Environment: Solaris 9 - sparc.
BDB: db-4.3.28.NC
Kerberos: krb5-1.4.2
OpenLDAP: 2.2.26
SASL: 2.1.21
SAMBA: 3.0.21b

Compile options for SAMBA:
  --with-krb5=/usr/local \
  --with-winbindd \
  --with-pam \
  --with-ldap \
  --with-msdfs \
  --with-pam_smbpass \
  --with-acl-support \
  --with-included-popt \
  --localstatedir=/var/lib/samba \
  --with-piddir=/var/run \
  --with-logfilebase=/var/log/samba \
  --with-privatedir=/etc/samba/private \
  --with-configdir=/etc/samba \
  --with-lockdir=/var/lib/samba \
  --with-quotas \
  --enable-developer \

/etc/samba/smb.conf:
# Samba config file created using SWAT
# from 10.2.239.222 (10.2.239.222)
# Date: 2005/12/22 09:58:02
[global]
        workgroup = QACCESST
        realm = QACCESST.ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        obey pam restrictions = Yes
        enable privileges = Yes
        pam password change = Yes
        time server = Yes
        log level = 10
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind cache time = 10
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes

[homes]
        valid users = %S
        read only = No
        browseable = No

Login Failure began at Feb 10, 2006 03:21:24 -- see all logout hence from this point (Yeah - I know - what in the were you up at this hour testing? Answer - couldn't sleep).
What I see on the command line to ask for my password:

10867 bspeide@mccoy {/home/bspeide} ssh hermione
Password:
Changing password for bspeide
(current) NT password:
Re-enter new Password:
Password:
Password:
Password:
Password:
10868 bspeide@mccoy {/home/bspeide}

/var/log/authlog:
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:15 hermione sshd[1354]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.2.239.222
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:38 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication failed for bspeide from sol-zun-qvra02.ad.qintra.com

/var/log/authlog.debug:
Feb 10 03:20:51 hermione login: [ID 509786 auth.debug] roles pam_sm_authenticate, service = rlogin user = bspeide ruser = bspeide rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:20:51 hermione login: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:20:51 hermione login: [ID 125108 auth.debug] pam_unix_session: inside pam_sm_open_session()
Feb 10 03:21:24 hermione login: [ID 509786 auth.debug] roles pam_sm_authenticate, service = rlogin user = bspeide ruser = bspeide rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:21:24 hermione login: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:21:24 hermione login: [ID 125108 auth.debug] pam_unix_session: inside pam_sm_open_session()
Feb 10 03:22:53 hermione pam_winbind[1356]: [ID 789278 auth.info] Verify user `bspeide' with password `Qwest2005'
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:22:59 hermione sshd[1356]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = bspeide ruser = not set rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:22:59 hermione sshd[1356]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:06 hermione sshd[1356]: [ID 558286 auth.debug] pam_authtok_check: pam_sm_chauthok called
Feb 10 03:23:06 hermione sshd[1356]: [ID 271931 auth.debug] pam_authtok_check: minimum length from /etc/default/passwd: 6
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:12 hermione sshd[1356]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 10 03:23:15 hermione sshd[1354]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.2.239.222
Feb 10 03:23:25 hermione pam_winbind[1359]: [ID 789278 auth.info] Verify user `bspeide' with password `Qwest2005'
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:31 hermione sshd[1359]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = bspeide ruser = not set rhost = sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:31 hermione sshd[1359]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 990559 auth.warning] pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:31 hermione pam_winbind[1359]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 874359 auth.warning] user `bspeide' password expired
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 743889 auth.debug] username [bspeide] obtained
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:35 hermione sshd[1359]: [ID 909140 auth.debug] pam_authtok_get: verifying authtok
Feb 10 03:23:38 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication token manipulation error for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 789278 auth.info] Verify user `bspeide' with password `Bruce01'
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione sshd[1360]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 10 03:23:42 hermione sshd[1360]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 10 03:23:42 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication failed for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:25:50 hermione su: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
Feb 10 03:25:55 hermione su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 10 03:25:55 hermione su: [ID 509786 auth.debug] roles pam_sm_authenticate, service = su user = root ruser = not set rhost = hermione
Feb 10 03:25:55 hermione su: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Ok, Bruce, what I still need are the same logs just with the "debug" option set in your pam configuration. Speaking of that, please also post your PAM configuration options for the ssh service on hermione.
PAM sshd config:

# OpenSSH
sshd    auth      sufficient   pam_winbind.so debug
sshd    auth      requisite    pam_authtok_get.so.1 debug try_first_pass
sshd    auth      required     pam_dhkeys.so.1 debug try_first_pass
sshd    auth      sufficient   pam_unix_auth.so.1 debug try_first_pass
sshd    account   requisite    pam_roles.so.1 debug
sshd    account   required     pam_projects.so.1 debug
sshd    account   required     pam_unix_account.so.1 debug
sshd    account   required     pam_winbind.so debug
sshd    password  sufficient   pam_winbind.so debug use_authtok
#sshd   password  required     pam_dhkeys.so.1 debug
sshd    password  requisite    pam_authtok_get.so.1 debug
sshd    password  requisite    pam_authtok_check.so.1 debug
sshd    password  required     pam_authtok_store.so.1 debug
sshd    session   sufficient   pam_winbind.so debug
sshd    session   required     pam_unix.so.1 debug

As you can see Guenther - I had the debug option in PAM already turned on!
Ok, read your logs. Your configuration seems to be correct; just a stupid question: You are absolutely sure that you type the same password when you get: "Password:" for the first time and then *again* when the "(current) NT password: " prompt is given, right?
Guenther,

Yes, to answer your question - and I just tried it again.

Password:
Changing password for bspeide
(current) NT password:
Re-enter new Password:
Password:
Password:
Password:

I type "Qwest2005" for the first "Password:" question.
I type "Qwest2005" for the question "(current) NT password:".
I type "Bruce2005" for the "Re-enter new Password".
I type "Bruce2005" for the "Password:" and it will just loop to the same question over and over again and not authenticate.

This third question seems misleading - because it didn't even ask me for a new password to begin with - just to retype a "new" password. You would expect to be asked for a New AD password - and then retype a New AD password, correct?

Also - the 2nd question is a little misleading - because it refers to "NT". I am using ADS security - perhaps you should code it based on the response of the version from the domain controller (ours is W2003 ADS schema 1). If I were going to release this to production - I would prefer it would ask "AD password"....instead of "NT password".

(Our Domain policy is setup to expire passwords every 90 days - and if you fatfinger your password more than 5 times in less than 60 seconds - then your password is locked for 30 minutes - which we have to call our help desk to have it unlocked if you cannot wait for the 30 minutes)

Just as an FYI - our shadow file looks like (forcing users to use winbind):
bspeide:ABCDEFGHIJKLMN:::::::

I see that you are coding some kind of cached winbind - is this to authenticate users using ADS security when no domain controllers are available? If you are - that would be awesome for disaster recovery on the live network - or in the case when you are coming in from a VPN and do not have a network established to the DC's before login - then you could have credentials stored locally from previous good authentications that would allow you to login. I believe that this is the way XP-pro using ADS security works. That would be consistent between Windows and Unix authentication off-network.
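Two things in this thread are worth checking mechanically when triaging a pam_winbind report like this one: the authlog sequence (NT_STATUS_PASSWORD_EXPIRED, the PAM_WINBIND_NEW_AUTHTOK_REQD path, then repeated NT_STATUS_WRONG_PASSWORD denials until sshd gives up), and the fact that at this debug level pam_winbind writes the cleartext password into authlog.debug ("Verify user ... with password ..."), so such logs should be redacted before they are attached to a bug or shared. The script below is an added example written for this page, not code from the reporter, Samba or Solaris. It parses Solaris syslog lines in the layout shown above, classifies pam_winbind and sshd events, redacts logged credentials, and flags a user whose failed attempts inside a sliding window reach the lockout policy the reporter describes (5 in 60 seconds); the year 2006, that threshold and window, and the placeholder credential in the constructed sample log are assumptions.

```python
"""Summarise pam_winbind / sshd failures in a Solaris authlog and redact
the credentials that pam_winbind's debug level writes in the clear."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_YEAR = 2006  # assumed: Solaris syslog lines carry no year; this thread is from Feb 2006

# "Mon DD HH:MM:SS host prog[pid]: [ID nnnnnn facility.level] message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:\[ID (?P<msgid>\d+) (?P<sev>[\w.]+)\] )?(?P<msg>.*)$"
)
CRED_RE = re.compile(r"(with password `)[^']*(')")          # pam_winbind debug credential echo
USER_RE = re.compile(r"user [`'](?P<user>[^']+)'")            # user `name' or user 'name'
STATUS_RE = re.compile(r"NT error was (?P<status>NT_STATUS_\w+)")
SSHD_RE = re.compile(r"PAM: Authentication (?:failed|token manipulation error) for (?P<user>\S+)")


def redact(line):
    """Replace the cleartext credential that pam_winbind logs at debug level."""
    return CRED_RE.sub(r"\1[REDACTED]\2", line)


def parse(line):
    """Split one syslog line into timestamp, program, pid and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def classify(ev):
    """Map one parsed line to an event name, or None for lines that are only noise."""
    msg = ev["msg"]
    if "with password `" in msg:
        return "credential_logged"
    st = STATUS_RE.search(msg)
    if st:
        return {"NT_STATUS_PASSWORD_EXPIRED": "password_expired",
                "NT_STATUS_WRONG_PASSWORD": "wrong_password"}.get(st["status"], "other_nt_error")
    if "needs new password" in msg:
        return "new_password_required"
    if "denied access" in msg:          # one line per rejected attempt, names the user
        return "denied"
    if ev["prog"] == "sshd" and SSHD_RE.search(msg):
        return "sshd_auth_failed"
    return None


def analyze(lines, threshold=5, window_seconds=60):
    """Count events, redact every line, and flag users whose denials within
    window_seconds reach threshold (assumed lockout policy: 5 in 60 s)."""
    counts = Counter()
    recent = defaultdict(deque)     # user -> timestamps of recent denials
    alerts, redacted = [], []
    window = timedelta(seconds=window_seconds)
    for raw in lines:
        line = raw.rstrip("\n")
        redacted.append(redact(line))
        ev = parse(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "denied":
            um = USER_RE.search(ev["msg"])
            user = um["user"] if um else "?"
            q = recent[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) == threshold:     # alert once, when the window first fills
                alerts.append((user, ev["ts"].strftime("%b %d %H:%M:%S")))
    return {"counts": dict(counts), "lockout_risk": alerts, "redacted": redacted}


# Constructed sample modelled on the authlog excerpt in this report (placeholder credential)
SAMPLE_LOG = """\
Feb 10 03:22:53 hermione pam_winbind[1356]: [ID 789278 auth.info] Verify user `bspeide' with password `Secret123'
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Password expired, PAM error was 18, NT error was NT_STATUS_PASSWORD_EXPIRED
Feb 10 03:22:59 hermione pam_winbind[1356]: [ID 775411 auth.notice] user 'bspeide' needs new password
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 467601 auth.error] request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD
Feb 10 03:23:06 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:12 hermione pam_winbind[1356]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:20 hermione pam_winbind[1358]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:35 hermione pam_winbind[1359]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione pam_winbind[1360]: [ID 678512 auth.warning] user `bspeide' denied access (incorrect password or invalid membership)
Feb 10 03:23:42 hermione sshd[1357]: [ID 800047 auth.error] error: PAM: Authentication failed for bspeide from sol-zun-qvra02.ad.qintra.com
Feb 10 03:25:55 hermione su: [ID 509786 auth.debug] roles pam_sm_authenticate, service = su user = root ruser = not set rhost = hermione
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print("events:", result["counts"])
    print("lockout risk:", result["lockout_risk"])
    print("\n".join(result["redacted"]))
```

Run it against a real authlog.debug with `analyze(open(path))` (the file object yields lines); the `redacted` list is what is safe to paste into a ticket, and the `lockout_risk` entries show where a looping password-change prompt like the one in this report would have tripped the domain lockout.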
Bruce, could you please check if your issue is resolved with samba 3.0.23rc2 ?
closing. no response from poster.