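I've run into a problem where recently created users cannot log in, even though they have been added to the correct groups. Looking at the error log, I get the following errors: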
[2012/05/25 13:32:08.435697, 0] auth/pampass.c:586(smb_pam_account)
smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_the_user
[2012/05/25 13:32:08.435763, 0] auth/pampass.c:794(smb_pam_accountcheck)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_the_user!
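The system I'm running is a Debian stable machine with Samba 3.5.6.
Any idea what is causing this, or is there a way to get more information out of Samba (given that "UNKNOWN PAM ERROR" is rather cryptic)?
Edit: As mentioned in the comments, I have added further logs (log level 3). A lot more was logged, but these are the parts I found that look like they might be interesting: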
[2012/05/25 15:28:13.682595, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [name_of_user] succeeded
[2012/05/25 15:28:13.682650, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.682696, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/05/25 15:28:13.682740, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.685803, 0] auth/pampass.c:586(smb_pam_account)
smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
[2012/05/25 15:28:13.685868, 2] auth/pampass.c:77(smb_pam_error_handler)
smb_pam_error_handler: PAM: Account Check Failed : Authentication token is no longer valid; new one required
[2012/05/25 15:28:13.685935, 0] auth/pampass.c:794(smb_pam_accountcheck)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_user!
[2012/05/25 15:28:13.686099, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.686174, 3] auth/auth.c:294(check_ntlm_password)
check_ntlm_password: PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.686352, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.687912, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.687992, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2012/05/25 15:28:13.688098, 3] smbd/server.c:906(exit_server_common)
Server exit (failed to receive smb request)
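I tried changing the password of a user who has this problem, but nothing changed (the same problem is still reported).
Answer 1
It turned out that a set "shadowMax" attribute was causing the NT_STATUS_PASSWORD_MUST_CHANGE error. After removing that attribute from the LDAP objects of the specific users who had the problem, those users could log in.
Answer 2
Looking at your error trace, it seems to indicate that the passwords of these users have expired: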
PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
PAM: Account Check Failed : Authentication token is no longer valid; new one required
PAM: Account Validation Failed - Rejecting User name_of_user!
PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
(SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE
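So you may want to set a longer validity period in your user and group policy manager, or disable password expiry altogether if users cannot change their passwords themselves.
(Are you using OpenLDAP or Active Directory to store your users?)
Are your users set to be required to change their password at first login? If the Samba PAM module does not support this, you may need to disable that feature.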
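The password-aging rule behind Answer 1's shadowMax fix and Answer 2's expiry reading, as an added example that is not part of the original posts: a Python check that flags LDAP entries whose shadowLastChange plus shadowMax lies in the past. It assumes the PAM account check follows the shadow(5) aging rule; the LDIF users and values are constructed, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample LDIF (hypothetical users and values, not taken from the page).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
shadowLastChange: 15400
shadowMax: 30

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
shadowLastChange: 15400

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
shadowLastChange: 0
shadowMax: 99999
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry (single-valued attributes, no folding or base64)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key.lower()] = value.strip()
        if entry:
            yield entry

def password_state(entry, today):
    """Apply the shadow(5) aging rule (assumed here) to one entry; today is a date."""
    now = (today - date(1970, 1, 1)).days      # shadow fields count days since the epoch
    last = entry.get("shadowlastchange")
    maximum = entry.get("shadowmax")
    if last is not None and int(last) == 0:
        return "must-change"                   # 0 forces a change at the next login
    if last is None or maximum is None or int(maximum) < 0:
        return "ok"                            # no maximum age set: aging is off
    return "expired" if now > int(last) + int(maximum) else "ok"

def audit(ldif_text, today):
    return {e["uid"]: password_state(e, today) for e in parse_ldif(ldif_text) if "uid" in e}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, date(2012, 5, 25)))
```

Feeding it the output of an LDAP export of the affected users shows which accounts carry an aging window that has already closed, and an entry without shadowMax reports "ok", matching the fix in Answer 1.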