winbind and AD password updates

Hi!
I've been trying to get password changes to work from a SuSE machine to
an AD server. Authentication works fine in AD mode, so at least that bit
is correct.
When trying to change the password, I get PAM error 4 back. Checking in
the logs, I see that winbind fails with the error
NT_STATUS_PASSWORD_RESTRICTION.
From Microsoft's documentation, I can read that this means that there
is some password policy that's rejecting the new password. But I cannot
find any such policy on the server, so I'm wondering if this can be
caused by something else?
I'm also a bit confused as to how I can get NT error codes in AD mode.
Isn't it supposed to talk kerberos?
No.1
Hi,
On Mon, May 15, 2006 at 10:46:47AM +0200, Pierre wrote:
>Hi!
>I've been trying to get password changes to work from a SuSE machine to
>an AD server. Authentication works fine in AD mode, so at least that bit
>is correct.
>When trying to change the password, I get PAM error 4 back. Checking in
>the logs, I see that winbind fails with the error
>NT_STATUS_PASSWORD_RESTRICTION.
>From Microsoft's documentation, I can read that this means that there
>is some password policy that's rejecting the new password. But I cannot
>find any such policy on the server, so I'm wondering if this can be
>caused by something else?
No, there will be a default policy in place.
If you'd try a recent samba release for one of the SUSE products, the user
attempting to change a password would get delivered with the same amount
of information (explaining why the password change has failed) as you
would get on Windows XP.
Look for the 3.0.22 or 3.0.23pre1 download links on:
http://en.opensuse.org/Samba
>I'm also a bit confused as to how I can get NT error codes in AD mode.
>Isn't it supposed to talk kerberos?
No, as Windows workstations change a user password using MSRPC protocols
as well.
Guenther
No.2
On Monday 15 May 2006 10:46, Pierre wrote:
>I'm also a bit confused as to how I can get NT error codes in AD mode.
>Isn't it supposed to talk kerberos?
If you're using passwd and pam is configured to use winbind, you'll make
an MSRPC call.
Using kpassword, you should be able to change your password (but the default
password policies are applied).
But you'll have to set up the kerberos configuration correctly on your unix
computer.
Emmanuel
No.3
Guenther Deschner wrote:
>If you'd try a recent samba release for one of the SUSE products, the user
>attempting to change a password would get delivered with the same amount
>of information (explaining why the password change has failed) as you
>would get on Windows XP.
>Look for the 3.0.22 or 3.0.23pre1 download links on:
>http://en.opensuse.org/Samba
Thanks, that gave me some error messages. Unfortunately, they only make
me more confused. I get:
Your password must be at least 4 characters; cannot repeat any of the
your previous 0 passwords. Please type a different password. Type a
password which meets these requirements in both text boxes.
The password is 8 characters and I type new ones at random and still get
the same message. To make things more bizarre, I was able to change the
pass once (from an 8-char lower case to another 8-char lower case).
Ideas?
No.4
Pierre wrote:
>Guenther Deschner wrote:
>>
>>If you'd try a recent samba release for one of the SUSE products, the
>>user attempting to change a password would get delivered with the same
>>amount of information (explaining why the password change has failed) as
>>you would get on Windows XP.
>>
>>Look for the 3.0.22 or 3.0.23pre1 download links on:
>>http://en.opensuse.org/Samba
>>
>Thanks, that gave me some error messages. Unfortunately, they only make
>me more confused. I get:
More funkiness. Somewhere in pam_winbind (or something it calls),
exit_group(101) gets called, killing off my application. Known issue?
No.5
On Mon, May 15, 2006 at 03:36:27PM +0200, Pierre wrote:
>Guenther Deschner wrote:
>>
>>If you'd try a recent samba release for one of the SUSE products, the user
>>attempting to change a password would get delivered with the same amount
>>of information (explaining why the password change has failed) as you
>>would get on Windows XP.
>>
>>Look for the 3.0.22 or 3.0.23pre1 download links on:
>>http://en.opensuse.org/Samba
>>
>Thanks, that gave me some error messages. Unfortunately, they only make
>me more confused. I get:
>Your password must be at least 4 characters; cannot repeat any of the
>your previous 0 passwords. Please type a different password. Type a
>password which meets these requirements in both text boxes.
>The password is 8 characters and I type new ones at random and still get
>the same message. To make things more bizarre, I was able to change the
>pass once (from an 8-char lower case to another 8-char lower case).
Sounds like a minimum password age that is in effect. There is a fix for
that in subversion but not in any released samba version.
Guenther
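The minimum-password-age explanation in the reply above can be checked against the directory's own values. This is an added example, not part of the thread and not Samba code: given a user's pwdLastSet and the domain's minPwdAge attribute values as read from AD, it computes when the next change is permitted. The sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MICROSECOND = timedelta(microseconds=1)  # datetime resolution, 10 ticks


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count (int or LDAP string) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return ((moment - FILETIME_EPOCH) // MICROSECOND) * 10


def min_age(min_pwd_age):
    """minPwdAge is a negative tick interval; 0 disables the restriction."""
    return timedelta(microseconds=abs(int(min_pwd_age)) // 10)


def next_change_allowed(pwd_last_set, min_pwd_age):
    """Earliest moment the user may change the password again."""
    return filetime_to_datetime(pwd_last_set) + min_age(min_pwd_age)


def can_change(pwd_last_set, min_pwd_age, now):
    """True if a change attempted at `now` passes the minimum-age check."""
    return now >= next_change_allowed(pwd_last_set, min_pwd_age)


# Constructed sample values (not taken from the thread): the password was
# last changed at 13:00 UTC and the domain enforces a one-day minimum age.
LAST_CHANGE = datetime(2006, 5, 15, 13, 0, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = str(datetime_to_filetime(LAST_CHANGE))
SAMPLE_MIN_PWD_AGE = "-864000000000"  # one day in 100-ns ticks

if __name__ == "__main__":
    now = datetime(2006, 5, 15, 15, 36, tzinfo=timezone.utc)
    print("pwdLastSet :", filetime_to_datetime(SAMPLE_PWD_LAST_SET))
    print("next change:",
          next_change_allowed(SAMPLE_PWD_LAST_SET, SAMPLE_MIN_PWD_AGE))
    print("allowed now:",
          can_change(SAMPLE_PWD_LAST_SET, SAMPLE_MIN_PWD_AGE, now))
```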
No.6
On Mon, May 15, 2006 at 03:49:06PM +0200, Pierre wrote:
>Pierre wrote:
>>Guenther Deschner wrote:
>>>
>>>If you'd try a recent samba release for one of the SUSE products, the
>>>user attempting to change a password would get delivered with the same
>>>amount of information (explaining why the password change has failed) as
>>>you would get on Windows XP.
>>>
>>>Look for the 3.0.22 or 3.0.23pre1 download links on:
>>>http://en.opensuse.org/Samba
>>>
>>
>>Thanks, that gave me some error messages. Unfortunately, they only make
>>me more confused. I get:
>>
>More funkiness. Somewhere in pam_winbind (or something it calls),
>exit_group(101) gets called, killing off my application. Known issue?
No, there is no such call in winbindd or pam_winbind.
Guenther
No.7
Guenther Deschner wrote:
>On Mon, May 15, 2006 at 03:49:06PM +0200, Pierre wrote:
>>More funkiness. Somewhere in pam_winbind (or something it calls),
>>exit_group(101) gets called, killing off my application. Known issue?
>No, there is no such call in winbindd or pam_winbind.
Doing some gdb:ing, I got this backtrace:
#0 0x4005d146 in exit () from /lib/tls/libc.so.6
#1 0x080488f9 in ? ()
#2 0x00000065 in ? ()
#3 0x08048c23 in _I ()
#4 0x0804e180 in ? ()
#5 0x0804e180 in ? ()
#6 0x0804e245 in ? ()
#7 0x00000003 in ? ()
#8 0x00000003 in ? ()
#9 0x4002b8df in pam_get_item () from /lib/libpam.so.0
#10 0x400202d4 in _get_ntstatus_error_string ()
from /lib/security/pam_winbind.so
#11 0x40020329 in _get_ntstatus_error_string ()
from /lib/security/pam_winbind.so
#12 0x400203ac in _get_ntstatus_error_string ()
from /lib/security/pam_winbind.so
#13 0x4002247a in pam_sm_chauthtok () from /lib/security/pam_winbind.so
#14 0x4002cf1a in _pam_dispatch () from /lib/libpam.so.0
#15 0x4002f2a3 in pam_chauthtok () from /lib/libpam.so.0
#16 0x08048aa3 in ? ()
As libpam is the last offender, I probably should throw the ball their
way. But could you have a quick look to make sure you're in the clear
with regard to the samba functions in the backtrace?