Bugzilla – Bug 567525
winbind broken with AD/DSFW Domain Authentication
Last modified: 2016-05-31 14:33:01 UTC
Setting up winbind to do authentication against an AD or DSFW domain does not work. To duplicate:

- setup Kerberos to use the realm from the domain (verify with 'kinit <user>@realm')
- use 'Windows Domain Membership' to insert the computer into the domain
- verify that the computer is in cn=Computers,dc=domain
- verify that users are found (getent passwd)
- if not found add in [global] to smb.conf:
  winbind enum users = yes
  winbind enum groups = yes
- restart winbind or reboot computer

Now when one tries to login with DOMAIN\\user one gets:

Your password has expired
Changing password for DOMAIN\test
(current) NT password:

And in /var/log/messages:

Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:auth): user 'DOMAIN\test' granted access
Dec 29 12:27:34 opensuse sshd[5806]: pam_krb5[5806]: account checks fail for 'SITE\test': user is unknown or account expired (ignoring)
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): user 'SITE\test' needs new password
Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:chauthtok): getting password (0x000001a0)

The password is not expired.

This works if one is using SLED10SP2 which is shipping with a different version of winbind (samba-winbind-3.2.7-11.6) vs OpenSuSE 11.2 (samba-winbind-3.4.2-1.1.3.1.i586).
After a bit more research it looks like this is an issue with Password Expiration. If 'userAccessControl' (user attribute) is set to default, which is 0x200, the above happens, but if one sets it to 0x10200, which adds the "DONT_EXPIRE_PASSWORD" flag to 'userAccessControl', the user can login without issues. It looks like pam_winbind does not handle this correctly.
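The two comments above describe the same symptom from two angles: the /var/log/messages lines show winbind granting access and then forcing a password change in the same sshd session, and the follow-up narrows it to the account-control flags (0x200 versus 0x10200). The script below is an added triage example, not part of the bug report or of Samba; it decodes the documented userAccountControl bit values and scans pam_winbind log lines for the "granted access, then PAM_WINBIND_NEW_AUTHTOK_REQD" pattern so an administrator can spot affected sessions before touching account flags. The sample log lines are constructed from the ones quoted in the report; the function names and the regular expression are the example's own assumptions.

```python
"""Decode userAccountControl bits and triage pam_winbind log lines (added example)."""
import re
from collections import defaultdict

# Well-known userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def password_never_expires(value):
    """True when DONT_EXPIRE_PASSWORD (0x10000) is set, as in the 0x10200 workaround."""
    return bool(value & 0x10000)


# Matches a syslog line emitted by pam_winbind, e.g.
# "Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:auth): user 'DOMAIN\test' granted access"
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$"
)


def triage_pam_winbind(lines):
    """Group pam_winbind messages per PID and record whether auth succeeded and a new token was demanded."""
    sessions = defaultdict(lambda: {"granted": False, "new_authtok_reqd": False, "users": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # pam_krb5 and other modules are outside this check
        session = sessions[m.group("pid")]
        msg = m.group("msg")
        user = re.search(r"user '([^']+)'", msg)
        if user:
            session["users"].add(user.group(1))
        if m.group("stage") == "auth" and "granted access" in msg:
            session["granted"] = True
        if "PAM_WINBIND_NEW_AUTHTOK_REQD" in msg:
            session["new_authtok_reqd"] = True
    return dict(sessions)


def forced_change_sessions(lines):
    """PIDs where winbind granted access and then forced a password change in the same session."""
    return sorted(pid for pid, s in triage_pam_winbind(lines).items()
                  if s["granted"] and s["new_authtok_reqd"])


# Constructed sample: the lines quoted in the report, with a harmless unrelated line added.
SAMPLE_LOG = [
    r"Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:auth): user 'DOMAIN\test' granted access",
    r"Dec 29 12:27:34 opensuse sshd[5806]: pam_krb5[5806]: account checks fail for 'SITE\test': user is unknown or account expired (ignoring)",
    r"Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set",
    r"Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:account): user 'SITE\test' needs new password",
    r"Dec 29 12:27:34 opensuse sshd[5806]: pam_winbind(sshd:chauthtok): getting password (0x000001a0)",
    r"Dec 29 12:30:01 opensuse sshd[5910]: pam_winbind(sshd:auth): user 'DOMAIN\alice' granted access",
]

if __name__ == "__main__":
    print("0x200   ->", decode_uac(0x200))
    print("0x10200 ->", decode_uac(0x10200))
    for pid in forced_change_sessions(SAMPLE_LOG):
        users = ", ".join(sorted(triage_pam_winbind(SAMPLE_LOG)[pid]["users"]))
        print(f"pid {pid}: auth granted but new password demanded for {users}")
```

Run it against a copy of /var/log/messages to list the sessions that hit the pattern, then compare the affected accounts' userAccountControl value (via ldapsearch or the domain tools) with what decode_uac reports; a session flagged here whose account has neither PASSWORD_EXPIRED nor an actually expired password is the case the report describes.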
reassigning..
Please reopen if this still occurs with 13.2 or 42.1