Bug 567525

Summary: winbind broken with AD/DSFW Domain Authentication
Product: [openSUSE] openSUSE 11.2
Reporter: Casper Pedersen <casper.pedersen>
Component: Samba
Assignee: James McDonough <jmcdonough>
Status: RESOLVED WONTFIX
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Severity: Major
Priority: P3 - Medium
CC: forgotten_PyStJIRVdE, samba-maintainers
Version: Final
Target Milestone: ---
Hardware: i586
OS: Other
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Casper Pedersen 2009-12-29 11:30:27 UTC
Setting up winbind to do authentication against an AD or DSFW domain does not work.

To duplicate:

- set up Kerberos to use the realm from the domain (verify with 'kinit <user>@realm')
- use 'Windows Domain Membership' to insert the computer into the domain
- verify that the computer is in cn=Computers,dc=domain
- verify that users are found (getent passwd)
- if not found add in [global] to smb.conf:
  winbind enum users = yes
  winbind enum groups = yes
- restart winbind or reboot computer

Now when one tries to log in with DOMAIN\user, one gets

Your password has expired
Changing password for DOMAIN\test
(current) NT password:

And in /var/log/messages:
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:auth): user 'DOMAIN\test' granted access
Dec 29 12:27:34 opensuse sshd[5806]: pam_krb5[5806]: account checks fail for 'SITE\test': user is unknown or account expired (ignoring)
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): user 'SITE\test' needs new password
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:chauthtok): getting password (0x000001a0)


The password is not expired.

This works if one is using SLED10SP2, which ships with a different version of winbind (samba-winbind-3.2.7-11.6) than openSUSE 11.2 (samba-winbind-3.4.2-1.1.3.1.i586).
Comment 1 Casper Pedersen 2009-12-30 14:18:54 UTC
After a bit more research it looks like this is an issue with password expiration.

If 'userAccessControl' (user attribute) is set to the default, which is 0x200, the above happens, but if one sets it to 0x10200, which adds the "DONT_EXPIRE_PASSWORD" flag to 'userAccessControl', the user can log in without issues.

It looks like pam_winbind does not handle this correctly.
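The flag arithmetic in Comment 1, as an added example (not code from the report or from Samba): 0x200 is NORMAL_ACCOUNT, and OR-ing in 0x10000 (DONT_EXPIRE_PASSWORD) gives 0x10200. The attribute the report calls 'userAccessControl' is userAccountControl in Active Directory; the flag constants below are the documented MS-ADTS values, the LDIF snippet is constructed sample data, and the helper names are the example's own.

```python
"""Decode and audit the AD userAccountControl (UAC) bit field.

Added example for bug 567525; not code from Samba or from the reporter.
The LDIF at the bottom is constructed sample data, not real domain output.
"""
from __future__ import annotations

import re

# Documented userAccountControl flag values (MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
}

# Flags that weaken an account; the first is exactly the workaround from
# Comment 1, so this list lets you find accounts that were left in that state.
RISKY = ("DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD", "DONT_REQ_PREAUTH",
         "TRUSTED_FOR_DELEGATION")


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in `value`, lowest bit first."""
    ordered = sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if value & bit]


def password_can_expire(value: int) -> bool:
    """True when the domain password-age policy applies to the account."""
    return not value & UAC_FLAGS["DONT_EXPIRE_PASSWORD"]


def with_dont_expire(value: int) -> int:
    """The reporter's workaround: 0x200 -> 0x10200 (idempotent)."""
    return value | UAC_FLAGS["DONT_EXPIRE_PASSWORD"]


def parse_ldif_uac(ldif: str) -> dict[str, int]:
    """Map sAMAccountName -> userAccountControl from ldapsearch-style LDIF."""
    accounts: dict[str, int] = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        name = uac = None
        for line in entry.splitlines():
            key, _, val = line.partition(": ")
            if key == "sAMAccountName":
                name = val.strip()
            elif key == "userAccountControl":
                uac = int(val)
        if name is not None and uac is not None:
            accounts[name] = uac
    return accounts


def audit(ldif: str) -> dict[str, list[str]]:
    """Accounts carrying any RISKY flag, with the offending flag names."""
    findings: dict[str, list[str]] = {}
    for name, uac in parse_ldif_uac(ldif).items():
        hits = [flag for flag in RISKY if uac & UAC_FLAGS[flag]]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: 'test' has the workaround applied (66048 == 0x10200),
# 'alice' is a plain NORMAL_ACCOUNT (512 == 0x200).
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=domain
sAMAccountName: test
userAccountControl: 66048

dn: CN=alice,CN=Users,DC=domain
sAMAccountName: alice
userAccountControl: 512
"""

if __name__ == "__main__":
    for name, uac in parse_ldif_uac(SAMPLE_LDIF).items():
        print(f"{name}: 0x{uac:x} {decode_uac(uac)} "
              f"expires={password_can_expire(uac)}")
    print("audit:", audit(SAMPLE_LDIF))
```

Setting DONT_EXPIRE_PASSWORD confirms the diagnosis (pam_winbind stops demanding a new password), but it also switches off password ageing for that account, so it is a diagnostic step rather than a fix; run `audit()` over a real export afterwards to make sure no account was left with the flag.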
Comment 2 Bo Yang 2010-02-26 02:34:49 UTC
Reassigning.
Comment 3 James McDonough 2016-05-31 14:33:01 UTC
Please reopen if this still occurs with 13.2 or 42.1