setup: a samba 3.3.2 client using winbind against a windows 2003 domain. pam_winbind is setup in pam to authenticate users. Debug show that password policy has expire= -1 (i.e. never expires) Here the full log of pam with debug: pam_winbind(login:auth): [pamh: 0x8dd7170] ENTER: pam_sm_authenticate (flags: 0x0000) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_SERVICE) = "login" (0x8dd7228) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_USER) = "blindaue" (0x8dd7238) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_TTY) = "tty3" (0x8dde730) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_USER_PROMPT) = "login: " (0x8dde740) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_CONV) = 0x8dd7248 pam_winbind(login:auth): getting password (0x00001281) pam_winbind(login:auth): Verify user 'blindaue' pam_winbind(login:auth): enabling krb5 login flag pam_winbind(login:auth): enabling cached login flag pam_winbind(login:auth): request wbcLogonUser succeeded pam_winbind(login:auth): user 'blindaue' granted access pam_winbind(login:auth): Password has expired (Password was last set: 1221643511, the policy says it should expire here 1221643510 (now it's: 1239188640)) pam_winbind(login:auth): [pamh: 0x8dd7170] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_SERVICE) = "login" (0x8dd7228) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_USER) = "blindaue" (0x8dd7238) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_TTY) = "tty3" (0x8dde730) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_AUTHTOK) = 0x8ddfe80 pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_USER_PROMPT) = "login: " (0x8dde740) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: ITEM(PAM_CONV) = 0x8dd7248 pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD) = "27" (0x8ddff88) pam_winbind(login:auth): [pamh: 0x8dd7170] STATE: DATA(PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH) = "1" (0x8de0a10) pam_winbind(login:account): [pamh: 0x8dd7170] ENTER: pam_sm_acct_mgmt (flags: 0x0000) pam_winbind(login:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set pam_winbind(login:account): user 'blindaue' needs new password pam_winbind(login:account): [pamh: 0x8dd7170] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD)
Problem found: wbcUserPasswordPolicyInfo defines "expire" as uint64_t "if (policy->expire <=0)" will always be true replace the test by == -1 and the problem is solved.
Created attachment 4056 [details] fix the test to look for negative values
Created attachment 4116 [details] Patch for 3-3-test This is the patch that went into master/v3-4-test
Doesn't this generate a warning on 32-bit boxes? Shouldn't this be an explicit == (uint64_t)-1 ? Volker
no warning seen with gcc 4.3.2 (configure --enable-developer)
I'd still feel better with the explicit cast, but if that isn't possible and the bug is fixed on both 32 and 64 bit, then I'm certainly ok with it. Volker
Yeah, also got not warning, I'll add the explicit typecast and repost 3-3 patches.
Created attachment 4243 [details] revised version of that patch This is the patch that should go into 3.3
*** Bug 6452 has been marked as a duplicate of this bug. ***
Karolin, we missed this one here for 3.3.5 unfortunately. really needs to get into 3.3 and 3.4.
In some AD account I found policy->expire to be 0 and pass_must_change_time vith value in the future (so the account is active) With the suggested patch (passing from <=0 to == -1) accounts like this are not allowed to login since the second time _pam_send_password_expiry_message il called, next_change = info->pass_last_set_time + policy->expire and so the login fail. I don't know the real reason in AD for expire = 0 but I suggest to consider to add to the test also policy->expire == 0
ok, this needs further investigation.
Created attachment 4317 [details] 3-3: final version of the patch This is a very important fix for 3.3
Created attachment 4318 [details] 3-4: final version of the patch
Comment on attachment 4318 [details] 3-4: final version of the patch Look good to me ! Jeremy.
Comment on attachment 4317 [details] 3-3: final version of the patch Looks good to me ! Jeremy.
Ok, Karolin, please push to 3.3 and 3.4. Thanks.
Pushed. Closing out bug report. Thanks!