
I'm having a problem where users which recently were created are unable to log in, even though they have been added to the correct groups. When viewing the error logs, I'm getting these errors:

  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_the_user!
[2012/05/25 13:32:08.435697,  0] auth/pampass.c:586(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_the_user
[2012/05/25 13:32:08.435763,  0] auth/pampass.c:794(smb_pam_accountcheck)

The system I'm running is a Debian stable machine with Samba 3.5.6.

Any idea what might be causing this, or any way of getting more information out of Samba (considering that "UNKNOWN PAM ERROR" is rather cryptic)?

Edit: As discussed in the comment, I've added additional logs (log level 3). There were lots more logged, though this is what I found which looked like it could be interesting:

[2012/05/25 15:28:13.682595,  3] auth/auth.c:265(check_ntlm_password)
 check_ntlm_password: sam authentication for user [name_of_user] succeeded
[2012/05/25 15:28:13.682650,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.682696,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/05/25 15:28:13.682740,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/05/25 15:28:13.685803,  0] auth/pampass.c:586(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
[2012/05/25 15:28:13.685868,  2] auth/pampass.c:77(smb_pam_error_handler)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication token is no longer valid; new one required
[2012/05/25 15:28:13.685935,  0] auth/pampass.c:794(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User name_of_user!
[2012/05/25 15:28:13.686099,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.686174,  3] auth/auth.c:294(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.686352,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE
[2012/05/25 15:28:13.687912,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/25 15:28:13.687992,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to 
[2012/05/25 15:28:13.688098,  3] smbd/server.c:906(exit_server_common)
  Server exit (failed to receive smb request)

I've tried changing the password of the user with the issue, but that didn't make any difference (the same issue is still reported).

ALander

2 Answers


Turns out the "shadowMax" attribute being set was causing the NT_STATUS_PASSWORD_MUST_CHANGE error. By removing the mentioned attribute from the LDAP objects of the specific users having the problem, those users were able to log in.

ALander

Looking at your error trace, it seems to indicate that these users' passwords have expired:

PAM: UNKNOWN PAM ERROR (12) during Account Management for User: name_of_user
PAM: Account Check Failed : Authentication token is no longer valid; new one required
PAM: Account Validation Failed - Rejecting User name_of_user!
PAM Account for user [name_of_user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
(SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE

Hence, you probably want to set a longer expiry in the Users & group policy manager, or disable the password expiry altogether if your users cannot change their passwords themselves.

(Are you using OpenLDAP or an Active Directory for storing the users?)

Are your users set to require a password change on first login? You might want to disable that if the Samba PAM module does not support it.

Tom
Using OpenLDAP as the backend and trying to mount it from a Linux workstation. The "Users & group policy manager" sounds rather AD related, so that shouldn't apply here. Worth mentioning is that I have, as mentioned, tried to change the password of the user, and the "sambaPwdMustChange" attribute of the LDAP user is set to a timestamp in the future. – ALander May 28 '12 at 05:41
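A worked model of the check behind both answers, added here as an example (not code from the question, the answers or Samba): how pam_unix turns shadowLastChange/shadowMax into PAM error 12 (PAM_NEW_AUTHTOK_REQD, the "Authentication token is no longer valid" message in the log), and why dropping shadowMax clears it while sambaPwdMustChange plays no part in this PAM check. The rules follow Linux-PAM's pam_unix shadow expiry check as I read it; treating an attribute that is missing from the LDAP entry as -1 (unset) is an assumption about the NSS shadow map, and every user entry below is constructed.

```python
from datetime import date

# PAM return codes from Linux-PAM; 12 is the "UNKNOWN PAM ERROR (12)" in the Samba log.
PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED, PAM_AUTHTOK_EXPIRED = 0, 12, 13, 27
PAM_TEXT = {0: "ok", 12: "Authentication token is no longer valid; new one required",
            13: "account expired", 27: "password expired past the inactivity window"}

def days_since_epoch(d: date) -> int:
    """Shadow attributes count days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def shadow_account_check(entry: dict, today: int) -> int:
    """Status pam_unix's account check would return for one shadowAccount entry.
    `entry` maps shadow attribute names to ints; `today` is days since the epoch."""
    lstchg = entry.get("shadowLastChange", -1)   # assumption: missing attribute == -1
    sp_max = entry.get("shadowMax", -1)
    inact = entry.get("shadowInactive", -1)
    expire = entry.get("shadowExpire", -1)
    if expire != -1 and today >= expire:
        return PAM_ACCT_EXPIRED
    if lstchg == 0:                                # "change password at first login" marker
        return PAM_NEW_AUTHTOK_REQD
    if today < lstchg:                             # change date in the future: aging ignored
        return PAM_SUCCESS
    age = today - lstchg
    if sp_max != -1 and inact != -1 and age > sp_max + inact:
        return PAM_AUTHTOK_EXPIRED
    if sp_max != -1 and age > sp_max:              # shadowMax set and exceeded -> error 12
        return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS

def audit(users: dict, today: int) -> dict:
    """Map each uid to the PAM status its shadow attributes produce today."""
    return {uid: shadow_account_check(attrs, today) for uid, attrs in users.items()}

# Constructed entries. "broken_user" is the reported case: shadowMax on a freshly
# created entry with no shadowLastChange; "fixed_user" is the same entry after removal.
TODAY = days_since_epoch(date(2012, 5, 25))
SAMPLE_USERS = {
    "broken_user": {"shadowMax": 90},
    "fixed_user": {},
    "fresh_user": {"shadowMax": 90, "shadowLastChange": TODAY - 10},
    "stale_user": {"shadowMax": 90, "shadowLastChange": TODAY - 120},
    "locked_out": {"shadowMax": 90, "shadowInactive": 7, "shadowLastChange": TODAY - 120},
}

if __name__ == "__main__":
    for uid, status in audit(SAMPLE_USERS, TODAY).items():
        print(f"{uid:12s} -> {status:2d} {PAM_TEXT[status]}")
```

Running the same function over real entries (via ldapsearch output converted to the dict form above) shows which users will be rejected before they ever hit the Samba log.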