[PATCH][BUG 12725] winbindd: Fix password policy for pam authentication

Andreas Schneider asn at samba.org
Mon Apr 3 07:58:45 UTC 2017


On Monday, 3 April 2017 00:20:37 CEST Stefan Metzmacher wrote:
> On 29.03.2017 at 19:01, Christof Schmitt via samba-technical wrote:
> > On Wed, Mar 29, 2017 at 10:11:21AM +0200, Andreas Schneider wrote:
> >> On Tuesday, 28 March 2017 23:09:51 CEST Christof Schmitt via
> >> samba-technical wrote:
> >>> From d993da727d8af96ba4717fbd18d261ce69db21d7 Mon Sep 17 00:00:00 2001
> >>> From: Christof Schmitt <cs at samba.org>
> >>> Date: Mon, 27 Mar 2017 15:11:08 -0700
> >>> Subject: [PATCH] winbindd: Fix password policy for pam authentication
> >>> 
> >>> Authenticating users from trusted domains would return the password
> >>> policy of the joined domain. Fix the code so that the password policy of
> >>> the joined domain is only returned for users from that domain.
> 
> I think it's wrong to look at the password policy at all.
> There are so many situations where the global password policy
> for the domain is not what applies to the user
> (newer Windows domains support fine-grained
> password policies).
> 
> The force_password_change value from the netr_SamBaseInfo is the
> effective value from the correct policy that applies to the user.
> We already look at pass_must_change_time (force_password_change)
> in pam_winbind before doing our own calculation (which can't be more
> correct) based on the domain password policy.
> 
> The following patch removes the only user of WBFLAG_PAM_GET_PWD_POLICY
> (within samba).
> I guess we should be able to remove the WBFLAG_PAM_GET_PWD_POLICY handling
> in winbindd too.
> 
> What is the use case you're trying to solve?
> Would my patch also solve the problem?
> 
> Comments please, I'm not sure yet if my change belongs to
> https://bugzilla.samba.org/show_bug.cgi?id=12725...
> 
> I didn't test this (besides making sure it compiles)...
> I think we really need to use pam_wrapper and add testcases for
> pam_winbind.

FYI: I've started to integrate pam_wrapper [1] in Samba [2] so we can write 
tests for pam_winbind soon.


	Andreas


[1] https://cwrap.org/pam_wrapper.html
[2] https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-pam_winbind

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
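
The point made in the quoted reply, that the per-user pass_must_change_time is the effective value and a calculation from the domain-wide policy can be wrong under fine-grained password policies, shown as an added example (not code from this thread or from pam_winbind). The struct, the function names, the 0-means-absent convention and the 30/90-day figures are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define DAY 86400
/* Hypothetical, simplified view of the timestamps a logon reply carries. */
struct logon_times {
    time_t pass_last_set_time;    /* when the password was last changed */
    time_t pass_must_change_time; /* effective expiry from the DC; 0 = absent (assumption) */
};
enum expiry_source { SRC_NONE, SRC_DC_EFFECTIVE, SRC_DOMAIN_POLICY };

/* Seconds until expiry (negative once expired). The DC-supplied value wins;
 * the domain-wide maximum age is only a fallback. False when neither applies. */
bool secs_until_expiry(const struct logon_times *lt, int64_t domain_max_age,
                       time_t now, int64_t *secs, enum expiry_source *src)
{
    if (lt->pass_must_change_time > 0) {
        *secs = (int64_t)lt->pass_must_change_time - (int64_t)now;
        *src = SRC_DC_EFFECTIVE;
        return true;
    }
    if (domain_max_age > 0 && lt->pass_last_set_time > 0) {
        *secs = (int64_t)lt->pass_last_set_time + domain_max_age - (int64_t)now;
        *src = SRC_DOMAIN_POLICY;
        return true;
    }
    *secs = 0; *src = SRC_NONE;
    return false;
}

/* Constructed case: 90-day domain policy, user under a 30-day fine-grained
 * policy, password set 25 days ago. Returns whole days left. */
int64_t demo_days_left(bool dc_value_present)
{
    time_t now = 1491206325; /* constructed timestamp */
    struct logon_times lt = { now - 25 * DAY,
                              dc_value_present ? now - 25 * DAY + 30 * DAY : 0 };
    int64_t secs;
    enum expiry_source src;
    secs_until_expiry(&lt, 90 * (int64_t)DAY, now, &secs, &src);
    return secs / DAY;
}

int main(void)
{
    printf("DC value: %lld days, domain policy only: %lld days\n",
           (long long)demo_days_left(true), (long long)demo_days_left(false));
    return 0;
}
```

With the DC-supplied value the user is warned 5 days before expiry; the domain-policy fallback would report 65 days for the same account.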


