind" and "We don't support samba on 5.8"

And the Experts?

(let me know if you need more information)

Question by: dtkerns

Expert Comment

by:yuzh
ID: 11877466
Please have a look at the following "Solaris-Winbind-HOWTO.txt":

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt

Accepted Solution

by:
yuzh earned 500 total points
ID: 11877648

Author Comment

by:dtkerns
ID: 11888045
I think we've seen some of those documents... it seems to be a known problem at Sun; their (weak) defense is the man page for nsswitch.conf:

File Formats                                     nsswitch.conf(4)
SunOS 5.8           Last change: 10 Jul 2001                    4

Interaction with Password Aging
     When password aging is turned on, only a limited set of pos-
     sible  name  services are permitted for the passwd: database
     in the /etc/nsswitch.conf file:

     passwd:
           files

     passwd:
           files nis

     passwd:
           files nisplus

     passwd:
           files ldap

     passwd:
           compat

     passwd_compat:
           nisplus

     passwd_compat:
           ldap

     Any other settings will cause the passwd(1) command to  fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These  are  the  only
     permitted  settings  when password aging has been turned on.
     Otherwise, you can work around incorrect  passwd:  lines  by
     using  the  -r  repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings  and  specify  in  which  name  service you want to
     modify your password.


Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords... anyone got a Solaris 8 login.c?


