Solved

winbind causes expired password reset failures

Posted on 2004-08-23
Last Modified: 2013-12-27

Running Solaris 5.8

We recently had a request to add winbind to our /etc/nsswitch.conf file

passwd:     files winbind

to allow authentication for samba via an NT server (winbind)

However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error

The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:

login auth sufficient         /usr/lib/security/pam_winbind.so.1
other password sufficient             /usr/lib/security/pam_winbind.so.1

that error condition is replaced by this error condition (it tries to update a winbind password rather than a local password):
# telnet 0              
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.


SunOS 5.8

login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password:     (this is a local user that does not exist in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.

# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM error was 4, NT error was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error

This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.

Sun says: "We don't support winbind" and "We don't support samba on 5.8"

And the Experts?

(let me know if you need more information)

Question by: dtkerns

Expert Comment

by:yuzh
ID: 11877466
Please have a look at the following "Solaris-Winbind-HOWTO.txt":

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt

Accepted Solution

by:
yuzh earned 500 total points
ID: 11877648

Author Comment

by:dtkerns
ID: 11888045
I think we've seen some of those documents ... it seems to be a known problem at Sun, their (weak) defense is the man page for nsswitch.conf

File Formats                                     nsswitch.conf(4)
SunOS 5.8           Last change: 10 Jul 2001                    4

Interaction with Password Aging
     When password aging is turned on, only a limited set of possible
     name services are permitted for the passwd: database in the
     /etc/nsswitch.conf file:

     passwd:        files
     passwd:        files nis
     passwd:        files nisplus
     passwd:        files ldap
     passwd:        compat
     passwd_compat: nisplus
     passwd_compat: ldap

     Any other settings will cause the passwd(1) command to fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These are the only
     permitted settings when password aging has been turned on.
     Otherwise, you can work around incorrect passwd: lines by
     using the -r repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings and specify in which name service you want to
     modify your password.


Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
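
The nsswitch.conf(4) restriction quoted above can be checked before an account expires. The script below is an added example, not part of the original thread or of Solaris or Samba: it compares the passwd: line against the permitted list and reports local accounts that have aging set. The function names and sample file contents are constructed, and it assumes a POSIX shell with sed, tr and awk.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample files are
# constructed; assumes a POSIX shell, sed, tr and awk.

# Print the source list for database $1 from nsswitch.conf file $2.
nss_sources() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        head -n 1 | tr -s '[:blank:]' ' ' | sed 's/ $//'
}

# Succeed only if passwd: matches a setting the quoted man page permits
# when password aging is turned on.
aging_ok() {
    case "$(nss_sources passwd "$1")" in
        files|"files nis"|"files nisplus"|"files ldap") return 0 ;;
        compat)
            case "$(nss_sources passwd_compat "$1")" in
                ""|nisplus|ldap) return 0 ;;
            esac ;;
    esac
    return 1
}

# List accounts in shadow file $1 that have a max age set (field 5) or a
# forced change pending (lastchg, field 3, equal to 0).
aged_accounts() {
    awk -F: '$5 != "" || $3 == "0" { print $1 }' "$1"
}

# Return 1 and explain when an unsupported passwd: line meets aged accounts.
audit() {
    aging_ok "$1" && return 0
    users=$(aged_accounts "$2")
    [ -z "$users" ] && return 0
    echo "passwd: $(nss_sources passwd "$1") is not a permitted setting with aging"
    echo "affected local accounts:" $users
    return 1
}

# Constructed sample input: the nsswitch.conf line from the question and a
# shadow file in which usera has aging set and a forced change pending.
demo=/tmp/nss_aging_demo.$$
mkdir "$demo" && trap 'rm -rf "$demo"' 0
printf 'passwd:     files winbind\n' > "$demo/nsswitch.conf"
printf 'root:x:12000::::::\nusera:x:0:0:90:7:::\n' > "$demo/shadow"
audit "$demo/nsswitch.conf" "$demo/shadow" || echo "=> password change on expiry will fail"
```
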

