[Pkg-samba-maint] Bug#858923: libpam-winbind: Cannot change password via passwd (pam) in default config

Matthew Gabeler-Lee cheetah at fastcat.org
Tue May 9 21:13:29 UTC 2017

Package: libpam-winbind
Version: 2:4.5.8+dfsg-1
Followup-For: Bug #858923

The common recommendation for how to fix this issue, as long as you don't
have too much else in the way of "interesting" module stacking, is to remove
use_authtok from the pam_winbind entry.

But that will get clobbered the next time pam-auth-update gets run AFAICT.

So I thought the next best solution would be to edit
/usr/share/pam-configs/winbind to change the template entry for winbind. 
But that's not a conf file, so it too will get clobbered, this time on
package upgrade.

Making /usr/share/pam-configs/winbind a conffile would at least allow
reasonable sysadmin workarounds.

While others disagree, I'd go so far as to say that removing use_authtok
should be the default, as the simple PAM configs are going to be vastly more
common than the complex stacking ones that might be adversely affected by

Another way around this I guess might be to have a special PAM module that's
not part of the normal stack whose sole purpose is to force the prompt for
the new password to happen, and then make all the "real" modules use
use_authtok, including pam_unix.  That's a more complex and invasive change,

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-winbind depends on:
ii  dpkg            1.18.23
ii  libbsd0         0.8.3-1
ii  libc6           2.24-10
ii  libpam-runtime  1.1.8-3.5
ii  libpam0g        1.1.8-3.5
ii  libtalloc2      2.1.8-1
ii  libwbclient0    2:4.5.8+dfsg-1
ii  samba-common    2:4.5.8+dfsg-1
ii  samba-libs      2:4.5.8+dfsg-1
ii  winbind         2:4.5.8+dfsg-1

libpam-winbind recommends no packages.

Versions of packages libpam-winbind suggests:
ii  libnss-winbind  2:4.5.8+dfsg-1

-- no debconf information
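
A check that could be run after pam-auth-update or a package upgrade to see whether use_authtok has reappeared on the pam_winbind password entry. This is an added example, not part of the original message or of the Debian packaging; the sample stacks are constructed and the function names are hypothetical. It only lists earlier password modules that lack use_authtok; it does not decide whether they would actually prompt for a given user.

```python
import re

# Constructed samples (not taken from the bug report): a password stack as the
# workaround leaves it, and the same stack after the option has been restored.
WORKAROUND = """\
# constructed /etc/pam.d/common-password
password  [success=2 default=ignore]  pam_unix.so obscure sha512
password  [success=1 default=ignore]  pam_winbind.so try_first_pass
password  requisite                   pam_deny.so
"""
REGENERATED = WORKAROUND.replace("pam_winbind.so try_first_pass",
                                 "pam_winbind.so use_authtok \\\n    try_first_pass")

# type, control (plain word or [bracketed] form), module path, arguments
LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
                  r"(?P<module>\S+)\s*(?P<args>.*)$")

def password_stack(text):
    """Yield (lineno, module, args) for each 'password' entry, in stack order."""
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = n
        logical += raw
        if logical.endswith("\\"):          # PAM line continuation
            logical = logical[:-1] + " "
            continue
        line, logical = logical.split("#", 1)[0].strip(), ""
        m = LINE.match(line)
        if m and m["type"] == "password":
            yield start, m["module"].rsplit("/", 1)[-1], m["args"].split()

def winbind_use_authtok(text):
    """Report pam_winbind password entries that still carry use_authtok."""
    findings, earlier = [], []
    for lineno, module, args in password_stack(text):
        if module == "pam_winbind.so" and "use_authtok" in args:
            findings.append({"line": lineno,
                             "earlier_without_use_authtok": list(earlier)})
        if "use_authtok" not in args:
            earlier.append(module)
    return findings

if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND), ("regenerated", REGENERATED)):
        print(name, winbind_use_authtok(text))
```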
