Description of problem: pam_winbind incorrectly detects password expiration dates. With debugging enabled, pam_winbind reports that password dates past 2038 are 'expired.' As a result, users are prompted to change passwords and are unable to login. Version-Release number of selected component (if applicable): samba-winbind-clients-3.5.3-61.fc13.i686 samba-winbind-3.5.3-61.fc13.i686 pam-1.1.1-4.fc13.i686 How reproducible: Very Steps to Reproduce: 1. Configure F13 for logins via winbind 2. Set password to expire after 2038 3. Try to log in (SSH, GDM, etc) Actual results: Fail. Expected results: Successful login. Additional info: Unfortunately I'm not a domain admin so I have no control over password policies. By default, passwords are set to expire +30 years from when they were last changed. As a result, all passwords are currently set to expire sometime in 2040. I will output from /var/log/security briefly
Created attachment 417287 [details] snippet from /var/log/security snippet from /var/log/security, key lines: May 27 09:31:13 f13 sshd[2210]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1263492838, the policy says it should expire here 2209572838 (now it's: 1274967073)) May 27 10:07:17 f13 sshd[2257]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1273151701, the policy says it should expire here 2219231701 (now it's: 1274969237))
Created attachment 417288 [details] All files from /etc/pam.d All of my PAM files from /etc/pam.d Debugging is still enabled.
Created attachment 417290 [details] samba configuration file I changed the domain/workgroup/realm names for privacy reasons.
I think it's relevant to this bug report. I just recently upgraded to F13. After an upgrade I was unable to login via GDM domain user. However, I was still able to login in text mode. I didn't test with ssh. My password was about to expire in 1 day. I found that /lib/security/pam_winbind.so was crashing. I found related stack traces in /var/log/messages log: Jun 19 14:01:13 emu gdm[15902]: ******************* START ********************************** Jun 19 14:01:13 emu gdm[15902]: [Thread debugging using libthread_db enabled] Jun 19 14:01:13 emu gdm[15902]: 0x00924424 in __kernel_vsyscall () Jun 19 14:01:13 emu gdm[15902]: #0 0x00924424 in __kernel_vsyscall () Jun 19 14:01:13 emu gdm[15902]: #1 0x00fc8293 in __waitpid_nocancel () from /lib/libpthread.so.0 Jun 19 14:01:13 emu gdm[15902]: #2 0x08055b49 in ?? () Jun 19 14:01:13 emu gdm[15902]: #3 0x08055c41 in ?? () Jun 19 14:01:13 emu gdm[15902]: #4 <signal handler called> Jun 19 14:01:13 emu gdm[15902]: #5 0x00924424 in __kernel_vsyscall () Jun 19 14:01:13 emu gdm[15902]: #6 0x003ebd31 in raise () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: #7 0x003ed60a in abort () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: #8 0x001b8264 in g_assertion_message () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: #9 0x0804f1bf in ?? () Jun 19 14:01:13 emu gdm[15902]: #10 0x00de2182 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #11 0x00de2347 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #12 0x00de3343 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #13 0x00de34e9 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #14 0x00de4f16 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #15 0x00de6627 in pam_sm_authenticate () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: #16 0x00c8641f in ?? () from /lib/libpam.so.0 Jun 19 14:01:13 emu gdm[15902]: #17 0x00c85c02 in pam_authenticate () from /lib/libpam.so.0 Jun 19 14:01:13 emu gdm[15902]: #18 0x0805198f in ?? () Jun 19 14:01:13 emu gdm[15902]: #19 0x0018e4e2 in ?? () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: #20 0x00190525 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: #21 0x00194268 in ?? () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: #22 0x001947af in g_main_loop_run () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: #23 0x0804beaf in ?? () Jun 19 14:01:13 emu gdm[15902]: #24 0x003d7cc6 in __libc_start_main () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: #25 0x0804bb91 in ?? () Jun 19 14:01:13 emu gdm[15902]: Jun 19 14:01:13 emu gdm[15902]: Thread 1 (Thread 0xb78cb930 (LWP 15874)): Jun 19 14:01:13 emu gdm[15902]: #0 0x00924424 in __kernel_vsyscall () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #1 0x00fc8293 in __waitpid_nocancel () from /lib/libpthread.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #2 0x08055b49 in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #3 0x08055c41 in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #4 <signal handler called> Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #5 0x00924424 in __kernel_vsyscall () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #6 0x003ebd31 in raise () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #7 0x003ed60a in abort () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #8 0x001b8264 in g_assertion_message () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #9 0x0804f1bf in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #10 0x00de2182 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #11 0x00de2347 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #12 0x00de3343 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #13 0x00de34e9 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #14 0x00de4f16 in ?? () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #15 0x00de6627 in pam_sm_authenticate () from /lib/security/pam_winbind.so Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #16 0x00c8641f in ?? () from /lib/libpam.