[Pkg-samba-maint] [Git][samba-team/samba][master] 2 commits: winbind pam-config: fix account section

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Fri Jul 11 10:00:20 BST 2025



Michael Tokarev pushed to branch master at Debian Samba Team / samba


Commits:
affb716b by Sascha Lucas at 2025-05-09T10:41:52+02:00
winbind pam-config: fix account section

This fixes a bug[1], where the PAM "account" part will never be executed
because the pam_unix usually return success due the presence of the
nss-winbind library.

The bug reporter points to sssd, how the problem is solved there, by
making the account section of type "Additional". This way pam_winbind is
always executed and i.e. enforces users with expired passwords to change
it before logging in.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907318

Signed-off-by: Sascha Lucas <sascha_lucas at web.de>

- - - - -
b725f36c by Michael Tokarev at 2025-07-11T12:00:18+03:00
Merge branch 'pam_winbind_fix_account' into 'master'

winbind pam-config: fix account section

See merge request samba-team/samba!66
- - - - -


1 changed file:

- debian/winbind.pam-config


Changes:

=====================================
debian/winbind.pam-config
=====================================
@@ -6,9 +6,10 @@ Auth:
 	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
 Auth-Initial:
 	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
-Account-Type: Primary
+Account-Type: Additional
 Account:
-	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
+	sufficient					pam_localuser.so
+	[default=bad success=ok user_unknown=ignore]	pam_winbind.so
 Password-Type: Primary
 Password:
 	[success=end default=ignore]	pam_winbind.so try_authtok try_first_pass



View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/a88e34b1574d0af43fa61500bf6d735124522a0a...b725f36ca00cf81c7562a869ac9688d876f81553

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/a88e34b1574d0af43fa61500bf6d735124522a0a...b725f36ca00cf81c7562a869ac9688d876f81553
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20250711/f82932cd/attachment.htm>


More information about the Pkg-samba-maint mailing list