[Samba] winbind forced password change requires interactive shell - Samba


Thread: [Samba] winbind forced password change requires interactive shell

  1. [Samba] winbind forced password change requires interactive shell


    We've discovered that although Winbind supports password changes when the
    account password is expired, this only works with *interactive* shells.
    This is a major problem for us. Use case 1: SSH tunnels:

    $ ssh user2@localhost -N -L 4711:localhost:22
    user2@localhost's password:

    channel 2: open failed: administratively prohibited: open failed

    As you can see, in this case, the user gets no hint whatsoever that the
    password has expired. Use case 2: Executing a command:

    $ ssh user2@localhost /usr/bin/env
    user2@localhost's password:
    WARNING: Your password has expired.
    Password change required but no TTY available.

    Here you will at least know what's going on, but you have no chance of
    changing the password.

    Is this really the intended behaviour? To me, it looks like the password
    changing is done too late; when starting an interactive session, rather
    than in the authentication phase. Why? With the SSH keyboard-interactive
    authentication, a password change interaction with the user should be
    possible.

    I've tried with samba-3.0.25b-1.el5_1.4 on RHEL5, but also
    samba-3.0.23c-2. Of course, this might be something specific to Red Hat,
    but I'm fairly sure we have seen this on SLED10 as well.

    I've also tried running pam_winbind with debugging. When logging in
    non-interactively, I'll get:

    sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2
    sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001)
    sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011)
    sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password
    sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2'
    sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
    sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required
    sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0
    sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
    sshd[12345]: pam_winbind(sshd:account): user 'user2' OK
    sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
    sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password
    sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12
    sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002)
    sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
    sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
    sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008)
    sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented
    sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0

    When interactive, I'll get:

    sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2
    sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001)
    sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011)
    sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password
    sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2'
    sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
    sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required
    sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] LEAVE: pam_sm_authenticate returning 0
    sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
    sshd[12345]: pam_winbind(sshd:account): user 'user2' OK
    sshd[12345]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
    sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password
    sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12
    sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002)
    sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
    sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
    sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008)
    sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented
    sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
    passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x4000)
    passwd: pam_winbind(passwd:chauthtok): username [user2] obtained
    passwd: pam_winbind(passwd:chauthtok): user 'user2' OK
    passwd: pam_winbind(passwd:chauthtok): getting password (0x00000021)
    passwd: pam_winbind(passwd:chauthtok): request failed: Must change password, PAM error was Authentication token is no longer valid; new one required (12), NT error was NT_STATUS_PASSWORD_MUST_CHANGE
    passwd: pam_winbind(passwd:chauthtok): user 'user2' new password required
    passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] LEAVE: pam_sm_chauthtok returning 0
    passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x2000)
    passwd: pam_winbind(passwd:chauthtok): username [user2] obtained
    passwd: pam_winbind(passwd:chauthtok): user 'user2' OK
    passwd: pam_winbind(passwd:chauthtok): getting password (0x00000001)
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0004)
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_close_session (flags: 0x0004)
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_close_session returning 0
    sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0
    sshd[12345]: pam_unix(sshd:session): session closed for user user2


    (pids and addresses normalized). A "diff" indicates that the only
    difference is that the interactive session does
    "pam_winbind(passwd:chauthtok)"; this never happens when running a
    command or just using tunnels. Any ideas?


    Best regards,
    ---
    Peter Åstrand ThinLinc Chief Developer
    Cendio AB http://www.cendio.se
    Wallenbergs gata 4
    583 30 Linköping Phone: +46-13-21 46 00
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
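The trace above shows the audit signal a defender can act on: pam_winbind's account phase logs "needs new password" and sshd still accepts the login, but a password-change conversation (the `passwd:chauthtok` lines) only ever appears for the interactive session. The following script is an added example for this thread, not Samba project code; it scans pam_winbind debug output in the "proc[pid]: module(service:type): message" shape seen in the post (syslog timestamp and host already stripped) and reports users who were admitted with an expired password without a change dialogue being started. The sample log is constructed from trimmed copies of the two traces, with a second invented user ("user3") standing in for the interactive case so both outcomes appear in one scan.

```python
"""Scan pam_winbind debug output for SSH logins where the account phase
reported an expired password but no password-change dialogue followed.

Added example for this thread, not code from the Samba project.  Line
layout assumed: "proc[pid]: module(service:type): message", as in the
post (no syslog timestamp/host prefix)."""
import re

LINE_RE = re.compile(r"^(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")
NEEDS_RE = re.compile(r"pam_winbind\(sshd:account\): user '(?P<user>[^']+)' needs new password")
CHAUTHTOK_RE = re.compile(r"pam_winbind\(passwd:chauthtok\): username \[(?P<user>[^\]]+)\] obtained")

# Constructed sample: trimmed from the two traces in the post.  "user2" is the
# non-interactive case (no chauthtok), "user3" is an invented user standing in
# for the interactive case so the two outcomes can be told apart in one scan.
SAMPLE_LOG = """\
sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2'
sshd[12345]: pam_winbind(sshd:auth): user 'user2' new password required
sshd[12345]: pam_winbind(sshd:account): user 'user2' needs new password
sshd[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12
sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2
sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
sshd[12347]: pam_winbind(sshd:auth): Verify user 'user3'
sshd[12347]: pam_winbind(sshd:account): user 'user3' needs new password
sshd[12347]: Accepted password for user3 from 127.0.0.1 port 4712 ssh2
sshd[12347]: pam_unix(sshd:session): session opened for user user3 by (uid=0)
passwd: pam_winbind(passwd:chauthtok): [pamh: 0x09fc4b10] ENTER: pam_sm_chauthtok (flags: 0x4000)
passwd: pam_winbind(passwd:chauthtok): username [user3] obtained
passwd: pam_winbind(passwd:chauthtok): user 'user3' OK
sshd[12347]: pam_unix(sshd:session): session closed for user user3
"""


def audit_expired_logins(log_text):
    """Return {user: {"pid": sshd pid, "changed": bool}} for every user whose
    sshd account phase logged 'needs new password'.  "changed" becomes True
    once a passwd:chauthtok conversation names that user.  The passwd lines
    carry no pid in the trace, so correlation is by user name and log order."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line in the expected shape; skip it
        msg = m.group("msg")
        needs = NEEDS_RE.search(msg)
        if needs:
            findings[needs.group("user")] = {"pid": m.group("pid"), "changed": False}
            continue
        chg = CHAUTHTOK_RE.search(msg)
        if chg and chg.group("user") in findings:
            findings[chg.group("user")]["changed"] = True
    return findings


def users_without_change(log_text):
    """Users admitted with an expired password and never offered a change."""
    return sorted(u for u, f in audit_expired_logins(log_text).items()
                  if not f["changed"])


if __name__ == "__main__":
    for user, f in audit_expired_logins(SAMPLE_LOG).items():
        state = ("password change dialogue seen" if f["changed"]
                 else "NO password change (non-interactive login?)")
        print(f"{user} (sshd pid {f['pid']}): {state}")
```

The script only checks that a chauthtok conversation was started for the user; the post's interactive trace shows the PAM_PRELIM_CHECK phase (flags 0x4000) returning 0 but does not include the return of the update phase (0x2000), so whether the change actually succeeded has to be confirmed from a later "LEAVE: pam_sm_chauthtok" line or from the domain controller's own audit log.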

  2. [Samba] Re: winbind forced password change requires interactive shell

    On Sun, 20 Jan 2008, Peter Åstrand wrote:

    > We've discovered that although Winbind supports password changes when the
    > account password is expired, this only works with *interactive* shells.


    It turns out that I had forgotten to configure SSH for
    "keyboard-interactive". With this setting, things work as intended, at
    least on the RHEL5 system I'm testing now.

    Rgds,
    ---
    Peter Åstrand ThinLinc Chief Developer
    Cendio AB http://www.cendio.se
    Wallenbergs gata 4
    583 30 Linköping Phone: +46-13-21 46 00
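The reply does not say which sshd settings "configure SSH for keyboard-interactive" means. The checker below is an added example for this thread, not Samba or OpenSSH project code, and rests on OpenSSH background not stated in the thread: the keyboard-interactive method is switched by `ChallengeResponseAuthentication` on older releases and `KbdInteractiveAuthentication` on newer ones, sshd only talks to PAM at all with `UsePAM yes`, and for each keyword sshd keeps the first value it reads and ignores later duplicates. The weak and corrected configurations are constructed samples; the weak one is what a client falling back to the plain `password` method sees, which is the behaviour the first post describes.

```python
"""Audit an sshd_config for the settings that let sshd relay a PAM
password-change dialogue during authentication (keyboard-interactive).

Added example for this thread, not Samba or OpenSSH project code.
Assumed OpenSSH behaviour (not stated in the thread): first occurrence of
a keyword wins; keyboard-interactive is controlled by
ChallengeResponseAuthentication (older) / KbdInteractiveAuthentication
(newer); PAM is only used with "UsePAM yes"."""
import re

# Constructed sample resembling a hardened-but-wrong setup: PAM on, but the
# keyboard-interactive method disabled, so sshd can only do the plain
# "password" method and pam_winbind never gets to prompt for a new password.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed corrected sample: keyboard-interactive enabled and the plain
# password method switched off so clients cannot pick the method that skips
# the change dialogue.
FIXED_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.  First
    occurrence wins, as sshd does; parsing stops at the first Match block
    because values inside it apply only to the matched connections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def keyboard_interactive_enabled(settings):
    """True when sshd offers the keyboard-interactive method.  Upstream
    default for ChallengeResponseAuthentication is yes; an explicit
    KbdInteractiveAuthentication line takes precedence when present."""
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    return kbd.lower() == "yes"


def audit(text):
    """Return a list of findings; an empty list means the config lets
    pam_winbind run its expired-password change during authentication."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("usepam", "no").lower() != "yes":  # upstream default is no
        findings.append("UsePAM is not 'yes': pam_winbind is never consulted")
    if not keyboard_interactive_enabled(s):
        findings.append("keyboard-interactive disabled: expired-password "
                        "changes only possible after an interactive TTY login")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: clients may still pick "
                        "the plain method and miss the change dialogue")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

On the client side nothing needs changing in the default case, since OpenSSH's default `PreferredAuthentications` order tries keyboard-interactive before password; a client that pins `PreferredAuthentications password` would still hit the behaviour in the first post even against the corrected server.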
