Solved

winbind causes expired password reset failures

Posted on 2004-08-23
Last Modified: 2013-12-27

Running Solaris 5.8.

We recently had a request to add winbind to our /etc/nsswitch.conf file:

passwd:     files winbind

to allow authentication for Samba via an NT server (winbind).

However, now when a local (/etc/passwd, /etc/shadow) id expires, we get the following errors:
# passwd -f usera
# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: usera
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: System error: repository out of range.
Connection closed by foreign host.
# tail -1 /var/adm/messages
Aug 23 15:29:28 host_a login: [ID 376080 auth.crit] change password failure: System error

The samba documentation talks about adding some libraries to /etc/pam.conf, but when we added them:

login auth sufficient         /usr/lib/security/pam_winbind.so.1
other password sufficient             /usr/lib/security/pam_winbind.so.1

that error condition is replaced by this error condition (it tries to update a winbind password rather than a local password):
# telnet 0              
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.


SunOS 5.8

login: usera
Password:
Choose a new password.
New Password:
Changing password for usera
(current) NT password:                                        (this is a local user that does not exist in the NT domain)
Re-enter new Password:
Enter new NT password:
Retype new NT password:
telnet: System error: repository out of range.
Connection closed by foreign host.

# tail -3 /var/adm/messages
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 467601 auth.error] request failed: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM error was 4, NT error was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Aug 23 15:50:58 host_a pam_winbind[1485]: [ID 637597 auth.error] internal module error (retval = 4, user = `usera'
Aug 23 15:50:58 host_a login[1485]: [ID 376080 auth.crit] change password failure: System error

This looks to me like something in the /etc/pam.conf is in need of changing, but alas I don't have a clue.

Sun says: "We don't support winbind" and "We don't support samba on 5.8"

And the Experts?

(let me know if you need more information)

Question by:dtkerns

Expert Comment

by:yuzh
Please have a look at the following "Solaris-Winbind-HOWTO.txt":

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt

Accepted Solution

by:
yuzh earned 500 total points

Author Comment

by:dtkerns
I think we've seen some of those documents ... it seems to be a known problem at Sun; their (weak) defense is the man page for nsswitch.conf:

File Formats                                     nsswitch.conf(4)
SunOS 5.8           Last change: 10 Jul 2001                    4

Interaction with Password Aging
     When password aging is turned on, only a limited set of pos-
     sible  name  services are permitted for the passwd: database
     in the /etc/nsswitch.conf file:

     passwd:
           files

     passwd:
           files nis

     passwd:
           files nisplus

     passwd:
           files ldap

     passwd:
           compat

     passwd_compat:
           nisplus

     passwd_compat:
           ldap

     Any other settings will cause the passwd(1) command to  fail
     when it attempts to change the password after expiration and
     will prevent the user from logging in. These  are  the  only
     permitted  settings  when password aging has been turned on.
     Otherwise, you can work around incorrect  passwd:  lines  by
     using  the  -r  repository argument to the passwd(1) command
     and using passwd -r repository to override the nsswitch.conf
     settings  and  specify  in  which  name  service you want to
     modify your password.


Our resident Sun SE suggested replacing the login command (binary) with one that calls the equivalent of a "passwd -r files" on expired passwords ... anyone got a Solaris 8 login.c?


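The permitted-settings list quoted from nsswitch.conf(4) above can be checked mechanically before password aging locks local users out. This is an added example, not part of the original thread or of Samba or Solaris; the function names nss_sources and check_passwd_aging are hypothetical, and it assumes a POSIX shell, sed and awk (on Solaris 8, the /usr/xpg4/bin versions rather than /bin/sh).

```shell
#!/bin/sh
# Added example: audit nsswitch.conf against the passwd: settings that
# nsswitch.conf(4) on SunOS 5.8 permits when password aging is on.

# Print the source list of database $1 in file $2 (comments stripped,
# whitespace collapsed). Prints nothing if the database has no entry.
nss_sources() {
    sed -e 's/#.*//' -e 's/:/: /' "$2" | awk -v db="$1:" '
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 if the passwd: configuration is on the man page's permitted
# list, 1 if it is not, 2 if the file has no passwd: entry.
check_passwd_aging() {
    file=$1
    passwd=$(nss_sources passwd "$file")
    compat=$(nss_sources passwd_compat "$file")
    case "$passwd" in
        "")
            echo "no passwd: entry in $file"; return 2 ;;
        files|"files nis"|"files nisplus"|"files ldap")
            echo "OK: passwd: $passwd"; return 0 ;;
        compat)
            # The excerpt lists compat alone, or with passwd_compat set
            # to nisplus or ldap.
            case "$compat" in
                ""|nisplus|ldap)
                    echo "OK: passwd: compat, passwd_compat: ${compat:-unset}"
                    return 0 ;;
            esac
            echo "FAIL: passwd_compat: $compat is not on the permitted list"
            return 1 ;;
    esac
    echo "FAIL: passwd: $passwd is not on the permitted list;" \
         "expired local passwords cannot be changed at login"
    return 1
}

# Constructed sample input: the passwd: line from the question.
demo="${TMPDIR:-/tmp}/nsswitch_demo.$$"
printf 'passwd:     files winbind\ngroup:      files\n' > "$demo"
check_passwd_aging "$demo" ||
    echo "workaround from the man page: passwd -r files usera"
rm -f "$demo"
```

Run against the real /etc/nsswitch.conf, a non-zero status flags the configuration that produced the "repository out of range" failure in the question.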
