Bug#907318: pam-configs/winbind is erroneously handling account section.
On 09.05.2025 11:59, Sascha Lucas wrote:
> On Thu, 17 Jan 2019 22:52:59 +0100 Mathieu Parent wrote:
>> Thanks for your bug report. Would you mind creating a merge request
>> for this feature?
>
> PR created[1] as suggested by the bug reporter pointing to the sssd solution.

Thank you for this! I'll merge it.

>> I'm not sure this could go in buster.
>
> Maybe Trixie :-).

Trixie is frozen currently, it is unlikely to land in trixie, especially such a risky change which can potentially break user logins.

Somehow I missed this bug report while triaging samba bugs in debian, multiple times - apparently there are too many bugs in there still..

/mjt

Bug#907318: [Pkg-samba-maint] Bug#907318: pam-configs/winbind is erroneously handling account section.
On Thu, 17 Jan 2019 22:52:59 +0100 Mathieu Parent wrote:
> Thanks for your bug report. Would you mind creating a merge request
> for this feature?

PR created[1] as suggested by the bug reporter pointing to the sssd solution.

> I'm not sure this could go in buster.

Maybe Trixie :-).

TIA, Sascha.

[1] https://salsa.debian.org/samba-team/samba/-/merge_requests/66

Bug#907318: [Pkg-samba-maint] Bug#907318: pam-configs/winbind is erroneously handling account section.
On Sun, 26 Aug 2018 at 14:39, Maurizio Cimaschi wrote:
>
> Package: libpam-winbind
> Version: 2:4.5.12+dfsg-2+deb9u3
>
> Dear package maintainer(s),

Hi,

> the "winbind" file has an issue so that the "account" part will never be
> executed because the pam_unix usually returns success due to the presence of the
> nss-winbind library.
>
> Have a look at this fragment from the file:
>
>     Account-Type: Primary
>     Account:
>         [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
>
> from:
> https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config
>
> The pam-auth-config will put the winbind library immediately after the pam_unix
> line in the "common-account" file. The pam_unix is configured so that its
> success (which usually happens because the winbind nss library will make
> domain users appear as local ones) will terminate the "Primary" section. So the
> pam_winbind will (almost) never touch the ball.
>
> See for example how this thing is sorted out in the sssd package:
>
>     Account-Type: Additional
>     Account:
>         sufficient pam_localuser.so
>         [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> from:
> https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update
>
> Here the "additional" property will put the pam_sss at the end of the
> "common-account" file, so it will be executed even if the pam_unix had
> previously succeeded. It is also interesting the use of the pam_localuser
> library to prevent unnecessary network lookups.

Thanks for your bug report. Would you mind creating a merge request for this feature?

I'm not sure this could go in buster.

Regards
--
Mathieu Parent

Bug#907318: pam-configs/winbind is erroneously handling account section.
Package: libpam-winbind
Version: 2:4.5.12+dfsg-2+deb9u3

Dear package maintainer(s),

the "winbind" file has an issue so that the "account" part will never be executed because the pam_unix usually returns success due to the presence of the nss-winbind library.

Have a look at this fragment from the file:

    Account-Type: Primary
    Account:
        [success=end new_authtok_reqd=done default=ignore] pam_winbind.so

from:
https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config

The pam-auth-config will put the winbind library immediately after the pam_unix line in the "common-account" file. The pam_unix is configured so that its success (which usually happens because the winbind nss library will make domain users appear as local ones) will terminate the "Primary" section. So the pam_winbind will (almost) never touch the ball.

See for example how this thing is sorted out in the sssd package:

    Account-Type: Additional
    Account:
        sufficient pam_localuser.so
        [default=bad success=ok user_unknown=ignore] pam_sss.so

from:
https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update

Here the "additional" property will put the pam_sss at the end of the "common-account" file, so it will be executed even if the pam_unix had previously succeeded. It is also interesting the use of the pam_localuser library to prevent unnecessary network lookups.

Regards.
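
Added example, not part of the thread or of either Debian package: a simplified Python model of PAM control evaluation that shows which account modules are actually called in the two layouts discussed above. The jump counts assumed for the generated common-account file (success=end turned into success=N) and every module return code are constructed for illustration.

```python
# Simplified model of Linux-PAM control evaluation (added example).
# Module return codes below are constructed inputs, not real module output.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok",
                  "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def run_stack(stack, results):
    """Walk (control, module) pairs; return (granted, modules_called)."""
    called, state, i = [], None, 0   # state: None undecided, True ok, False failed
    while i < len(stack):
        control, module = stack[i]
        i += 1
        called.append(module)
        rules = KEYWORDS[control] if isinstance(control, str) else control
        action = rules.get(results[module], rules["default"])
        if isinstance(action, int):          # jump over the next N modules
            i += action
        elif action in ("ok", "done") and state is not False:
            state = True
        elif action in ("bad", "die"):
            state = False
        if action in ("done", "die"):        # both end the stack immediately
            break
    return state is True, called

BASE = {"new_authtok_reqd": "done", "default": "ignore"}
# Assumed generated layout: "success=end" becomes a jump past the remaining
# Primary modules and pam_deny, landing on pam_permit.
PRIMARY = [({**BASE, "success": 2}, "pam_unix"),
           ({**BASE, "success": 1}, "pam_winbind"),
           ("requisite", "pam_deny"), ("required", "pam_permit")]
# The sssd-style profile from the report: Additional modules run afterwards.
ADDITIONAL = [({**BASE, "success": 1}, "pam_unix"),
              ("requisite", "pam_deny"), ("required", "pam_permit"),
              ("sufficient", "pam_localuser"),
              ({"default": "bad", "success": "ok", "user_unknown": "ignore"},
               "pam_sss")]
# Constructed case: a domain user that NSS makes look local, whose directory
# account module would refuse access if it were consulted.
DOMAIN_USER = {"pam_unix": "success", "pam_permit": "success",
               "pam_deny": "perm_denied", "pam_winbind": "perm_denied",
               "pam_localuser": "perm_denied", "pam_sss": "perm_denied"}

if __name__ == "__main__":
    for name, stack in (("Primary", PRIMARY), ("Additional", ADDITIONAL)):
        print(name, run_stack(stack, DOMAIN_USER))
```

In the Primary layout the directory module never appears in the list of called modules, so its refusal has no effect on the result; in the Additional layout it is reached for the domain user and skipped only for users that pam_localuser accepts.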

