[Pkg-samba-maint] Bug#907318: pam-configs/winbind is erroneously handling account section.
mauri at unixrulez.org
Sun Aug 26 13:29:06 BST 2018
Dear package maintainer(s),
the "winbind" file has an issue so that the "account" part will never be
executed because the pam_unix usually returns success due to the presence of the
Have a look at this fragment from the file:
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
The pam-auth-config will put the winbind library immediately after the pam_unix
line in the "common-account" file. The pam_unix is configured so that its
success (which usually happens because the winbind nss library will make domain
users appear as local ones) will terminate the "Primary" section. So the
pam_winbind will (almost) never touch the ball.
See for example how this thing is sorted out in the sssd package:
[default=bad success=ok user_unknown=ignore] pam_sss.so
Here the "additional" property will put the pam_sss at the end of the
"common-account" file, so it will be executed even if the pam_unix had
previously succeeded. The use of the pam_localuser library to prevent
unnecessary network lookups is also interesting.
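
The behaviour reported above, as an added example that is not part of the original message or of the samba/sssd packaging: a simplified Python model of PAM control evaluation run over two constructed `common-account` layouts. The pam_unix, pam_deny and pam_permit lines, the jump counts standing in for "end", the "sufficient" control on pam_localuser and the expired-account result are assumptions.

```python
# Simplified model of how libpam walks one stack (illustration only).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(text):
    """Turn 'required' or '[success=1 default=ignore]' into a result->action map."""
    if text in KEYWORDS:
        return KEYWORDS[text]
    return dict(pair.split("=") for pair in text.strip("[]").split())

def run_stack(stack, results):
    """Return (verdict, modules_that_ran) for the given constructed module results."""
    ran, ok, failed, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        ran.append(module)
        rules = parse_control(control)
        action = rules.get(results[module], rules.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)              # jump: skip the next N modules
        elif action in ("ok", "done"):
            ok = True
        elif action in ("bad", "die"):
            failed = True                 # "ignore" changes nothing
        if action == "die" or (action == "done" and not failed):
            break
    return ("permit" if ok and not failed else "deny"), ran

# Constructed renderings of common-account. Assumption: "success=end" becomes
# a jump over the rest of the Primary block, as the message describes.
TAIL = [("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
WINBIND_PRIMARY = [
    ("[success=2 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("[success=1 new_authtok_reqd=done default=ignore]", "pam_winbind.so"),
] + TAIL
SSSD_ADDITIONAL = [
    ("[success=1 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
] + TAIL + [
    ("sufficient", "pam_localuser.so"),   # assumed control for pam_localuser
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
]
# Constructed case: a domain user whose directory account is expired.
RESULTS = {"pam_unix.so": "success", "pam_winbind.so": "acct_expired",
           "pam_sss.so": "acct_expired", "pam_localuser.so": "perm_denied",
           "pam_deny.so": "perm_denied", "pam_permit.so": "success"}
```

`run_stack(WINBIND_PRIMARY, RESULTS)` permits the user without ever calling pam_winbind, while `run_stack(SSSD_ADDITIONAL, RESULTS)` reaches pam_sss and denies.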