Bug 3499 - ADS security expired password not working correctly on Solaris platform
Summary: ADS security expired password not working correctly on Solaris platform
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.21b
Hardware: Sparc Solaris
Importance: P3 normal
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2006-02-10 16:34 UTC by Bruce Speidel
Modified: 2006-08-04 12:02 UTC
Description Bruce Speidel 2006-02-10 16:34:09 UTC
Environment:

Solaris 9 - sparc.

BDB: db-4.3.28.NC
Kerberos: krb5-1.4.2
OpenLDAP: 2.2.26
SASL: 2.1.21
SAMBA: 3.0.21b

Compile options for SAMBA:

                --with-krb5=/usr/local \
                --with-winbindd \
                --with-pam \
                --with-ldap \
                --with-msdfs \
                --with-pam_smbpass \
                --with-acl-support \
                --with-included-popt \
                --localstatedir=/var/lib/samba \
                --with-piddir=/var/run \
                --with-logfilebase=/var/log/samba \
                --with-privatedir=/etc/samba/private \
                --with-configdir=/etc/samba \
                --with-lockdir=/var/lib/samba \
                --with-quotas \
                --enable-developer \

/etc/samba/smb.conf:

# Samba config file created using SWAT
# from 10.2.239.222 (10.2.239.222)
# Date: 2005/12/22 09:58:02

[global]
        workgroup = QACCESST
        realm = QACCESST.ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        obey pam restrictions = Yes
        enable privileges = Yes
        pam password change = Yes
        time server = Yes
        log level = 10
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind cache time = 10
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes

[homes]
        valid users = %S
        read only = No
        browseable = No



Login Failure began at Feb 10, 2006 03:21:24 -- see all logout hence from this point (Yeah - I know - what in the were you up at this hour testing?   Answer - couldn't sleep).


What I see on the command line to ask for my password:

10867 bspeide@mccoy {/home/bspeide} ssh hermione
Password: 
Changing password for bspeide
(current) NT password: 
Re-enter new Password: 
Password: 
Password: 
Password: 
Password: 10868 bspeide@mccoy {/home/bspeide} 


/var/log/authlog:


Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:15 hermione sshd[1354]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.2.239.222
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:38 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication failed for bspeide from sol-zun-qvra02.ad.qintra.com


/var/log/authlog.debug:

Feb 10 03:20:51 hermione login: [ID 509786 auth.debug] roles pam_sm_authenticate, service = rlogin user = bspeide ruser = bspeide rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:20:51 hermione login: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:20:51 hermione login: [ID 125108 auth.debug] pam_unix_session: inside pam_sm_open_session()
Feb 10 03:21:24 hermione login: [ID 509786 auth.debug] roles pam_sm_authenticate, service = rlogin user = bspeide ruser = bspeide rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:21:24 hermione login: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:21:24 hermione login: [ID 125108 auth.debug] pam_unix_session: inside pam_sm_open_session()
Feb 10 03:22:53 hermione pam_winbind[1356]: [ID 789278 auth.info] Verify user `bspeide' with password `Qwest2005'
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:22:59 hermione sshd[1356]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = bspeide ruser = not set rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:22:59 hermione sshd[1356]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:06 hermione sshd[1356]: [ID 558286 auth.debug] pam_authtok_check: pam_sm_chauthok called
Feb 10 03:23:06 hermione sshd[1356]: [ID 271931 auth.debug] pam_authtok_check: minimum length from /etc/default/passwd: 6
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:12 hermione sshd[1356]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 10 03:23:15 hermione sshd[1354]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.2.239.222
Feb 10 03:23:25 hermione pam_winbind[1359]: [ID 789278 auth.info] Verify user `bspeide' with password `Qwest2005'
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:31 hermione sshd[1359]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = bspeide ruser = not set rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:31 hermione sshd[1359]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:35 hermione sshd[1359]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 10 03:23:38 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 789278 auth.info] Verify user `bspeide' with password `Bruce01'
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione sshd[1360]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 10 03:23:42 hermione sshd[1360]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 10 03:23:42 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication failed for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:25:50 hermione su: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Feb 10 03:25:55 hermione su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 10 03:25:55 hermione su: [ID 509786 auth.debug] roles pam_sm_authenticate, service = su user = root ruser = not set rhost = hermione
Feb 10 03:25:55 hermione su: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
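The authlog excerpts above carry two things a defender should pull out mechanically rather than by eye: the sequence in which a pam_winbind conversation reports NT_STATUS_PASSWORD_EXPIRED and then, under the same PID, NT_STATUS_WRONG_PASSWORD rejections (each of which also counts against the domain's lockout policy), and the "Verify user ... with password ..." records in which the `debug` option wrote the supplied password to the log in cleartext. The following Python script is an added example, not code from this bug report or from Samba: it parses Solaris syslog records of this shape, rejoins records that were wrapped at a fixed column width (as in the pasted logs), extracts the PAM and NT status codes, flags PIDs showing the expired-then-wrong pattern, and lists records that leaked a credential. The embedded sample log is constructed in the same format as the excerpt, with a placeholder in place of the password.

```python
"""Parse Solaris pam_winbind/sshd syslog records and flag two conditions seen in
this report: an expired-password dialogue that degrades into wrong-password
rejections, and cleartext passwords written by pam_winbind's debug logging."""
import re
import sys

# Constructed sample in the same format as the /var/log/authlog excerpt above.
# Two records are wrapped at 128 columns, as in the pasted report, so the
# unwrapper has something to repair. The password is a placeholder, not real.
SAMPLE_AUTHLOG = """\
Feb 10 03:22:53 hermione pam_winbind[1356]: [ID 789278 auth.info] Verify user `bspeide' with password `not-a-real-pw'
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT er
ror was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error
 was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:15 hermione sshd[1354]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.2.239.222
"""

# Solaris syslog record: "Mon DD HH:MM:SS host prog[pid]: [ID msgid facility.level] message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: \[ID (?P<msgid>\d+) (?P<sel>[\w.]+)\] (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"PAM error was (?P<pam>\d+), NT error was (?P<nt>NT_STATUS_\w+)")
USER_RE = re.compile(r"user [`'](?P<user>[^']+)'")
CLEARTEXT_RE = re.compile(r"Verify user [`'](?P<user>[^']+)' with password ")


def unwrap(text):
    """Rejoin records split by fixed-width wrapping: a physical line that does not
    start with a syslog header is the tail of the previous record."""
    records = []
    for line in text.splitlines():
        if HEADER_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse(text):
    """Turn unwrapped records into dicts with the PAM/NT codes and user extracted."""
    out = []
    for rec in unwrap(text):
        m = HEADER_RE.match(rec)
        if not m:
            out.append({"raw": rec})  # keep unparseable lines rather than drop them
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"]) if d["pid"] else None
        s = STATUS_RE.search(d["msg"])
        d["pam_error"] = int(s.group("pam")) if s else None
        d["nt_status"] = s.group("nt") if s else None
        u = USER_RE.search(d["msg"])
        d["user"] = u.group("user") if u else None
        out.append(d)
    return out


def expired_then_wrong(records):
    """PIDs whose pam_winbind conversation reported NT_STATUS_PASSWORD_EXPIRED and
    then NT_STATUS_WRONG_PASSWORD: the pattern in this report, where the forced
    change dialogue degrades into rejections that also count against AD lockout."""
    expired, hits = set(), []
    for r in records:
        if r.get("prog") != "pam_winbind" or r["pid"] is None:
            continue
        if r["nt_status"] == "NT_STATUS_PASSWORD_EXPIRED":
            expired.add(r["pid"])
        elif r["nt_status"] == "NT_STATUS_WRONG_PASSWORD" and r["pid"] in expired:
            if r["pid"] not in hits:
                hits.append(r["pid"])
    return hits


def cleartext_credentials(records):
    """(pid, user) for records where pam_winbind's debug option logged the password
    itself; such log files need the same handling as the credentials they contain."""
    hits = []
    for r in records:
        m = CLEARTEXT_RE.search(r["msg"]) if "msg" in r else None
        if m:
            hits.append((r["pid"], m.group("user")))
    return hits


if __name__ == "__main__":
    # With a path argument the script reads that file; without one it runs on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHLOG
    recs = parse(text)
    print(f"{len(recs)} records; expired-then-wrong PIDs: {expired_then_wrong(recs)}")
    for pid, user in cleartext_credentials(recs):
        print(f"cleartext credential logged for {user} (pid {pid})")
```

Correlating on the pam_winbind PID is what ties the expired-password report to the later rejections; sshd records for the same session carry a different PID in these logs, so a rule keyed on hostname or user alone would blur several sessions together. The cleartext check is the reason the `debug` option belongs on only for the duration of a diagnosis, with the resulting files restricted and purged afterwards.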
Comment 1 Guenther Deschner 2006-02-10 16:58:43 UTC
Ok, Bruce, what I still need are the same logs just with the "debug" option set in your pam configuration. Speaking of that, please also post your PAM configuration options for the ssh service on hermione.
Comment 2 Bruce Speidel 2006-02-10 18:58:38 UTC
PAM sshd config:

# OpenSSH
sshd            auth            sufficient      pam_winbind.so          debug
sshd            auth            requisite       pam_authtok_get.so.1    debug   try_first_pass
sshd            auth            required        pam_dhkeys.so.1         debug   try_first_pass
sshd            auth            sufficient      pam_unix_auth.so.1      debug   try_first_pass
sshd            account         requisite       pam_roles.so.1          debug
sshd            account         required        pam_projects.so.1       debug
sshd            account         required        pam_unix_account.so.1   debug
sshd            account         required        pam_winbind.so          debug
sshd            password        sufficient      pam_winbind.so          debug   use_authtok
#sshd           password        required        pam_dhkeys.so.1         debug
sshd            password        requisite       pam_authtok_get.so.1    debug
sshd            password        requisite       pam_authtok_check.so.1  debug
sshd            password        required        pam_authtok_store.so.1  debug
sshd            session         sufficient      pam_winbind.so          debug
sshd            session         required        pam_unix.so.1           debug

As you can see Guenther - I had the debug option in PAM already turned on!
Comment 3 Guenther Deschner 2006-02-10 19:47:06 UTC
Ok, read your logs. Your configuration seems to be correct; just a stupid question: You are absolutely sure that you type the same password when you get:

"Password:" for the first time and then *again* when the "(current) NT password: " prompt is given, right?
Comment 4 Bruce Speidel 2006-02-11 11:07:39 UTC
Guenther,

Yes to answer your question - and I just tried it again.  

Password: 
Changing password for bspeide
(current) NT password: 
Re-enter new Password: 
Password:
Password:
Password:

I type "Qwest2005" for the first "Password:" question.
I type "Qwest2005" for the question: "(current) NT password:"
I type "Bruce2005" for the "Re-enter new Password". 
I type "Bruce2005" for the "Password:" and it will just loop to the same question over and over again and not authenticate. 

This third question seems misleading - because it didn't even ask me for a new password to begin with - just to retype a "new" password.  You would expect to be asked for a New AD password - and then retype a New AD password, correct?  Also - the 2nd question is a little misleading - because it refers to "NT".  I am using ADS security - perhaps you should code it based on the response of the version from the domain controller (ours is W2003 ADS schema 1).  If I were going to release this to production - I would prefer it would ask "AD password"....instead of "NT password". 

(Our Domain policy is setup to expire passwords every 90 days - and if you fatfinger your password more than 5 times in less than 60 seconds - then your password is locked for 30 minutes - which we have to call our help desk to have it unlocked if you cannot wait for the 30 minutes)

Just as an FYI - our shadow file looks like (forcing users to use winbind):

bspeide:ABCDEFGHIJKLMN:::::::

I see that you are coding some kind of cached winbind - is this to authenticate users using ADS security when no domain controllers are available?  If you are - that would be awesome for disaster recovery on the live network - or in the case when you are coming in from a VPN and do not have a network established to the DCs before login - then you could have credentials stored locally from previous good authentications that would allow you to login.  I believe that this is the way XP-pro using ADS security works.  That would be consistent between Windows and Unix authentication offnetwork.
Comment 5 Guenther Deschner 2006-06-14 06:27:26 UTC
Bruce, could you please check if your issue is resolved with samba 3.0.23rc2 ?
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:02:15 UTC
Closing. No response from poster.