[Pkg-samba-maint] Bug#907318: Bug#907318: pam-configs/winbind is erroneously handling account section.

Mathieu Parent math.parent at gmail.com
Thu Jan 17 21:52:59 GMT 2019

On Sun, 26 Aug 2018 at 14:39, Maurizio Cimaschi <mauri at unixrulez.org> wrote:
> Package: libpam-winbind
> Version: 2:4.5.12+dfsg-2+deb9u3
> Dear package maintainer(s),
>
> the "winbind" file has an issue so that the "account" part will never be
> executed because the pam_unix usually returns success due to the presence of the
> nss-winbind library.
> Have a look at this fragment from the file:
> Account-Type: Primary
> Account:
>         [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
> from: https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config
> The pam-auth-config will put the winbind library immediately after the pam_unix
> line in the "common-account" file. The pam_unix is configured so that its
> success (which usually happens because the winbind nss library will make domain
> users appear as local ones) will terminate the "Primary" section. So the
> pam_winbind will (almost) never touch the ball.
> See for example how this thing is sorted out in the sssd package:
> Account-Type: Additional
> Account:
>         sufficient                      pam_localuser.so
>         [default=bad success=ok user_unknown=ignore]    pam_sss.so
> from: https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update
> Here the "additional" property will put the pam_sss at the end of the
> "common-account" file, so it will be executed even if the pam_unix had
> previously succeeded. It is also interesting the use of the pam_localuser
> library to prevent unnecessary network lookups.

Thanks for your bug report. Would you mind creating a merge request
for this feature?

I'm not sure this could go in buster.

Mathieu Parent
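
Added example, not part of the original messages or of the Samba or sssd packaging: a simplified Python model of libpam's control evaluation, run over constructed approximations of the two generated "common-account" stacks the report compares. The stack text (with "success=end" written as a jump count), the `run_stack` helper and the module return values in `DOMAIN_USER` are assumptions made for illustration.

```python
import re
# Control keywords as [value=action] lists, per pam.conf(5).
ALIASES = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
}
# Constructed stacks (assumption: "success=end" rendered as a jump count).
WINBIND_PRIMARY = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
"""
SSS_ADDITIONAL = """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""
# Constructed return values: domain user visible via NSS, expired in the directory.
DOMAIN_USER = {"pam_unix.so": "success", "pam_permit.so": "success",
               "pam_localuser.so": "perm_denied",
               "pam_winbind.so": "acct_expired", "pam_sss.so": "acct_expired"}

def run_stack(text, returns):
    """Simplified libpam walk; returns (final_status, modules_called)."""
    entries = re.findall(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M)
    status, negative, called, i = None, False, [], 0
    while i < len(entries):
        control, module = entries[i]
        actions = dict(kv.split("=") for kv in ALIASES.get(control, control.strip("[]")).split())
        ret = returns[module]
        called.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():              # jump over the next N modules
            i += int(action)
        elif action in ("ok", "done"):
            if status in (None, "success"):
                status = ret
            if action == "done" and not negative:
                break
        elif action in ("bad", "die"):    # first failure is remembered
            if not negative:
                status, negative = ret, True
            if action == "die":
                break
    return status or "perm_denied", called
```

With `DOMAIN_USER`, `run_stack(WINBIND_PRIMARY, DOMAIN_USER)` ends in `success` without ever calling pam_winbind.so, while `run_stack(SSS_ADDITIONAL, DOMAIN_USER)` reaches pam_sss.so and ends in `acct_expired`.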
