Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 596830 - pam_winbind fails to authenticate with AD (32bit vs 64bit time issue?)
pam_winbind fails to authenticate with AD (32bit vs 64bit time issue?)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: samba (Show other bugs)
14
i686 Linux
low Severity high
: ---
: ---
Assigned To: Guenther Deschner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-27 11:16 EDT by JYundt
Modified: 2011-03-19 06:30 EDT (History)
4 users (show)

See Also:
Fixed In Version: samba-3.5.8-74.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-03-19 06:30:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
snippet from /var/log/security (8.31 KB, text/plain)
2010-05-27 11:29 EDT, JYundt
no flags Details
All files from /etc/pam.d (2.96 KB, application/x-bzip)
2010-05-27 11:35 EDT, JYundt
no flags Details
samba configuration file (11.70 KB, application/octet-stream)
2010-05-27 11:42 EDT, JYundt
no flags Details
:0-slave.log (6.49 KB, text/plain)
2010-11-25 07:41 EST, Kazimieras Vaina
no flags Details

  None (edit)
Description JYundt 2010-05-27 11:16:18 EDT
Description of problem:
pam_winbind incorrectly detects password expiration dates.  With debugging enabled, pam_winbind reports that password dates past 2038 are 'expired.' As a result, users are prompted to change passwords and are unable to login.

Version-Release number of selected component (if applicable):

samba-winbind-clients-3.5.3-61.fc13.i686
samba-winbind-3.5.3-61.fc13.i686
pam-1.1.1-4.fc13.i686

How reproducible:
Very

Steps to Reproduce:
1. Configure F13 for logins via winbind
2. Set password to expire after 2038
3. Try to log in (SSH, GDM, etc)
  
Actual results:
Fail.

Expected results:
Successful login.

Additional info:
Unfortunately I'm not a domain admin so I have no control over password policies.  By default, passwords are set to expire +30 years from when they were last changed.  As a result, all passwords are currently set to expire sometime in 2040.

I will output from /var/log/security briefly
Comment 1 JYundt 2010-05-27 11:29:30 EDT
Created attachment 417287 [details]
snippet from /var/log/security

snippet from /var/log/security, key lines:

May 27 09:31:13 f13 sshd[2210]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1263492838, the policy says it should expire here 2209572838 (now it's: 1274967073))
May 27 10:07:17 f13 sshd[2257]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1273151701, the policy says it should expire here 2219231701 (now it's: 1274969237))
Comment 2 JYundt 2010-05-27 11:35:13 EDT
Created attachment 417288 [details]
All files from /etc/pam.d

All of my PAM files from /etc/pam.d

Debugging is still enabled.
Comment 3 JYundt 2010-05-27 11:42:35 EDT
Created attachment 417290 [details]
samba configuration file

I changed the domain/workgroup/realm names for privacy reasons.
Comment 4 Kazimieras Vaina 2010-06-19 09:28:19 EDT
I think it's relevant to this bug report. I just recently upgraded to F13. After an upgrade I was unable to login via GDM domain user. However, I was still able to login in text mode. I didn't test with ssh. My password was about to expire in 1 day. 

I found that  /lib/security/pam_winbind.so was crashing. I found related stack traces in /var/log/messages log:
Jun 19 14:01:13 emu gdm[15902]: ******************* START **********************************
Jun 19 14:01:13 emu gdm[15902]: [Thread debugging using libthread_db enabled]
Jun 19 14:01:13 emu gdm[15902]: 0x00924424 in __kernel_vsyscall ()
Jun 19 14:01:13 emu gdm[15902]: #0  0x00924424 in __kernel_vsyscall ()
Jun 19 14:01:13 emu gdm[15902]: #1  0x00fc8293 in __waitpid_nocancel () from /lib/libpthread.so.0
Jun 19 14:01:13 emu gdm[15902]: #2  0x08055b49 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: #3  0x08055c41 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: #4  <signal handler called>
Jun 19 14:01:13 emu gdm[15902]: #5  0x00924424 in __kernel_vsyscall ()
Jun 19 14:01:13 emu gdm[15902]: #6  0x003ebd31 in raise () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: #7  0x003ed60a in abort () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: #8  0x001b8264 in g_assertion_message () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: #9  0x0804f1bf in ?? ()
Jun 19 14:01:13 emu gdm[15902]: #10 0x00de2182 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #11 0x00de2347 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #12 0x00de3343 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #13 0x00de34e9 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #14 0x00de4f16 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #15 0x00de6627 in pam_sm_authenticate () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: #16 0x00c8641f in ?? () from /lib/libpam.so.0
Jun 19 14:01:13 emu gdm[15902]: #17 0x00c85c02 in pam_authenticate () from /lib/libpam.so.0
Jun 19 14:01:13 emu gdm[15902]: #18 0x0805198f in ?? ()
Jun 19 14:01:13 emu gdm[15902]: #19 0x0018e4e2 in ?? () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: #20 0x00190525 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: #21 0x00194268 in ?? () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: #22 0x001947af in g_main_loop_run () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: #23 0x0804beaf in ?? ()
Jun 19 14:01:13 emu gdm[15902]: #24 0x003d7cc6 in __libc_start_main () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: #25 0x0804bb91 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: 
Jun 19 14:01:13 emu gdm[15902]: Thread 1 (Thread 0xb78cb930 (LWP 15874)):
Jun 19 14:01:13 emu gdm[15902]: #0  0x00924424 in __kernel_vsyscall ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #1  0x00fc8293 in __waitpid_nocancel () from /lib/libpthread.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #2  0x08055b49 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #3  0x08055c41 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #4  <signal handler called>
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #5  0x00924424 in __kernel_vsyscall ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #6  0x003ebd31 in raise () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #7  0x003ed60a in abort () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #8  0x001b8264 in g_assertion_message () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #9  0x0804f1bf in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #10 0x00de2182 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #11 0x00de2347 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #12 0x00de3343 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #13 0x00de34e9 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #14 0x00de4f16 in ?? () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #15 0x00de6627 in pam_sm_authenticate () from /lib/security/pam_winbind.so
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #16 0x00c8641f in ?? () from /lib/libpam.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #17 0x00c85c02 in pam_authenticate () from /lib/libpam.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #18 0x0805198f in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #19 0x0018e4e2 in ?? () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #20 0x00190525 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #21 0x00194268 in ?? () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #22 0x001947af in g_main_loop_run () from /lib/libglib-2.0.so.0
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #23 0x0804beaf in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #24 0x003d7cc6 in __libc_start_main () from /lib/libc.so.6
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: #25 0x0804bb91 in ?? ()
Jun 19 14:01:13 emu gdm[15902]: No symbol table info available.
Jun 19 14:01:13 emu gdm[15902]: A debugging session is active.
Jun 19 14:01:13 emu gdm[15902]: 
Jun 19 14:01:13 emu gdm[15902]: #011Inferior 1 [process 15874] will be detached.
Jun 19 14:01:13 emu gdm[15902]: 
Jun 19 14:01:13 emu gdm[15902]: Quit anyway? (y or n) [answered Y; input not from terminal]
Jun 19 14:01:13 emu gdm[15902]: ******************* END **********************************

