[root@host-209 pam.d]# wbinfo -a 'newbie%Pa$$word'
plaintext password authentication failed
Could not authenticate user newbie%Pa$$word with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(TEST\newbie): error code was NT_STATUS_ACCOUNT_EXPIRED (0xc0000193, authoritative=1)
error message was: The user account has expired.
Could not authenticate user newbie with challenge/response

# grep auth.*pam_winbind.so system-auth-winbind-only
auth required pam_winbind.so krb5_auth pwd_change_prompt debug

сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): Verify user 'newbie'
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): CONFIG file: krb5_ccache_type 'KEYRING'
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling krb5 login flag
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling cached login flag
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling request for a KEYRING krb5 ccache
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'newbie')
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] LEAVE: pam_sm_authenticate returning 11 (PAM_MAXTRIES)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_SERVICE) = "lightdm" (0x555766212480)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_USER) = "newbie" (0x555766219d50)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_TTY) = ":0" (0x55576621e7e0)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_AUTHTOK) = 0x55576623f150
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_CONV) = 0x555766219d70

As can be seen, instead of PAM_ACCT_EXPIRED and a password change dialog, the PAM stack returns PAM_MAXTRIES. This happens even if the user had logged in successfully before.
wbcCtxLogonUser returns error 11 instead of 27 (PAM_AUTHTOK_EXPIRED).
Fixed in samba-winbind-clients-4.17.12-alt2