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #17 0x00c85c02 in pam_authenticate () from /lib/libpam.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #18 0x0805198f in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #19 0x0018e4e2 in ?? () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #20 0x00190525 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #21 0x00194268 in ?? () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #22 0x001947af in g_main_loop_run () from /lib/libglib-2.0.so.0 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #23 0x0804beaf in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #24 0x003d7cc6 in __libc_start_main () from /lib/libc.so.6 Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: #25 0x0804bb91 in ?? () Jun 19 14:01:13 emu gdm[15902]: No symbol table info available. Jun 19 14:01:13 emu gdm[15902]: A debugging session is active. Jun 19 14:01:13 emu gdm[15902]: Jun 19 14:01:13 emu gdm[15902]: #011Inferior 1 [process 15874] will be detached. Jun 19 14:01:13 emu gdm[15902]: Jun 19 14:01:13 emu gdm[15902]: Quit anyway? (y or n) [answered Y; input not from terminal] Jun 19 14:01:13 emu gdm[15902]: ******************* END ********************************** I was able to workaround this problem by downgrading samba* packages from F12 updates.
Still having the same issue with the following samba/winbind packages: samba-common-3.5.4-62.fc13.i686 samba-winbind-3.5.4-62.fc13.i686 samba-winbind-clients-3.5.4-62.fc13.i686 Jul 2 08:23:01 f13 sshd[1676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=1xxxx-acct\yundtj Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): [pamh: 0x163d0e8] ENTER: pam_sm_authenticate (flags: 0x0001) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): getting password (0x00000211) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): pam_get_item returned a password Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): Verify user '1xxxx-acct\yundtj' Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): enabling cached login flag Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): request wbcLogonUser succeeded Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): user '1xxxx-acct\yundtj' granted access Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1263492838, the policy says it should expire here 2209572838 (now it's: 1278073381)) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): [pamh: 0x163d0e8] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): [pamh: 0x163d0e8] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): user '1xxxx-acct\yundtj' needs new password Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): [pamh: 0x163d0e8] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD) Jul 2 08:23:01 f13 sshd[1676]: Accepted password for 1xxxx-acct\\yundtj from 192.168.122.1 port 57981 ssh2 Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] ENTER: pam_sm_setcred (flags: 0x0002) Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jul 2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jul 2 08:23:01 f13 sshd[1676]: pam_unix(sshd:session): session opened for user 1xxxx-acct\yundtj by (uid=0) Jul 2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] ENTER: pam_sm_setcred (flags: 0x0002) Jul 2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jul 2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jul 2 08:23:01 f13 passwd: pam_unix(passwd:chauthtok): user "1xxxx-ACCT\yundtj" does not exist in /etc/passwd Jul 2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x8c990e0] ENTER: pam_sm_chauthtok (flags: 0x4000) Jul 2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): username [1xxxx-ACCT\yundtj] obtained Jul 2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): getting password (0x00000023)
Works fine for me with samba version 3.5.4-63.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Created attachment 462883 [details] :0-slave.log I reproduced this bug on F14. It only appears for me when GDM tries to display password expiration message. However I was able to login using text console. After I changed password using the smbpasswd -r <passworkd server> -U <user name> I was able to login with GDM as well.
I'm still having this issue in fedora 14 with the samba 3.5.6-71. Trying to log in via ssh still prompts me to erroneously change my password. Please let me know if logs, winbind configs or pam configs are needed from my F14 environment.
samba-3.5.8-74.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/samba-3.5.8-74.fc14
samba-3.5.8-74.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.