pam_winbind - invalid return code and offline authentication.
Rodrigo.Fernandez-Vizarra at Sun.COM
Mon Jun 13 14:46:31 GMT 2005
I'm working on a project that requires that a Linux box can authenticate
to a Windows system based on an Active Directory domain.
I'm using pam_winbind to authenticate the user. I'm using samba 3.0.14.
Everything works right until a user's password expires. At that
moment pam_winbind returns an invalid PAM error code
(PAM_AUTHTOK_EXPIRED) in pam_sm_authenticate().
As described in
PAM_AUTHTOK_EXPIRED is not a valid return code for this function.
PAM_SUCCESS should be returned, and after that the expired password
should be handled in the account management.
This means that the user will not be able to log in to the system. I didn't
I would like to know if this is done on purpose or if it's a bug.
I would also like to work on providing offline authentication in
pam_winbind. The idea is that if the winbind daemon cannot contact the
password server, a set of cached credentials will be used. Those
credentials will be updated every time a user successfully logs in and
they will be deleted if the account is disabled. This feature could be
enabled/disabled using one argument in the PAM line, something like:
auth required pam_winbind.so try_first_pass offline
What do you think about this feature? Is anyone already working on this?
Will you accept a patch that implements this feature?
Finally, in order to improve the integration with the printing system,
as it is now supported to use Kerberos tickets to print, I would also like
to add a feature to pam_winbind to obtain a Kerberos ticket for the user
if configured to do so. I know that this can be done with pam_krb5, but
if you work in an offline environment, having two PAM modules trying to
communicate with the password server will introduce a long delay in the
The idea again is to have an extra parameter in the PAM line to
enable/disable this feature:
auth required pam_winbind.so try_first_pass offline aquire_ticket
Do you have any comments or suggestions?
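The two behaviours discussed in the post, reporting password expiry from account management rather than from pam_sm_authenticate(), and an offline credential cache that is refreshed on every successful login and dropped when the account is disabled, sketched as an added Python example. This is not pam_winbind's or Samba's code: the directory, the cache and the OfflineAwareModule class are constructed stand-ins, and the PAM result names mirror libpam's constants but are plain strings here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# PAM result names, mirroring libpam's constants (plain strings here, not the real values).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"


class ServerUnreachable(Exception):
    """Raised by the constructed directory when the password server cannot be contacted."""


@dataclass
class DirectoryAccount:
    password: str
    password_expired: bool = False
    disabled: bool = False


class FakeDirectory:
    """Constructed stand-in for the password server that winbindd would talk to."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.online = True

    def check(self, user, password):
        if not self.online:
            raise ServerUnreachable(user)
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
            return None
        return acct


@dataclass
class CachedCredential:
    salt: bytes
    verifier: bytes
    password_expired: bool


class OfflineCache:
    """One salted PBKDF2 verifier per user; the plaintext password is never stored."""

    ITERATIONS = 100_000

    def __init__(self):
        self.entries = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def store(self, user, password, password_expired):
        salt = os.urandom(16)
        self.entries[user] = CachedCredential(salt, self._derive(password, salt), password_expired)

    def verify(self, user, password):
        entry = self.entries.get(user)
        if entry is None or not hmac.compare_digest(entry.verifier, self._derive(password, entry.salt)):
            return None
        return entry

    def forget(self, user):
        self.entries.pop(user, None)


class OfflineAwareModule:
    """Hypothetical module modelled on the proposal; offline=True stands for the 'offline' option."""

    def __init__(self, directory, cache, offline=False):
        self.directory = directory
        self.cache = cache
        self.offline = offline
        self._expired = {}  # per-user expiry flag carried from authentication to account management

    def authenticate(self, user, password):
        """Counterpart of pam_sm_authenticate(): says only whether the password was right."""
        try:
            acct = self.directory.check(user, password)
        except ServerUnreachable:
            if not self.offline:
                return PAM_AUTHINFO_UNAVAIL
            entry = self.cache.verify(user, password)
            if entry is None:
                return PAM_AUTH_ERR
            self._expired[user] = entry.password_expired
            return PAM_SUCCESS
        if acct is None:
            return PAM_AUTH_ERR
        if acct.disabled:
            self.cache.forget(user)  # a disabled account must not keep working offline
            return PAM_AUTH_ERR
        self.cache.store(user, password, acct.password_expired)  # refreshed on every successful login
        self._expired[user] = acct.password_expired
        return PAM_SUCCESS

    def acct_mgmt(self, user):
        """Counterpart of pam_sm_acct_mgmt(): the place where an expired password is reported."""
        if self._expired.get(user):
            return PAM_NEW_AUTHTOK_REQD
        return PAM_SUCCESS
```

An expired password therefore still yields PAM_SUCCESS from authenticate() and PAM_NEW_AUTHTOK_REQD from acct_mgmt(), whether the verdict came from the directory or from the cache; with offline=False an unreachable server yields PAM_AUTHINFO_UNAVAIL instead of a cached answer.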