The Samba-Bugzilla – Bug 3969
3.0.23a all AD accounts password expired
Last modified: 2011-03-20 22:06:10 UTC
Since installing 3.0.23a all AD accounts are expired when using winbind on solaris 10.
The same behaviour is observed on FreeBSD x86
Guenther, please take a look at this. Thanks,
*** Bug 3975 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> *** Bug 3975 has been marked as a duplicate of this bug. ***
In our Win2k3 AD environment password expire is not used.
We found that a good work-around was to set a password expiration of 365 days (any will work, as long as it's greater than 0).
We concluded that Samba interprets the "Never expire" group policy as already expired. Apparently the group policy for "Never expire" actually sets it to expire in 0 days, which Samba reads as "expire immediately".
Created attachment 2088 [details]
pam_winbind expiry hotfix
This is not the final fix but should work for now.
Now pam_winbind permits login even if the user types wrong password, i.e. anyone can login to the system without knowing the correct password.
However, "password expired" message has gone.
Created attachment 2100 [details]
Fix bad time comparison
Fix the unsigned time_t values
Fixing for 3.0.23c