I tried to reproduce the bug in Precise, with the latest updates (lightdm 1.1.9-0ubuntu1), and found this:
First of all, unity-greeter no longer has an entry to allow login for "other" users than local ones. Since winbind domain users are not listed in /etc/passwd, the only way to log in as such a user is to add them to this file manually, after having obtained the data with "getent passwd".
Then, if I try to login as a domain user with the default PAM configuration set up by the various PAM modules, I obtain this:
1 - ******** (first enter expired password);
2 - "You need to change your password now"
"Enter new Unix password" --> ******** (new password)
3 - "Retype new Unix password" --> ******** (new password)
4 - (login performed, but NT password is not changed)
5 - Subsequent logins are allowed with old NT expired password
(without asking to change it) or with new Unix password
[In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
... ]
If I reverse the order of pam_unix.so and pam_winbind.so, I obtain this:
1 - ******** (first enter expired password);
2 - "You need to change your password now"
"(current) NT password" --> ******** (expired password)
3 - "Enter new Unix password" --> ******** (new password)
4 - "Retype new Unix password" --> ******** (new password)
5 - "Invalid password, please try again"
[ In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_winbind.so use_authtok
password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass
... ]
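To see why the order of pam_unix.so and pam_winbind.so in common-password changes which module actually gets to change the password, here is a small simulator of the Linux-PAM control-flag logic ([success=N default=ignore], required, requisite, sufficient, optional) run over the two stacks quoted above. This is an added example for the discussion, not code from lightdm, Linux-PAM or Samba. The trailing pam_deny.so/pam_permit.so lines are an assumption about what the elided "..." contains (the usual Debian common-password tail), and module outcomes are supplied by hand, so it models one pass through the stack and nothing about the real password change.

```python
"""Simulate a PAM 'password' stack to see which modules actually get called.

Added illustration for the bug comment above; not code from the lightdm,
Linux-PAM or Samba projects. The two stacks are the ones quoted in the
comment; the pam_deny/pam_permit tail is an ASSUMPTION about what the "..."
elides. Module outcomes are supplied by hand, so only the control-flag logic
of a single pass through the stack is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_STACK = """
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""

REVERSED_STACK = """
password [success=2 default=ignore] pam_winbind.so use_authtok
password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""

# Keyword controls expressed as the [ret=action] tables they are shorthand for.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    actions: Dict[str, str]   # module return value -> action (ok, bad, die, done, ignore, N)
    module: str
    args: Tuple[str, ...]


def parse_stack(text: str) -> List[Entry]:
    """Parse 'password <control> <module> [args...]' lines into Entry objects."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] != "password":
            continue
        parts = parts[1:]
        if parts[0].startswith("["):
            # A bracketed control spans several tokens: [success=2 default=ignore]
            toks = []
            while parts:
                toks.append(parts.pop(0))
                if toks[-1].endswith("]"):
                    break
            actions = dict(kv.split("=", 1) for kv in " ".join(toks).strip("[]").split())
        else:
            actions = SIMPLE_CONTROLS[parts.pop(0)]
        module = parts.pop(0)
        entries.append(Entry(actions, module, tuple(parts)))
    return entries


def run_stack(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack once. results maps module name -> 'success' or 'fail'.

    Returns (overall result, list of modules that were actually invoked).
    A numeric action 'success=N' behaves like 'ok' and then skips the next
    N modules, which is how Linux-PAM documents jumps.
    """
    called: List[str] = []
    status = None            # None = no result recorded yet
    i = 0
    while i < len(entries):
        e = entries[i]
        ret = results.get(e.module, "fail")
        called.append(e.module)
        action = e.actions.get(ret, e.actions.get("default", "bad"))
        skip = 0
        if action.isdigit():
            skip, action = int(action), "ok"
        if action == "ok":
            if status != "fail":          # a recorded failure is sticky
                status = ret
        elif action == "bad":
            status = "fail"
        elif action == "die":
            return "fail", called
        elif action == "done":
            if status != "fail":
                return "success", called
        # 'ignore' (and 'done' after an earlier failure) leaves status alone
        i += 1 + skip
    return (status or "fail"), called


def simulate(stack_text: str, outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run a stack with hand-chosen outcomes for pam_unix/pam_winbind."""
    results = {"pam_deny.so": "fail", "pam_permit.so": "success"}
    results.update(outcomes)
    return run_stack(parse_stack(stack_text), results)


if __name__ == "__main__":
    # Default order: once pam_unix succeeds, success=2 jumps over pam_winbind
    # and pam_deny, so winbind is never asked to change the NT password.
    print(simulate(DEFAULT_STACK, {"pam_unix.so": "success", "pam_winbind.so": "fail"}))
    # Reversed order: a pam_winbind failure is ignored and pam_unix still runs.
    print(simulate(REVERSED_STACK, {"pam_winbind.so": "fail", "pam_unix.so": "success"}))
    # Reversed order, winbind succeeds: pam_unix is skipped instead.
    print(simulate(REVERSED_STACK, {"pam_winbind.so": "success", "pam_unix.so": "success"}))
```

With the default ordering the simulation calls only pam_unix.so and pam_permit.so: a pam_unix success jumps straight past pam_winbind, which is consistent with the observation above that the login goes through while the NT password stays unchanged. Reversing the two lines makes pam_winbind the module whose success decides whether pam_unix is consulted at all. Real chauthtok runs the stack twice (a preliminary check pass and an update pass) and use_authtok/try_first_pass govern which token each module sees; neither is modelled here.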