PAM-Winbind patch

Andrew Bartlett abartlet at
Sat Sep 10 11:12:25 GMT 2005

On Wed, 2005-09-07 at 10:37 +0200, Gabriel Buades Rubio wrote:
> Hello.
> We are thinking about deploying some Debian machines in our corporate network.
> To tightly couple current security infrastructure with Debian, we decided
> to use pam_winbind as the choice for user authentication and
> authorization.
> The problem with current pam-winbind module is how it handles expired
> passwords. When a password is expired, authorization phase complains about
> it. Instead it should return PAM_SUCCESS, and delay the
> PAM_AUTHTOK_EXPIRED to the account one.

I still wonder if this should be broadened to other 'account' errors.

> After four months of testing, we've released a patch to allow the user to
> log on, even when it is expired or needs to be changed. When such a state
> is returned from winbind, pam module assumes the password is correct, but
> the accounting pam invocation warns about expired password, just as it is
> supposed to do.
> It has been successfully tested upon 3.0.14 version of samba, with login,
> sudo, gdm and kdm. I've not been able to test it with squid, but it is
> supposed to break nothing as long as squid does not handle pam
> accounting. As a side effect, users with expired passwords will be able to
> go through the squid proxy server.
> We'll be glad to see this patch included in future samba versions.

Have you put the patch in bugzilla? It will help Jerry track it, so it
can be put in the next version.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
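
Added example, not part of the original message or of the pam_winbind patch: a self-contained C model of the behaviour discussed in the thread, where the auth phase succeeds on a correct but expired password and the expiry is reported by the account phase, so a service that never runs the account phase admits the user. The result codes, structs and function names are stand-ins invented for this model (a real module uses the constants from the PAM headers), and the account data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in result codes for this model, not the values from the PAM headers. */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_AUTHTOK_EXPIRED };

/* Constructed directory entry, as the backend (winbind in the thread) would see it. */
struct account { const char *user; const char *password; int expired; };

/* Per-login state, standing in for data a module keeps between phases. */
struct session { enum rc deferred; };

/* Backend check: a correct password on an expired account reports expiry. */
static enum rc backend_check(const struct account *a, const char *pw) {
    if (strcmp(a->password, pw) != 0) return RC_AUTH_ERR;
    return a->expired ? RC_AUTHTOK_EXPIRED : RC_SUCCESS;
}

/* Auth phase as described in the thread: expiry is recorded, the phase succeeds. */
enum rc auth_phase(struct session *s, const struct account *a, const char *pw) {
    enum rc r = backend_check(a, pw);
    s->deferred = RC_SUCCESS;
    if (r == RC_AUTHTOK_EXPIRED) { s->deferred = r; return RC_SUCCESS; }
    return r;
}

/* Account phase: returns whatever the auth phase deferred. */
enum rc account_phase(const struct session *s) { return s->deferred; }

/* Final status a service sees; calls_account = 0 models a service that
 * authenticates but never runs the account phase. */
enum rc service_result(const struct account *a, const char *pw, int calls_account) {
    struct session s;
    enum rc r = auth_phase(&s, a, pw);
    if (r != RC_SUCCESS) return r;
    return calls_account ? account_phase(&s) : RC_SUCCESS;
}

int main(void) {
    struct account alice = { "alice", "constructed-pw", 1 };  /* expired */
    printf("%s, auth+account: %d\n", alice.user,
           service_result(&alice, "constructed-pw", 1));
    printf("%s, auth only:    %d\n", alice.user,
           service_result(&alice, "constructed-pw", 0));
    return 0;
}
```

In this model the auth-only service returns success for the expired account, so any service placed behind such a module needs its account phase confirmed before expiry enforcement can be relied on.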