Samba4/winbind passwd issues

[jethro]

I am very new to FreeBSD but not new to *nix. I am trying to set up winbind/Active Directory integration with my FreeBSD 9.1 install and everything is working other than passwd. I can change passwords for user accounts with kpasswd but if a user account has an expired password they are unable to log in without the removal of the password expired flag.

Here is was happens when a user with an expired password tries to log in via SSH.

login as: bbunny
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
You need to change your password now
Old Password:
Access denied
Using keyboard-interactive authentication.

Or via the login command from another user:

$ login bbunny
Password:
You need to change your password now
Old Password:
Login incorrect

If I remove the expire I am able to log in but I am unable to run passwd.

$ passwd
passwd: Sorry, `passwd' can only change passwords for local or NIS users.

kpasswd works correctly and I have no issues that I have seen with anything other than passwd.

FreeBSD 9.1
Samba 4.0.7

The DC is on the box that I am using. This is a test before deploying AD integration to more computers on my LAN.

Any help would be appreciated.

 

[igorino]

A user with an expired password should change it, that's the normal behaviour. After changing the password the user still cannot login or can he? Maybe you just want to change the password expire time (something like samba-tool setexpiry <username> --noexpiry), don't you?

 

[jethro]

I could set the passwords to not expire at all. And at the moment that is how it is configured. However normal behavior to my knowledge should be that it asks you to set a new password and that password should not be the same as your old password. When an entire account is marked expired or disabled it should not allow the user to log in but just a password expiration should be able to resolved without an admin unlocking the account.

The issue I believe lies with the way passwd is configured. I did find one forum on a website with the same issue (I don't have the link on hand) but they resolved the issue by editing passwd.c and recompiling passwd. Many other tutorials for other *nix's state that it should work out of the box once PAM is correctly configured.

Again thanks for the help.

I have pam_winbind.so symlinked in /usr/lib rather than pointing to /usr/local/lib.

/etc/pam.d/system

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_winbind.so          try_first_pass
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass n                                                                                        ullok

# account
#account        required        pam_krb5.so
account         sufficient      pam_winbind.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

/etc/pam.d/passwd

# password
#password       requisite       pam_passwdqc.so         enforce=users
password        sufficient      pam_winbind.so
password        required        pam_unix.so             no_warn try_first_pass nullok