pam_winbind - invalid return code and offline authentication.

Rodrigo Fernandez-Vizarra Rodrigo.Fernandez-Vizarra at Sun.COM
Mon Jun 13 14:46:31 GMT 2005


Hello,

I'm working on a project that requires that a Linux box can authenticate 
to a Windows system based on an Active Directory domain.

I'm using pam_winbind to authenticate the user. I'm using Samba 3.0.14.

Everything works right until the password of the user expires. At that 
moment pam_winbind returns an invalid PAM error code 
(PAM_AUTHTOK_EXPIRED) from pam_sm_authenticate().

As described in 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-3.html#ss3.2
PAM_AUTHTOK_EXPIRED is not a valid return code for this function. 
PAM_SUCCESS should be returned, and after that the expired password 
should be handled in the account management stage.

This means that the user will not be able to log in to the system. I didn't

I would like to know if this is done on purpose or if it's a bug.

I would also like to work on providing offline authentication in 
pam_winbind. The idea is that if the winbind daemon cannot contact the 
password server, a set of cached credentials will be used. Those 
credentials will be updated every time a user logs in successfully and 
they will be deleted if the account is disabled. This feature could be 
enabled/disabled using one argument in the pam line, something like:

auth required pam_winbind.so try_first_pass offline


What do you think about this feature? Is anyone already working on this? 
Would you accept a patch that implements this feature?

Finally, in order to improve the integration with the printing system, 
as using Kerberos tickets to print is now supported, I would also like 
to add a feature to pam_winbind to obtain a Kerberos ticket for the user 
if configured to do so. I know that this can be done with pam_krb5, but 
if you work in an offline environment, having two PAM modules trying to 
communicate with the password server will introduce a long delay in the 
login process.

The idea again is to have an extra parameter in the pam line to 
enable/disable this feature:

auth required pam_winbind.so try_first_pass offline aquire_ticket


Do you have any comments or suggestions?

Best regards,
Rodrigo
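
Added example (not code from the original post or from the Samba sources): a stand-alone C model of the pam_authenticate() / pam_acct_mgmt() sequence an application runs, contrasting the behaviour the post reports (expiry signalled from pam_sm_authenticate) with the split the PAM module guide prescribes. The account record, the two authenticate variants and the login_flow driver are constructed for the illustration; the return-code values follow Linux-PAM's numbering but are defined locally instead of including <security/pam_modules.h>.

```c
/* Stand-alone model of why returning PAM_AUTHTOK_EXPIRED from the auth
 * stage locks the user out, while deferring expiry to the account stage
 * lets the application go on to pam_chauthtok(). Constructed example. */
#include <stdbool.h>
#include <string.h>

/* Local stand-in for <security/pam_modules.h>; values as in Linux-PAM. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10,
       PAM_NEW_AUTHTOK_REQD = 12, PAM_AUTHTOK_EXPIRED = 27 };

struct account { const char *user, *password; bool password_expired; };

/* Constructed record standing in for what winbindd would report. */
static const struct account demo = { "alice", "s3cret", true };

/* Behaviour reported in the post: expiry is signalled from the auth stage. */
static int authenticate_reporting_expiry(const char *user, const char *pw) {
    if (strcmp(user, demo.user) != 0) return PAM_USER_UNKNOWN;
    if (strcmp(pw, demo.password) != 0) return PAM_AUTH_ERR;
    return demo.password_expired ? PAM_AUTHTOK_EXPIRED : PAM_SUCCESS;
}

/* What the module guide prescribes: the auth stage only checks the secret. */
static int authenticate_only(const char *user, const char *pw) {
    if (strcmp(user, demo.user) != 0) return PAM_USER_UNKNOWN;
    if (strcmp(pw, demo.password) != 0) return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}

/* Account-management stage: this is where an expired password belongs.
 * PAM_NEW_AUTHTOK_REQD tells the application to call pam_chauthtok(). */
static int acct_mgmt(const char *user) {
    if (strcmp(user, demo.user) != 0) return PAM_USER_UNKNOWN;
    return demo.password_expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Mimics the application side: pam_authenticate() first, and only on
 * PAM_SUCCESS does pam_acct_mgmt() run. Any other auth result aborts the
 * login, so a password-change prompt is never reached. */
static int login_flow(int (*auth)(const char *, const char *),
                      const char *user, const char *pw) {
    int rc = auth(user, pw);
    if (rc != PAM_SUCCESS) return rc;   /* login denied outright */
    return acct_mgmt(user);             /* expiry surfaces here instead */
}
```

With the demo record's password marked expired, login_flow() with authenticate_reporting_expiry yields PAM_AUTHTOK_EXPIRED and the login is simply refused, whereas authenticate_only reaches acct_mgmt() and yields PAM_NEW_AUTHTOK_REQD, which an application answers by prompting for a new password.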

