PAM-Winbind patch
Gabriel Buades Rubio
bbuades at dgtic.caib.es
Wed Sep 7 08:37:20 GMT 2005
Hello.
We are thinking about deploying some Debian machines in our corporate network.
To tightly couple current security infrastructure with Debian, we decided
to use pam_winbind as the choice for user authentication and
authorization.
The problem with the current pam-winbind module is how it handles expired
passwords. When a password is expired, authorization phase complains about
it. Instead it should return PAM_SUCCESS, and delay the
PAM_AUTHTOK_EXPIRED to the account one.
After four months of testing, we've released a patch to allow the user to
log on, even when it is expired or needs to be changed. When such a state
is returned from winbind, the pam module assumes the password is correct, but
the accounting pam invocation warns about the expired password, just as it is
supposed to do.
It has been successfully tested upon 3.0.14 version of samba, with login,
sudo, gdm and kdm. I've not been able to test it with squid, but it is
supposed to break nothing as long as squid does not handle pam
accounting. As a side effect, users with expired passwords will be able to
go through the squid proxy server.
We'll be glad to see this patch included in future samba versions.
Thank you very much.
Gabriel Buades Rubio
bbuades at dgtic.caib.es
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba.patch
Type: application/octet-stream
Size: 2718 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20050907/6b64b154/samba.obj
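
The behaviour described in the message, as an added example that is not part of the original post or of the attached patch: a small model of the auth and account phases showing which services still enforce expiry once the auth phase returns success for an expired password. The enum values and function names are hypothetical stand-ins for the PAM return codes and module entry points, and the password states are constructed.

```c
#include <stdio.h>

/* Stand-ins for the PAM return codes named in the message (model values,
   not the numeric values from the PAM headers). */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_AUTHTOK_EXPIRED };

/* Constructed password states as winbind might report them. */
enum pw_state { PW_VALID, PW_WRONG, PW_EXPIRED };

/* Auth phase. Unpatched (assumed): an expired password is reported here.
   Patched (as the message describes): expiry is treated as a correct
   password and left for the account phase. */
static enum rc auth_phase(enum pw_state s, int patched)
{
    if (s == PW_WRONG)   return RC_AUTH_ERR;
    if (s == PW_EXPIRED) return patched ? RC_SUCCESS : RC_AUTHTOK_EXPIRED;
    return RC_SUCCESS;
}

/* Account phase: the place where expiry is meant to be enforced. */
static enum rc account_phase(enum pw_state s)
{
    return s == PW_EXPIRED ? RC_AUTHTOK_EXPIRED : RC_SUCCESS;
}

/* A PAM-using service. calls_account = 0 models a service that only
   authenticates and never runs the account phase. Returns the code
   that decides access: RC_SUCCESS means the user is let in. */
enum rc service_decision(enum pw_state s, int patched, int calls_account)
{
    enum rc r = auth_phase(s, patched);
    if (r != RC_SUCCESS || !calls_account)
        return r;
    return account_phase(s);
}

int main(void)
{
    static const char *name[] = { "SUCCESS", "AUTH_ERR", "AUTHTOK_EXPIRED" };
    for (int patched = 0; patched <= 1; patched++)
        for (int acct = 0; acct <= 1; acct++)
            printf("patched=%d account_phase=%d expired -> %s\n", patched,
                   acct, name[service_decision(PW_EXPIRED, patched, acct)]);
    return 0;
}
```

The patched=1, account_phase=0 row corresponds to the squid case in the message: the decision is SUCCESS for an expired password, so any service that skips the account phase should be identified before such a change is rolled out.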