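I ran into a problem where recently created users cannot log in, even though they have been added to the correct groups. Looking at the error log, I get these errors: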
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_the_user!
[2012/05/25 13:32:08.435697, 0] auth/pampass.c:586(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_the_user
[2012/05/25 13:32:08.435763, 0] auth/pampass.c:794(smb_pam_accountcheck)
The system I am running is a Debian stable machine with Samba 3.5.6.
Any ideas what might be causing this, or any way to get more information out of Samba (considering that "UNKNOWN PAM ERROR" is rather cryptic)?
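Edit: As discussed in the comments, I have added additional logging (log level 3). There is a lot more logging, but this is the part I found that looks like it might be interesting: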
[2012/05/25 15:28:13.682595, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [name_of_user] succeeded
[2012/05/25 15:28:13.682650, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.682696, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/05/25 15:28:13.682740, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.685803, 0] auth/pampass.c:586(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
[2012/05/25 15:28:13.685868, 2] auth/pampass.c:77(smb_pam_error_handler)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication token is no longer valid; new one required
[2012/05/25 15:28:13.685935, 0] auth/pampass.c:794(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_user!
[2012/05/25 15:28:13.686099, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.686174, 3] auth/auth.c:294(check_ntlm_password)
  check_ntlm_password: PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.686352, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.687912, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.687992, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2012/05/25 15:28:13.688098, 3] smbd/server.c:906(exit_server_common)
  Server exit (failed to receive smb request)
I have tried changing the password of the affected users, but it made no difference (the same problem is still reported).
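It turned out that the "shadowMax" attribute being set was causing the NT_STATUS_PASSWORD_MUST_CHANGE error. After removing that attribute from the LDAP objects of the specific users who had the problem, those users were able to log in.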
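As an added illustration (not code from the original posts), the following shows how a shadowMax value interacts with shadowLastChange to put an account into the "password must change" state, so that affected LDAP entries can be found before users are locked out. It assumes shadow(5) password-aging semantics; the sample entries are constructed and the function names are hypothetical.

```python
import datetime

# Constructed sample: four LDAP user entries (not taken from the page).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
shadowLastChange: 15000
shadowMax: 90

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
shadowLastChange: 15480

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
shadowLastChange: 0
shadowMax: 90

dn: uid=dave,ou=people,dc=example,dc=org
uid: dave
shadowLastChange: 15450
shadowMax: 90
"""

# Shadow fields count days since 1970-01-01; 2012-05-25 (the log date) is day 15485.
TODAY = (datetime.date(2012, 5, 25) - datetime.date(1970, 1, 1)).days

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith((" ", "#")))
        entries.append({attr.lower(): value.strip() for attr, value in pairs})
    return entries

def shadow_status(entry, today):
    """Classify one entry by shadow(5) password-aging rules (assumed semantics)."""
    last, max_age = entry.get("shadowlastchange"), entry.get("shadowmax")
    if last is not None and int(last) == 0:
        return "must_change"            # forced change at next login
    if max_age is None or int(max_age) < 0:
        return "ok"                     # no maximum age: password never expires
    if last is None:
        return "unknown"                # shadowMax set without shadowLastChange
    return "expired" if today - int(last) > int(max_age) else "ok"

def report(ldif_text, today=TODAY):
    return {e["uid"]: shadow_status(e, today) for e in parse_ldif(ldif_text)}
```

The reader skips folded and base64-encoded LDIF lines, which is enough for the numeric shadow attributes checked here.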
Looking at your error trace, it seems to indicate that these users' passwords have expired:
PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
PAM: Account Check Failed : Authentication token is no longer valid; new one required
PAM: Account Validation Failed - Rejecting User name_of_user!
PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
(SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE
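So, if users cannot change their passwords themselves, you may need to set a longer expiry time in the user and group policy manager, or disable password expiry entirely.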
(Are you using OpenLDAP or Active Directory to store your users?)
Are your users set to be required to change their password at first login? If the Samba PAM module doesn't support that, you may want to disable it.