[Pkg-samba-maint] Bug#858923: Proposing a new "try_authtok" option in pam password modules

[Mathieu Parent]

Dear PAM maintainers,

There are two similar bugs:
- in libpam-ldap: https://bugs.debian.org/858923 (and
https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/329067).
- in libpam-winbind: https://bugs.debian.org/858923 (and
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944).

Steve proposed to change pam_unix to always ask a password, another
solution would be a new "try_authtok" option which "Set the new
password to the one provided by the previously stacked password module
if available or ask the user for the new password".

See a work-in-progress patch (0001) for libpam-winbind attached (I'll
send it to samba-technical once tested).

What do you think?

-- 
Mathieu Parent
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-pam_winbind-Use-the-new-try_authtok-option-allowing-.patch
Type: text/x-patch
Size: 977 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20180413/c61c11df/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-nsswitch-Add-try_authok-option-to-pam_winbind.patch
Type: text/x-patch
Size: 3924 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20180413/c61c11df/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-nsswitch-Add-try_authok-option-to-pam_winbind.patch
Type: text/x-patch
Size: 2639 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20180413/c61c11df/attachment-0002.bin>