Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2343: pam_winbind core dumps with "expiring passwords"

12 April,16 at 11:09 AM

Applies to: All versions of Centrify DirectControl-enabled Samba.
 
Question:
 
Using a small wrapper program in C, it is noticed pam_winbind.so (or libpam.so) will core dump/segfault under the following circumstances:
 
1) When the user's account password is about to expire, but has not actually expired. It's in the period where the warnings are issued.
 
2) The host is a RHEL 6.2 server, which is joined to a Windows AD, and is a domain member.
 
3) The password expiry timeout is coming from the Microsoft AD Group policies.
 
4) When using pam_winbind.so to perform the authentication and also filtering using the "require_membership_of" to filter to specific AD groups, for services on the host.  
 
5) If the user's password is changed, the problem instantly goes away, but it re-appears when the account password is going to expire again. 
 
Below is the gdb output from running the test program, with the PAM service file (see below)
 
Program received signal SIGSEGV, Segmentation fault.
0x0013d521 in pam_sm_authenticate () from /lib/security/pam_winbind.so
(gdb) bt
#0  0x0013d521 in pam_sm_authenticate () from /lib/security/pam_winbind.so
#1  0x00ba543f in ?? () from /lib/libpam.so.0
#2  0x00ba4c22 in pam_authenticate () from /lib/libpam.so.0
#3  0x08048770 in main (argc=3, argv=0xbffff0d4) at main.c:44
(gdb)
 
Service file/etc/pam.d/test contains:
 
auth        required      pam_env.so debug
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet debug
auth        sufficient    pam_winbind.so use_first_pass warn_pwd_expire=0 require_membership_of=S-1-5-21-1550212391-918360395-1544898942-18827 debug
auth        required      pam_deny.so debug
 
Using the 'warn_pwd_expire=0'  seems to force the core dump. If this is left out, the following message appears: 
 
"Your password will expire in 10 days. erroneous conversation (5)"
 
Is there any reason?

 
Answer:
 
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the winbind daemon. Since Centrify is NOT in the PAM stack, it is suggested to post the same in Samba forums. And it was verified stock Samba will experience the same with above scenarios. 
 
Following samba's Bugzilla fixed the bug "password expiration in pam_winbind which wasn't getting handled correctly from Active Directory".
 
https://bugzilla.samba.org/show_bug.cgi?id=6253 
(Link provided as a courtesy)

Related Articles

 articleKB-1634: How to analyze core dump using GDB / DBX / MDB debugger articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-0188: SSH login dumps core with f-secure articleKB-11068: Direct Audit and Direct Control Core Dump Files are Generated When an Older Version of glibc is Used