winbind causes expired password reset failures
running Solaris 5.8
we recently had a request to add winbind to our /etc/nsswitch.conf file
passwd: files winbind
to allow authentication for samba via an NT server (winbind)
However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error
The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:
login auth sufficient /usr/lib/security/pam_winb
other password sufficient /usr/lib/security/pam_winb
that error condition is replaced by this error condition: (it tries to update a winbind password rather than a local password)
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SunOS 5.8
login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password: (this is a local user, that does not exists in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLE
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error
This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.
Sun says: "We don't support wibind" and "We don't support samba on 5.8"
And the Experts?
(let me know if you need more information)
we recently had a request to add winbind to our /etc/nsswitch.conf file
passwd: files winbind
to allow authentication for samba via an NT server (winbind)
However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error
The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:
login auth sufficient /usr/lib/security/pam_winb
other password sufficient /usr/lib/security/pam_winb
that error condition is replaced by this error condition: (it tries to update a winbind password rather than a local password)
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SunOS 5.8
login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password: (this is a local user, that does not exists in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLE
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error
This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.
Sun says: "We don't support wibind" and "We don't support samba on 5.8"
And the Experts?
(let me know if you need more information)
Asked:
Who is Participating?
Please have a look at the following "Solaris-Winbind-HOWTO.txt
http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt
I think we've seen some of those documents ... it seems to be a known problem at Sun, their (weak) defense is the man page for nsswitch.conf
File Formats nsswitch.conf(4)
SunOS 5.8 Last change: 10 Jul 2001 4
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
File Formats nsswitch.conf(4)
SunOS 5.8 Last change: 10 Jul 2001 4
Interaction with Password Aging
When password aging is turned on, only a limited set of pos-
sible name services are permitted for the passwd: database
in the /etc/nsswitch.conf file:
passwd:
files
passwd:
files nis
passwd:
files nisplus
passwd:
files ldap
passwd:
compat
passwd_compat:
nisplus
passwd_compat:
ldap
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
permitted settings when password aging has been turned on.
Otherwise, you can work around incorrect passwd: lines by
using the -r repository argument to the passwd(1) command
and using passwd -r repository to override the nsswitch.conf
settings and specify in which name service you want to
modify your password.
Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords .... anyone got a solaris 8 login.c?
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month6 days, 6 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
http://twiki.org/cgi-bin/view/Codev/TransparentAuthentication
http://geocities.yahoo.com.br/vffzbr/help/winbind.html