Winbind/Expired password

Материал из ALT Linux Wiki

Настройка и отладка реакции на устаревание пароля пользователя в Active Directory для машины, введённой в Active Directory через winbind.

Проверка устаревания пароля на сервере

Выставляем дату в прошлом на контроллере домена:

date -s 20231201
# samba-tool user create ex_test4
New Password: 
Retype Password: 
User 'ex_test4' added successfully

Создаём и применяем PSO для пользователя:

# samba-tool domain passwordsettings pso create 1day_expired 1 --max-pwd-age=2 --min-pwd-age=1
Not all password policy options have been specified.
For unspecified options, the current domain password settings will be used as the default values.
PSO successfully created: CN=1day_expired,CN=Password Settings Container,CN=System,DC=test,DC=alt
Password information for PSO '1day_expired'

Precedence (lowest is best): 1
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 1
Minimum password age (days): 1
Maximum password age (days): 2
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
# samba-tool domain passwordsettings pso apply 1day_expired ex_test4
PSO '1day_expired' applied to 'ex_test4'

Проверяем дату устаревания пароля для пользователя ex_test4:

# rpcclient -c "lookupnames ex_test4" -P c253.test.alt | sed 's/^.*-\([0-9]\+\) .*$/\1/'
1233
# rpcclient -c "queryuser 1233" -P c253.test.alt | grep -E 'User Name|Password must change Time'
        User Name   :   ex_test4
        Password must change Time:      Вс, 03 дек 2023 16:11:12 MSK

Возвращаем актуальную дату:

ntpdate pool.ntp.org

Проверка среды

В качестве примера используется система Альт Рабочая станция 10.1, полностью обновлённая на 26 января 2024 года.

Установка:

apt-get install task-auth-ad-winbind

Проверка версии пакета:

# rpm -q samba-winbind
samba-winbind-4.17.12-alt4.x86_64
Внимание! Полноценная смена пароля при устаревании доступна с samba-winbind-4.17.


Ввод в домен через winbind

# system-auth write ad test.alt host-209 test Administrator 'Pa$$word' --winbind --gpo
Using short domain name -- TEST
Joined 'HOST-209' to dns domain 'test.alt'

Настройка pam_winbind

. shell-ini-config
export shell_ini_config_prefix=
ini_config_set /etc/security/pam_winbind.conf global debug yes
ini_config_set /etc/security/pam_winbind.conf global silent no
ini_config_set /etc/security/pam_winbind.conf global pwd_change_prompt yes

Проверка содержимого файла:

# grep '^[a-z\[]' /etc/security/pam_winbind.conf
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = KEYRING
silent = no
debug = yes
pwd_change_prompt = yes

После ввода в домен и изменения файла перезагрузите компьютер.

Порядок смены пароля в lightdm

После ввода имени доменного пользователя и его текущего домена ему будет предложено заменить пароль, указав повторно текущий пароль:

Winbind-password-expiration-1.png

Затем дважды укажите новый пароль. Он не должен совпадать с последними паролями этого пользователя.

Winbind-password-expiration-2.png

Winbind-password-expiration-3.png

Журнал входа

# journalctl -g pam_winbind | cut -f4- -d:
-- Boot aca50047241941a795b4743e27407d72 --
 pam_winbind(lightdm:auth): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_authenticate (flags: 0x0000)
 pam_winbind(lightdm:auth): getting password (0x00010381)
 pam_winbind(lightdm:auth): Verify user 'ex_test4'
 pam_winbind(lightdm:auth): CONFIG file: krb5_ccache_type 'KEYRING'
 pam_winbind(lightdm:auth): enabling krb5 login flag
 pam_winbind(lightdm:auth): enabling cached login flag
 pam_winbind(lightdm:auth): enabling request for a KEYRING krb5 ccache
 pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: The user account password has expired.
 pam_winbind(lightdm:auth): user 'ex_test4' password expired
 pam_winbind(lightdm:auth): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
 pam_winbind(lightdm:account): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
 pam_winbind(lightdm:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
 pam_winbind(lightdm:account): user 'ex_test4' needs new password
 pam_winbind(lightdm:account): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD)
 pam_winbind(lightdm:chauthtok): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_chauthtok (flags: 0x4020)
 pam_winbind(lightdm:chauthtok): username [ex_test4] obtained
 pam_winbind(lightdm:chauthtok): getting password (0x000101a1)
 pam_winbind(lightdm:chauthtok): enabling krb5 login flag
 pam_winbind(lightdm:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: The user account password has expired.
 pam_winbind(lightdm:chauthtok): user 'ex_test4' password expired
 pam_winbind(lightdm:chauthtok): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
 pam_winbind(lightdm:chauthtok): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_chauthtok (flags: 0x2020)
 pam_winbind(lightdm:chauthtok): username [ex_test4] obtained
 pam_winbind(lightdm:chauthtok): getting password (0x00010181)
 pam_winbind(lightdm:chauthtok): request wbcChangeUserPasswordEx succeeded
 pam_winbind(lightdm:chauthtok): user 'ex_test4' OK
 pam_winbind(lightdm:chauthtok): user 'ex_test4' password changed
 pam_winbind(lightdm:chauthtok): CONFIG file: krb5_ccache_type 'KEYRING'
 pam_winbind(lightdm:chauthtok): enabling krb5 login flag
 pam_winbind(lightdm:chauthtok): enabling cached login flag
 pam_winbind(lightdm:chauthtok): enabling request for a KEYRING krb5 ccache
 pam_winbind(lightdm:chauthtok): request wbcLogonUser succeeded
 pam_winbind(lightdm:chauthtok): user 'ex_test4' granted access
 pam_winbind(lightdm:chauthtok): Returned user was 'ex_test4'
 pam_winbind(lightdm:chauthtok): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
 pam_winbind(lightdm:setcred): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_setcred (flags: 0x0002)
 pam_winbind(lightdm:setcred): PAM_ESTABLISH_CRED not implemented
 pam_winbind(lightdm:setcred): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
 pam_winbind(lightdm:session): [pamh: 0x55b8cfc0db80] ENTER: pam_sm_open_session (flags: 0x0000)
 pam_winbind(lightdm:session): [pamh: 0x55b8cfc0db80] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)