[Pkg-samba-maint] [Bug 9056] New: warn_pwd_expire partly implemented

Fri Jul 20 00:16:16 UTC 2012

https://bugzilla.samba.org/show_bug.cgi?id=9056

           Summary: warn_pwd_expire partly implemented
           Product: Samba 3.6
           Version: 3.6.6
          Platform: All
               URL: http://bugs.debian.org
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Winbind
        AssignedTo: obnox at samba.org
        ReportedBy: bubulle at debian.org
         QAContact: samba-qa at samba.org
                CC: pkg-samba-maint at lists.alioth.debian.org


>From our user in Debian (Paolo Larcheri <paolo.larcheri at gmail.com>):

According to PAM_WINBIND(8) warn_pwd_expire should define the number
of days before pam_winbind starts to warn about passwords that are going
to expire. Defaults to 14 days.

I found out this option has been only partially implemented and using it leads
to the following in /var/log/auth.log:
pam_winbind(sshd:auth): pam_parse: unknown option: warn_pwd_expire=0
and the following in /var/log/messages:
sshd[2485]: segfault at 0 ip b6ffcb11 sp bf9749b0 error 4 in
pam_winbind.so[b6ff7000+e000]

Module segfaults and user does not get autheticated.

I managed to make it work with this:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -494,6 +494,9 @@ config_from_pam:
             ctrl |= WINBIND_CACHED_LOGIN;
         else if (!strcasecmp(*v, "mkhomedir"))
             ctrl |= WINBIND_MKHOMEDIR;
+        else if (!strncasecmp(*v, "warn_pwd_expire",
+                      strlen("warn_pwd_expire")))
+            ctrl |= WINBIND_WARN_PWD_EXPIRE;
         else {
             __pam_log(pamh, ctrl, LOG_ERR,
                  "pam_parse: unknown option: %s", *v);


What is more the module turned out not to accept 0 as value even if it's
supposed to be a valid value (at least considering how this parameter is used):
if ((next_change < 0) ||
    (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
            return false;
 }

I got it working by simply allowing 0 as value:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -2363,7 +2363,7 @@ static int get_warn_pwd_expire_from_conf
     ret = get_config_item_int(ctx, "warn_pwd_expire",
                   WINBIND_WARN_PWD_EXPIRE);
     /* no or broken setting */
-    if (ret <= 0) {
+    if (ret < 0) {
         return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
     }
     return ret;

I have also checked upstream code and latest 3.6.6 tarball in facts
is affected.

Kind Regards (and thanks for existing)

-- 
Paolo Larcheri
Linux User   #383461
https://linuxcounter.net

-- 
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

