[Pkg-samba-maint] Bug#907318: pam-configs/winbind is erroneously handling account section.
Maurizio Cimaschi
mauri at unixrulez.org
Sun Aug 26 13:29:06 BST 2018
Package: libpam-winbind
Version: 2:4.5.12+dfsg-2+deb9u3
Dear package maintainer(s),
The "winbind" file has an issue so that the "account" part will never be
executed, because pam_unix usually returns success due to the presence of the
nss-winbind library.
Have a look at this fragment from the file:

    Account-Type: Primary
    Account:
        [success=end new_authtok_reqd=done default=ignore] pam_winbind.so

from: https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config

The pam-auth-config will put the winbind library immediately after the pam_unix
line in the "common-account" file. The pam_unix is configured so that its
success (which usually happens because the winbind nss library will make domain
users appear as local ones) will terminate the "Primary" section. So the
pam_winbind will (almost) never touch the ball.

See for example how this thing is sorted out in the sssd package:

    Account-Type: Additional
    Account:
        sufficient pam_localuser.so
        [default=bad success=ok user_unknown=ignore] pam_sss.so

from: https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update

Here the "additional" property will put the pam_sss at the end of the
"common-account" file, so it will be executed even if the pam_unix had
previously succeeded. Also interesting is the use of the pam_localuser
library to prevent unnecessary network lookups.
Regards.
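
The stack behaviour the report describes, as an added example that is not part of the original message or of the Debian packages: a simplified Python model of Linux-PAM control evaluation, run over two constructed common-account stacks. The jump counts, the stack contents and the module return values are assumptions made for illustration.

```python
import re
# Classic control words in bracket form (simplified subset of Linux-PAM).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
# Constructed common-account stacks (assumed layouts, not from a real system).
PRIMARY_LAYOUT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
"""
ADDITIONAL_LAYOUT = """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""
# Constructed results: a domain user whose directory account has expired.
EXPIRED_DOMAIN_USER = {
    "pam_unix.so": "success", "pam_localuser.so": "perm_denied",
    "pam_deny.so": "perm_denied", "pam_winbind.so": "acct_expired", "pam_sss.so": "acct_expired"}

def parse(text):
    """Turn 'account <control> <module>' lines into (actions, module) pairs."""
    stack = []
    for ctl, module in re.findall(r"^account\s+(\[.*?\]|\S+)\s+(\S+)", text, re.M):
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((actions, module))
    return stack

def run(stack, results):
    """Return (modules actually called, final verdict) for the given results."""
    called, verdict, i = [], None, 0
    while i < len(stack):
        actions, module = stack[i]
        called.append(module)
        ret = results.get(module, "success")  # unlisted modules: assume success
        action = actions.get(ret, actions.get("default", "ignore"))
        i += 1 + (int(action) if action.isdigit() else 0)  # numeric action: skip N modules
        if action in ("ok", "done") and verdict != "fail":
            verdict = "success"
        elif action in ("bad", "die"):
            verdict = "fail"
        if action == "die" or (action == "done" and verdict == "success"):
            break
    return called, verdict or "fail"
```

With these inputs, `run(parse(PRIMARY_LAYOUT), EXPIRED_DOMAIN_USER)` calls only pam_unix.so and pam_permit.so and returns success, while the Additional layout reaches pam_sss.so and fails.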