PAM-Winbind patch

Gabriel Buades Rubio bbuades at
Wed Sep 7 08:37:20 GMT 2005


We are thinking about deploying some Debian machines in our corporate network. 
To tightly couple the current security infrastructure with Debian, we decided 
to use pam_winbind as the choice for user authentication and 

The problem with the current pam-winbind module is how it handles expired 
passwords. When a password is expired, the authorization phase complains about 
it. Instead it should return PAM_SUCCESS, and delay the 
PAM_AUTHTOK_EXPIRED to the account one.

After four months of testing, we've released a patch to allow the user to 
log on, even when it is expired or needs to be changed. When such a state 
is returned from winbind, the PAM module assumes the password is correct, but 
the accounting PAM invocation warns about the expired password, just as it is 
supposed to do. 

It has been successfully tested with version 3.0.14 of Samba, with login, 
sudo, gdm and kdm. I've not been able to test it with squid, but it is 
supposed to break nothing as long as squid does not handle PAM 
accounting. As a side effect, users with an expired password will be able to 
go through the squid proxy server.

We'll be glad to see this patch included in future samba versions.

Thank you very much.
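
The phase split described in this post, as an added example that is not part of the original message or of the patch: a small C model of an auth phase that defers expiry to the account phase, run against a service that calls the account phase and one that does not. The return-code names follow the post; the `wb_state` values, the `session` flag and all function names are hypothetical, and the enum values are local to the model rather than libpam's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model return codes; names follow PAM, values are local to this example. */
enum rc { PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHTOK_EXPIRED };

/* Constructed stand-in for the password state winbind reports. */
enum wb_state { WB_OK, WB_BAD_PASSWORD, WB_PASSWORD_EXPIRED };

/* Per-login state shared by the two phases (hypothetical; how the real
   patch carries this state is not shown in the post). */
struct session { bool expired; };

/* Auth phase. patched == false: expiry is reported here, as the post says
   the current module does. patched == true: expiry is remembered and
   PAM_SUCCESS is returned. */
static enum rc model_auth(struct session *s, enum wb_state w, bool patched)
{
    s->expired = false;
    if (w == WB_BAD_PASSWORD) return PAM_AUTH_ERR;
    if (w == WB_PASSWORD_EXPIRED) {
        if (!patched) return PAM_AUTHTOK_EXPIRED;
        s->expired = true;
    }
    return PAM_SUCCESS;
}

/* Account phase: the only place the patched model reports expiry. */
static enum rc model_acct(const struct session *s)
{
    return s->expired ? PAM_AUTHTOK_EXPIRED : PAM_SUCCESS;
}

/* A service's login decision. runs_acct == false models an application
   that never calls the account phase. Returns the final code. */
static enum rc service_login(enum wb_state w, bool patched, bool runs_acct)
{
    struct session s;
    enum rc r = model_auth(&s, w, patched);
    if (r == PAM_SUCCESS && runs_acct) r = model_acct(&s);
    return r;
}

int main(void)
{
    printf("patched, acct run:       %d\n", service_login(WB_PASSWORD_EXPIRED, true, true));
    printf("patched, acct skipped:   %d\n", service_login(WB_PASSWORD_EXPIRED, true, false));
    printf("unpatched, acct skipped: %d\n", service_login(WB_PASSWORD_EXPIRED, false, false));
    return 0;
}
```

In the model, only the service that runs the account phase sees the expired state once the auth phase defers it, which is the side effect the post notes for squid.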