I was able to workaround this problem by downgrading samba* packages from F12 updates.
Comment 5 JYundt 2010-07-02 08:24:54 EDT
Still having the same issue with the following samba/winbind packages:

samba-common-3.5.4-62.fc13.i686
samba-winbind-3.5.4-62.fc13.i686
samba-winbind-clients-3.5.4-62.fc13.i686


Jul  2 08:23:01 f13 sshd[1676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user=1xxxx-acct\yundtj
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): [pamh: 0x163d0e8] ENTER: pam_sm_authenticate (flags: 0x0001)
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): getting password (0x00000211)
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): Verify user '1xxxx-acct\yundtj'
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): enabling cached login flag
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): user '1xxxx-acct\yundtj' granted access
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1263492838, the policy says it should expire here 2209572838 (now it's: 1278073381))
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:auth): [pamh: 0x163d0e8] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): [pamh: 0x163d0e8] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): user '1xxxx-acct\yundtj' needs new password
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:account): [pamh: 0x163d0e8] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD)
Jul  2 08:23:01 f13 sshd[1676]: Accepted password for 1xxxx-acct\\yundtj from 192.168.122.1 port 57981 ssh2
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] ENTER: pam_sm_setcred (flags: 0x0002)
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul  2 08:23:01 f13 sshd[1676]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul  2 08:23:01 f13 sshd[1676]: pam_unix(sshd:session): session opened for user 1xxxx-acct\yundtj by (uid=0)
Jul  2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] ENTER: pam_sm_setcred (flags: 0x0002)
Jul  2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
Jul  2 08:23:01 f13 sshd[1678]: pam_winbind(sshd:setcred): [pamh: 0x163d0e8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Jul  2 08:23:01 f13 passwd: pam_unix(passwd:chauthtok): user "1xxxx-ACCT\yundtj" does not exist in /etc/passwd
Jul  2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x8c990e0] ENTER: pam_sm_chauthtok (flags: 0x4000)
Jul  2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): username [1xxxx-ACCT\yundtj] obtained
Jul  2 08:23:01 f13 passwd: pam_winbind(passwd:chauthtok): getting password (0x00000023)
Comment 6 Kazimieras Vaina 2010-08-23 02:23:45 EDT
Works fine for me with samba version 3.5.4-63.
Comment 7 Fedora Admin XMLRPC Client 2010-10-08 10:43:24 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Kazimieras Vaina 2010-11-25 07:41:01 EST
Created attachment 462883 [details]
:0-slave.log

I reproduced this bug on F14. It only appears for me when GDM tries to display password expiration message. 
However I was able to login using text console.
After I changed password using the smbpasswd -r <passworkd server> -U <user name> I was able to login with GDM as well.
Comment 9 JYundt 2011-01-21 14:31:13 EST
I'm still having this issue in fedora 14 with the samba 3.5.6-71.  Trying to log in via ssh still prompts me to erroneously change my password.  Please let me know if logs, winbind configs or pam configs are needed from my F14 environment.
Comment 10 Fedora Update System 2011-03-11 07:02:46 EST
samba-3.5.8-74.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/samba-3.5.8-74.fc14
Comment 11 Fedora Update System 2011-03-19 06:30:16 EDT
samba-3.5.8-74.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.