[Pkg-samba-maint] Bug#907318: pam-configs/winbind is erroneously handling account section.

Maurizio Cimaschi mauri at unixrulez.org
Sun Aug 26 13:29:06 BST 2018

Package: libpam-winbind
Version: 2:4.5.12+dfsg-2+deb9u3

Dear package maintainer(s),
the "winbind" file has an issue so that the "account" part will never be
executed because the pam_unix usually returns success due to the presence of the
nss-winbind library.

Have a look at this fragment from the file:

Account-Type: Primary
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so

from: https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config

The pam-auth-config will put the winbind library immediately after the pam_unix
line in the "common-account" file. The pam_unix is configured so that its
success (which usually happens because the winbind nss library will make domain
users appear as local ones) will terminate the "Primary" section. So the
pam_winbind will (almost) never touch the ball.

See for example how this thing is sorted out in the sssd package:

Account-Type: Additional
	sufficient			pam_localuser.so
	[default=bad success=ok user_unknown=ignore]	pam_sss.so

from: https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update

Here the "additional" property will put the pam_sss at the end of the
"common-account" file, so it will be executed even if the pam_unix had
previously succeeded. Also interesting is the use of the pam_localuser
library to prevent unnecessary network lookups.
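
Added example, not part of the original report or of either package: a small Python model of PAM control-flow that lists which account modules are actually invoked, so the skipped pam_winbind check can be seen directly. Both stacks are constructed; they assume pam-auth-update rewrites "success=end" into a jump count, and the ADDITIONAL stack is a hypothetical layout that applies the sssd-style controls to pam_winbind.

```python
import re

# Keyword controls and their bracket equivalents, per pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
LINE = re.compile(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed stacks: assumed pam-auth-update output, with "success=end"
# rewritten to a jump count that skips the rest of the Primary block.
PRIMARY = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
"""
# Hypothetical layout: pam_winbind moved to an Additional block, sssd-style.
ADDITIONAL = """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
"""

def invoked(stack_text, results=None):
    """Modules actually called; results maps module -> return value
    (default "success"). Models call order only, not the final verdict."""
    results, called, failed = results or {}, [], False
    stack = [m.groups() for m in map(LINE.match, stack_text.split("\n")) if m]
    i = 0
    while i < len(stack):
        control, module = stack[i]
        spec = control.strip("[]") if control[0] == "[" else KEYWORDS[control]
        actions = dict(kv.split("=") for kv in spec.split())
        called.append(module)
        ret = results.get(module, "success")
        action = actions.get(ret, actions["default"])
        failed = failed or action in ("bad", "die")
        if action == "die" or (action == "done" and not failed):
            break  # stack terminates at this module
        i += 1 + (int(action) if action.isdigit() else 0)  # N skips N modules
    return called

if __name__ == "__main__":
    print("primary:   ", invoked(PRIMARY))
    print("additional:", invoked(ADDITIONAL, {"pam_localuser.so": "perm_denied"}))
```

With pam_unix succeeding, the Primary layout never reaches pam_winbind, while the Additional layout calls it for any user that pam_localuser does not find locally.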

