The Samba-Bugzilla – Bug 3205
pam_winbind account module does not manage correctly an expired password
Last modified: 2006-01-13 04:12:19 UTC
This module works well in auth and password fields. There are problems in the
account management. A bug is still reported for this problem for the 3.0.4
In that bug report (n. 1524), Scott Barker says: "When authenticating a user for
login, if a new password is required, pam_authenticate should return
PAM_SUCCESS, and pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD".
In my tests (version 3.0.20b), when a password is expired on AD Domain
Controller, pam_sm_authenticate returns "4" (logging "internal module error")
and pam_sm_acct_mgmt is never called.
I tried patch "972" but login always succeded, while whith patch "1436" is
If it is possible for you, please re-test with the pam_winbind module that is now in trunk. It should be fixed there.
Fixed in Subversion, please reopen if it is still an issue for you.