12725 – PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain

Bug 12725 - PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain

Summary: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.5.5
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-03-28 21:04 UTC by Christof Schmitt
Modified:	2017-04-28 07:05 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
backport to 4.5 (1.69 KB, patch) 2017-03-29 21:56 UTC, Christof Schmitt	asn: review+	Details
backport to 4.6 (1.69 KB, patch) 2017-03-29 21:56 UTC, Christof Schmitt	asn: review+	Details
Additional patch for v4-6-test (6.53 KB, patch) 2017-04-06 12:09 UTC, Stefan Metzmacher	asn: review+ cs: review+	Details
Additional patch for v4-5-test (6.53 KB, patch) 2017-04-06 12:10 UTC, Stefan Metzmacher	asn: review+ cs: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christof Schmitt 2017-03-28 21:04:42 UTC

A PAM_AUTH request is sent to the DC in the joined domain. If the
authentication request was for a user from a trusted domain, and the
flag WBFLAG_PAM_GET_PWD_POLICY is specified then the password
policy from the joined domain is queried and returned.

In case the PAM_AUTH request has been issued from the pam_winbind
module that can lead to a wrong password expiration warning in pam_winbind,
if the password of the users would be expired according the the joined
domain policy, but it is not expired with the policy of the trusted domain.

Comment 1 Christof Schmitt 2017-03-29 21:56:14 UTC

Created attachment 13122 [details]
backport to 4.5

Comment 2 Christof Schmitt 2017-03-29 21:56:38 UTC

Created attachment 13123 [details]
backport to 4.6

Comment 3 Andreas Schneider 2017-03-30 06:33:55 UTC

Comment on attachment 13122 [details]
backport to 4.5

Karolin, please add the patches to the relevant branches. Thanks.

Comment 4 Karolin Seeger 2017-03-31 08:26:30 UTC

(In reply to Andreas Schneider from comment #3)
Pushed to autobuild-v4-{6,5}-test.

Comment 5 Stefan Metzmacher 2017-04-06 12:09:31 UTC

Created attachment 13135 [details]
Additional patch for v4-6-test

Comment 6 Stefan Metzmacher 2017-04-06 12:10:06 UTC

Created attachment 13136 [details]
Additional patch for v4-5-test

Comment 7 Andreas Schneider 2017-04-07 13:05:52 UTC

Karolin, please add the addtional patches too. Thanks.

Comment 8 Karolin Seeger 2017-04-21 07:05:45 UTC

(In reply to Andreas Schneider from comment #7)
Pushed additional patches to autobuild-v4-{6,5}-test.

Comment 9 Karolin Seeger 2017-04-28 07:05:43 UTC

(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.

Thanks!