[Pkg-samba-maint] Bug#907318: Bug#907318: pam-configs/winbind is erroneously handling account section.

Mathieu Parent math.parent at gmail.com
Thu Jan 17 21:52:59 GMT 2019


On Sun, 26 Aug 2018 at 14:39, Maurizio Cimaschi <mauri at unixrulez.org> wrote:
>
> Package: libpam-winbind
> Version: 2:4.5.12+dfsg-2+deb9u3
>
> Dear package maintainer(s),

Hi,

> the "winbind" file has an issue so that the "account" part will never be
> executed because the pam_unix usually returns success due to the presence of
> the nss-winbind library.
>
> Have a look at this fragment from the file:
>
> Account-Type: Primary
> Account:
>         [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
>
> from: https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config
>
> The pam-auth-config will put the winbind library immediately after the pam_unix
> line in the "common-account" file. The pam_unix is configured so that its
> success (which usually happens because the winbind nss library will make domain
> users appear as local ones) will terminate the "Primary" section. So the
> pam_winbind will (almost) never touch the ball.
>
> See for example how this thing is sorted out in the sssd package:
>
> Account-Type: Additional
> Account:
>         sufficient                      pam_localuser.so
>         [default=bad success=ok user_unknown=ignore]    pam_sss.so
>
> from: https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update
>
> Here the "additional" property will put the pam_sss at the end of the
> "common-account" file, so it will be executed even if the pam_unix had
> previously succeeded. Also interesting is the use of the pam_localuser
> library to prevent unnecessary network lookups.

Thanks for your bug report. Would you mind creating a merge request
for this feature?

I'm not sure this could go in buster.

Regards
-- 
Mathieu Parent
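
The control flow described in the report, as an added example that is not part of the thread or of the samba/sssd packaging: a small walker over the account stack that lists which modules actually get invoked. It assumes pam-auth-update turns `success=end` into a numeric jump over the rest of the Primary block; both `common-account` layouts and all module return values are constructed, and the second layout is a hypothetical winbind version of the sssd fragment quoted above.

```python
import re

# Shorthand control flags in their bracket form (pam.conf(5)).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

# Constructed common-account layouts, not copied from a real system.
PRIMARY = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
"""
ADDITIONAL = """
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
"""

def parse(text):
    """Return [(module, {return_value: action})] for each 'account' line."""
    stack = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*account\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(pair.split("=") for pair in control[1:-1].split())
        else:
            actions = SHORTHAND[control]
        stack.append((module, actions))
    return stack

def modules_run(text, results):
    """Walk the stack; results maps module -> return value. Lists modules invoked."""
    stack, ran, i = parse(text), [], 0
    while i < len(stack):
        module, actions = stack[i]
        ran.append(module)
        action = actions.get(results[module], actions.get("default", "bad"))
        if action in ("done", "die"):
            break  # the stack terminates at this module
        i += 1 + (int(action) if action.isdigit() else 0)  # N skips the next N modules
    return ran
```

For a domain user whose pam_unix check succeeds, `modules_run(PRIMARY, ...)` never reaches pam_winbind.so, so an account restriction it would report (here a constructed `acct_expired`) is not evaluated; with the `ADDITIONAL` layout it is.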


