I'm trying to configure my Solaris 9 pam.conf for CDE login with password
expiration, using ADS security on W2003. If my AD account password is in good
standing, my config in /etc/pam.conf works great. However, I'm having trouble
getting it to recognize that my AD password has expired and to ask me to reset
it on the CDE screen. With the config below, it just tells me "login
incorrect". Any ideas?

My /opt/samba/smb.conf file looks like:

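# smb.conf as posted, with the mail transfer-encoding residue decoded ("=3D"
# back to "=", "=20" back to a blank line, and the soft line break inside
# "socket options" rejoined) so the listing reads as a valid file.
# Comments are kept on their own lines; smb.conf has no trailing-comment syntax.
[global]
# Short domain name and Kerberos realm of the AD domain this host belongs to.
workgroup = QACCESST
realm = QACCESST.ADTEST.AD.LAB
server string = %h server (Samba %v)
# Domain-member mode: authentication is handed to the AD domain controllers.
security = ADS
# NOTE(review): "update encrypted", "pam password change", "passwd program"
# and "unix password sync" control how smbd maintains local password
# databases when an SMB client logs in or changes a password. They are
# presumably not involved in prompting for an expired AD password at dtlogin,
# which goes through the pam_winbind entries in /etc/pam.conf. Confirm they
# are still wanted on an ADS member.
update encrypted = Yes
# smbd honours PAM account and session rules for SMB logons.
obey pam restrictions = Yes
# Allows rights to be granted to users and groups; review who holds them.
enable privileges = Yes
pam password change = Yes
# With "unix password sync = Yes" smbd runs this program as root, with %u
# replaced by the user name, whenever an SMB password is changed.
passwd program = /bin/passwd %u
# This file rewrites client-supplied user names before authentication, so it
# should be writable by root only.
# NOTE(review): path is under /etc/samba while the config lives in /opt/samba;
# confirm the file exists where smbd looks for it.
username map = /etc/samba/smbusers
unix password sync = Yes
# Debug-level logging: useful while troubleshooting, but verbose and likely to
# record user names and authentication detail. Lower it afterwards and keep
# the log directory readable by root only.
log level = 5
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
local master = No
domain master = No
dns proxy = No
# NOTE(review): LDAP connections governed by this option are not protected by
# SSL/TLS. Which connections it covers depends on the Samba version; confirm.
ldap ssl = no
# Ranges winbind allocates Unix IDs from. They must not overlap IDs used by
# local accounts or another name service; confirm nothing local sits at or
# above 500 on this host.
idmap uid = 500-100000000
idmap gid = 500-100000000
template shell = /bin/bash
# Seconds winbindd caches user and group information.
winbind cache time = 10
# Domain users appear without a DOMAIN prefix, so an AD user name can collide
# with a local account of the same name.
winbind use default domain = Yes
# NOTE(review): with this set, users of the host's own domain are expected to
# map onto Unix accounts of the same name rather than winbind-allocated IDs.
# Confirm that matching local (or NIS/LDAP) accounts exist.
winbind trusted domains only = Yes
winbind nested groups = Yes

[homes]
# %S is the share name, so each home share is limited to the user it is named
# after; the share is writable and hidden from browse lists.
valid users = %S
read only = No
browseable = No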

/etc/nsswitch.conf:

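# nsswitch.conf as posted, with the "=20" residue decoded to a blank line and
# the hard-wrapped netgroup comment rejoined.
# Local files are consulted before winbind, so a local account or group
# shadows an AD one with the same name.
passwd: files winbind
group: files winbind
# NOTE(review): winbind is also listed as a host-name source here; confirm the
# installed nss_winbind supports host lookups and that this is intended.
hosts: files dns winbind
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files

auth_attr: files
prof_attr: files
project: files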

/etc/pam.conf (snipped for the dtlogin section only):

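# pam.conf excerpt as posted, with each entry rejoined onto one line (the mail
# client had wrapped the options onto the following line, which also left the
# tails of commented-out entries looking like live text).
# Field order: service, module type, control flag, module path, options.
# The "debug" option is set almost everywhere; it is verbose in syslog and is
# best removed once troubleshooting is finished.
#
# CDE login and screenlock
#
# --- auth stack ---
# NOTE(review): pam_winbind is first and "sufficient". A success ends the
# stack; any other result is not fatal and the stack falls through to the
# local-password modules below, which cannot verify an AD-only account.
# Presumably the status pam_winbind returns for an expired AD password is lost
# this way and surfaces as a generic "login incorrect". Compare with the debug
# output in syslog before changing anything.
# NOTE(review): "use_first_pass" is used before any module in this stack has
# collected a password; confirm dtlogin supplies one. "use_authtok" is
# conventionally a password-stack option; confirm it is accepted here.
dtlogin auth sufficient pam_winbind.so debug use_first_pass use_authtok
dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required pam_dhkeys.so.1 debug
#dtlogin auth optional pam_krb5.so use_first_pass creds debug
# NOTE(review): both modules that actually check a password (pam_winbind and
# pam_unix_auth) are "sufficient"; the requisite/required entries only collect
# the password and handle keys. Test that a wrong password is rejected for
# local and AD accounts. Marking the last verifier "required" is the usual way
# to guarantee that.
dtlogin auth sufficient pam_unix_auth.so.1 debug try_first_pass
#dtlogin auth sufficient pam_dial_auth.so.1 debug
#
# --- account stack ---
# NOTE(review): pam_roles, pam_projects and pam_unix_account are commented
# out, so pam_winbind is the only account check for dtlogin. pam_roles is the
# module that refuses direct logins to role accounts, and pam_unix_account
# applies local password aging and account expiry. Confirm that dropping both
# is intended and that local accounts still behave as expected.
#dtlogin account requisite pam_roles.so.1 debug
#dtlogin account requisite pam_projects.so.1 debug
#dtlogin account sufficient pam_unix_account.so.1 debug
dtlogin account required pam_winbind.so use_authtok
#
# --- password stack ---
# NOTE(review): the only active entry is pam_winbind with "use_authtok", which
# asks a module to take the new password from an earlier module instead of
# prompting. With pam_authtok_get commented out nothing earlier collects one,
# so a forced password change would presumably have no new password to use.
# Verify against the pam_winbind documentation for the installed version.
#dtlogin password sufficient pam_dhkeys.so.1 debug
#dtlogin password requisite pam_authtok_get.so.1 debug
#dtlogin password requisite pam_authtok_check.so.1 debug
#dtlogin password sufficient pam_authtok_store.so.1 debug
dtlogin password required pam_winbind.so debug use_authtok
#
# --- screen unlock ---
# AD credentials are tried first; pam_unix.so.1 is the required fallback.
dtsession auth sufficient pam_winbind.so debug try_first_pass
dtsession auth required pam_unix.so.1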

Thanks in advance!
Bruce