--with-pam questions...

Toomas Soome tsoome at ut.ee
Mon May 14 22:21:10 GMT 2001

On Tue, 15 May 2001, Andrew Bartlett wrote:

> Toomas Soome wrote:
> >
> > at first - PAM_NEW_AUTHTOK_REQD response is handled as default, why not
> > like PAM_AUTHTOK_EXPIRED? fix:
> because it should be handled with NT_STATUS_PASSWORD_MUST_CHANGE, see
> below:

yeah, this came into my head after pressing the send button :) anyway, then
the right code should be used :)

> > another problem -- am I correct that NT_STATUS_PASSWORD_EXPIRED will cause
> > login to be denied? I had a chance to try smbclient, but not any other
> > client... if so, how bad an idea is it to enable logins with
> > NT_STATUS_PASSWORD_EXPIRED (with smb.conf option?)?
> >
> Yes, anything but NT_STATUS_NOPROBLEMO will cause the login to be
> denied.  But if NT_STATUS_PASSWORD_MUST_CHANGE is sent to NT during a
> domain logon, NT will prompt the user to change their password there and
> then.
> I really don't see the point allowing logins when the password is
> expired.  If you want to do things like that, configure the PAM module,
> or just don't use PAM.  We do however need to ensure that we don't lock
> out the resulting password change...  (And that's the ONLY thing that we

that's a good question. currently, all password changes via samba are done
as root, right? this is because we do not have an old password. well,
this is not exactly a good solution regarding secure rpc secret keys
etc... so, until I have enough time to implement "store" for old
passwords, we have blocked password changes from windows systems and we
allow this from unix systems only.

of course, I can always patch samba as I like to, but I suspect, this kind
of feature may be useful for other people as well.

we are still using pam account test to check account expirations etc (we
have had it since 2.0.6, as a matter of fact), so take it all or leave it
all is not really an option:) -- at least not until all fields from
smbpasswd or sam password tables are fully functional.

The heaviest object in the world is the
body of the woman you have ceased to love.
		-- Marquis de Lac de Clapiers Vauvenargues
