Re: pam_unix password expiry

On Wed, Jul 16, 2003 at 12:37:52PM +1000, John Newbigin wrote:
> I have a setup where I have both shadow passwords and smbpasswd 
> passwords.  system-auth is below.

> I have a problem with forcing password changes on login.  From what I 
> can tell, account pam_unix is requesting the password change with 
> PAM_NEW_AUTHTOK_REQD.  From there though, the password change procedure 
> is not the same as when passwd is launched from the command line.  The 
> end result is that the SMB password is not updated when the password is 
> changed on login.

> Any ideas anyone?

Until recently, pam_smbpass would look at the 'expired' flag being
passed by PAM and, if the Samba password was not expired, it would not
effect a password change.  However, since most people have password
synchronization specifically in mind when stacking password modules,
I've decided to ignore this flag -- upgrading pam_smbpass to a more
recent version (e.g., 2.2.8a) should fix this problem for you.  You
should be able to upgrade pam_smbpass without affecting the rest of the
Samba installation.

Steve Langasek
postmodern programmer

> -- a normal password change
> $ passwd
> Changing password for jnewbigin
> Current SMB password:
> New LINUX password:
> Retype new LINUX password:
> passwd: all authentication tokens updated successfully
> $
> -- a change on login
> $ ssh jnewbigin mercury
> jnewbigin mercury's password:
> You are required to change your password immediately (root enforced)
> Warning: Your password has expired, please change it now
> Changing password for jnewbigin
> (current) UNIX password:
> New LINUX password:
> Retype new LINUX password:
> $
> It is a redhat 7.2 box.  Here is /etc/system-auth:
> auth        required      /lib/security/pam_env.so
> auth        requisite     /lib/security/pam_unix.so likeauth nullok
> auth        optional      /lib/security/pam_smbpass.so migrate
> account     required      /lib/security/pam_unix.so
> password    required      /lib/security/pam_cracklib.so retry=3 type=LINUX
> password    required      /lib/security/pam_smbpass2.so use_authtok try_first_pass migrate
> password    requisite     /lib/security/pam_unix.so use_authtok md5 shadow try_first_pass
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
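
The flag behaviour described in the reply above, as a simplified C model added here; it is not pam_smbpass source or code from this thread. `struct account`, the function names and the `honor_flag` switch are hypothetical, and only the `PAM_CHANGE_EXPIRED_AUTHTOK` value is taken from Linux-PAM's headers.

```c
#include <stdio.h>
#include <string.h>

/* Value as defined in Linux-PAM's <security/_pam_types.h>. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U

/* Constructed model of one user's two password databases. */
struct account {
    char unix_pw[32];
    char smb_pw[32];
    int  smb_expired;   /* Samba tracks expiry separately from shadow */
};

/* Hypothetical stand-in for the SMB module's password-change hook.
 * honor_flag=1 models the older behaviour (skip unless the SMB password
 * itself is expired); honor_flag=0 models ignoring the flag. */
static int smb_chauthtok(struct account *a, unsigned flags,
                         const char *newpw, int honor_flag)
{
    if (honor_flag && (flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !a->smb_expired)
        return 0;   /* reports success but leaves the SMB password as is */
    snprintf(a->smb_pw, sizeof a->smb_pw, "%s", newpw);
    a->smb_expired = 0;
    return 0;
}

/* In this scenario the UNIX password is the expired one, so the model
 * always changes it. */
static int unix_chauthtok(struct account *a, const char *newpw)
{
    snprintf(a->unix_pw, sizeof a->unix_pw, "%s", newpw);
    return 0;
}

/* Run the password stack in the posted order (SMB module, then UNIX)
 * and return 1 if both databases hold the same password afterwards. */
int stack_in_sync(unsigned flags, int honor_flag)
{
    struct account a = { "old", "old", 0 };
    smb_chauthtok(&a, flags, "new", honor_flag);
    unix_chauthtok(&a, "new");
    return strcmp(a.unix_pw, a.smb_pw) == 0;
}

int main(void)
{
    printf("passwd, flag honoured:        %d\n", stack_in_sync(0, 1));
    printf("forced change, flag honoured: %d\n", stack_in_sync(PAM_CHANGE_EXPIRED_AUTHTOK, 1));
    printf("forced change, flag ignored:  %d\n", stack_in_sync(PAM_CHANGE_EXPIRED_AUTHTOK, 0));
    return 0;
}
```

Only the middle case leaves the two passwords out of sync, which matches the difference between the two transcripts quoted above.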

