Here is my solution:

1) Copy the "winbind", "winbind-noauthtok" and "unix-noauthtok" files from the attachments to /usr/share/pam-configs/ (overwriting the existing ones).
2) Copy "pam_winbind.conf" from the attachment to /etc/security/.
3) Run pam-auth-update and check "Unix authentication (no use_authtok)" & "Winbind NT/Active Directory authentication (no use_authtok)"; also uncheck "Unix authentication" & "Winbind NT/Active Directory authentication".
4) Use it.

What it is:

1) New configs.
   1. winbind - the same as the default winbind (you need to overwrite it), but:
      a) without the krb5_* and cached_login options. I think these should be placed in the special config file /etc/security/pam_winbind.conf; this is a much more customizable way to configure pam_winbind without involving pam-auth-update at all. This also solves the bug about not getting a krb ticket and ccache when changing an expired password on login (the pam_winbind passwd section should contain the krb5_* options too, but it doesn't).
      b) increased "Priority", to solve the buggy changing of an expired password on login. Winbind should be before unix (like pam_krb5 does).
   2. winbind-noauthtok, unix-noauthtok - the same as winbind and unix, but without the use_authtok option. These configs conflict with winbind, unix and cracklib, so you can't install winbind-noauthtok together with winbind or cracklib.
2) See 1-1-a.
3) Just changing the configs in /etc/pam.d/ "the right" way.
4) This solution has the following advantages:
   1. Customizable - you may choose whether to use cracklib or not; pam-auth-update suggests the different ways.
   2. Solves some existing bugs: allows you to change unix and wb passwords via the passwd command (or any other graphical tools); allows changing an expired unix or wb password on login; gets a krb ticket and ccache after an expired wb password has been changed; maybe some others...

To package supporters: Why not implement this in all pam module packages (add unix, unix-noauthtok in libpam-runtime, for example) while thinking about upgrading the whole pam system? It would be really nice to add to pam-auth-update a function for detecting whether to use use_authtok or not (just read the configs of the higher-priority modules).

Some offtopic (to pam-auth-update supporters): Even if I use the pam_winbind.conf option "mkhomedir = yes", it doesn't copy the skel directory to the new user's home. So I'm forced to use pam_mkhomedir. But if I create a config for it in /usr/share/pam-configs, it adds the lines about making home directories to /etc/pam.d/common-session-noninteractive too, and this is really BAD behavior. So the right way is to implement a "Session-noninteractive:" section in the config files, I think.

Thanks for attention.

** Attachment added: "winbind" https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+attachment/2391119/+files/winbind

https://bugs.launchpad.net/bugs/570944
Title: passwd : gives "Authentication token manipulation error"
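To make the layout described above concrete, here is an added example (not the files attached to this comment) of a pam-auth-update profile without use_authtok, together with the pam_winbind.conf the krb5_* and cached_login options move to. The "#" header lines only mark where each file begins and are not part of the profile; Priority 320 is an assumed value, chosen only to sort above the stock unix profile's 256.

```text
# ==== /usr/share/pam-configs/winbind-noauthtok ====
Name: Winbind NT/Active Directory authentication (no use_authtok)
Default: yes
Priority: 320
Conflicts: winbind cracklib
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so

# ==== /etc/security/pam_winbind.conf ====
# Options removed from the profile's Auth lines live here instead, so they apply
# to every pam_winbind call, including the password stack.
[global]
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
```

After running pam-auth-update, `grep use_authtok /etc/pam.d/common-password` should no longer match pam_winbind.so, and pam_winbind.so should precede pam_unix.so in /etc/pam.d/common-auth.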