--with-pam questions...

Andrew Bartlett abartlet at pcug.org.au
Mon May 14 22:04:39 GMT 2001


Toomas Soome wrote:
> 
> At first: the PAM_NEW_AUTHTOK_REQD response is handled as default, why not
> like PAM_AUTHTOK_EXPIRED? Fix:

because it should be handled with NT_STATUS_PASSWORD_MUST_CHANGE, see
below:

> 
> Index: pampass.c
> ===================================================================
> RCS file: /cvsroot/samba/source/passdb/pampass.c,v
> retrieving revision 1.1.2.25
> diff -u -r1.1.2.25 pampass.c
> --- pampass.c   9 May 2001 21:14:42 -0000       1.1.2.25
> +++ pampass.c   14 May 2001 18:16:42 -0000
> @@ -445,6 +445,7 @@
>         DEBUG(4,("smb_pam_account: PAM: Account Management for User:
> %s\n", user));
>         pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account
> enabled? */
>         switch( pam_error ) {
> +               case PAM_NEW_AUTHTOK_REQD:
>                 case PAM_AUTHTOK_EXPIRED:
>                         DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
>                         nt_status = NT_STATUS_PASSWORD_EXPIRED;
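Review bot: falling through into the PAM_AUTHTOK_EXPIRED branch makes PAM_NEW_AUTHTOK_REQD return NT_STATUS_PASSWORD_EXPIRED and log "password is expired", which is the wrong status for this case: the reply below points out that it should map to NT_STATUS_PASSWORD_MUST_CHANGE, the status NT acts on by prompting the user to change the password during a domain logon, whereas NT_STATUS_PASSWORD_EXPIRED simply denies the login. Suggest giving PAM_NEW_AUTHTOK_REQD its own case with its own DEBUG message and `nt_status = NT_STATUS_PASSWORD_MUST_CHANGE;` rather than sharing the expired branch.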
> 
> Another problem -- am I correct that NT_STATUS_PASSWORD_EXPIRED will cause
> login to be denied? I had a chance to try smbclient, but not any other
> client... if so, how bad an idea is it to enable logins with
> NT_STATUS_PASSWORD_EXPIRED (with an smb.conf option?)?
> 

Yes, anything but NT_STATUS_NOPROBLEMO will cause the login to be
denied.  But if NT_STATUS_PASSWORD_MUST_CHANGE is sent to NT during a
domain logon, NT will prompt the user to change their password there and
then.

I really don't see the point of allowing logins when the password is
expired.  If you want to do things like that, configure the PAM module,
or just don't use PAM.  We do however need to ensure that we don't lock
out the resulting password change...  (And that's the ONLY thing that we
don't lock out).

Other than that, see my patch at
http://samba.org/samba-patches?findid=407 for an attempt to handle all
the PAM errors correctly.  (I'll need to finish the missing constants
sometime, but this catches all the ones we do already, plus a few more).

Andrew Bartlett
-- 
Andrew Bartlett
abartlet at pcug.org.au
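The distinction drawn in this thread, as an added example in C that is not code from the message or from Samba's pampass.c: the pam_acct_mgmt() result is mapped to an NT status, with PAM_NEW_AUTHTOK_REQD kept apart from PAM_AUTHTOK_EXPIRED, and a gate then admits only a clean logon or the one password-change request that must not be locked out. The PAM and NT constants are defined locally so the example builds without libpam (values follow Linux-PAM and the NT status definitions); the mapping of the remaining PAM codes is an assumption for illustration, not Samba's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Linux-PAM return codes, defined here so the example builds without libpam. */
#define PAM_SUCCESS           0
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_ACCT_EXPIRED     13
#define PAM_AUTHTOK_EXPIRED  27

/* NT status values as sent back to the SMB client. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                   0x00000000u
#define NT_STATUS_LOGON_FAILURE        0xC000006Du
#define NT_STATUS_PASSWORD_EXPIRED     0xC0000071u
#define NT_STATUS_ACCOUNT_EXPIRED      0xC0000193u
#define NT_STATUS_PASSWORD_MUST_CHANGE 0xC0000224u

/* Map a pam_acct_mgmt() result to the NT status the server returns.
 * PAM_NEW_AUTHTOK_REQD ("valid, but must change the password now") gets
 * NT_STATUS_PASSWORD_MUST_CHANGE so an NT client can open its
 * change-password dialog; PAM_AUTHTOK_EXPIRED stays a plain refusal.
 * The ACCT_EXPIRED and default rows are an assumed mapping for illustration. */
NTSTATUS pam_acct_to_ntstatus(int pam_error)
{
    switch (pam_error) {
    case PAM_SUCCESS:          return NT_STATUS_OK;
    case PAM_NEW_AUTHTOK_REQD: return NT_STATUS_PASSWORD_MUST_CHANGE;
    case PAM_AUTHTOK_EXPIRED:  return NT_STATUS_PASSWORD_EXPIRED;
    case PAM_ACCT_EXPIRED:     return NT_STATUS_ACCOUNT_EXPIRED;
    default:                   return NT_STATUS_LOGON_FAILURE;
    }
}

/* Anything but NT_STATUS_OK denies the logon. The single exception is the
 * password-change request that follows NT_STATUS_PASSWORD_MUST_CHANGE. */
bool operation_allowed(NTSTATUS status, bool is_password_change)
{
    if (status == NT_STATUS_OK)
        return true;
    return status == NT_STATUS_PASSWORD_MUST_CHANGE && is_password_change;
}

int main(void)
{
    NTSTATUS s = pam_acct_to_ntstatus(PAM_NEW_AUTHTOK_REQD);
    printf("status 0x%08X: logon %s, password change %s\n", s,
           operation_allowed(s, false) ? "allowed" : "denied",
           operation_allowed(s, true) ? "allowed" : "denied");
    return 0;
}
```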