Bug 14416 - pam_winbind can spam logs due to openpam checks
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.12.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2020-06-19 16:55 UTC by Andrew Walker
Modified: 2020-06-23 05:25 UTC

Description Andrew Walker 2020-06-19 16:55:05 UTC
In some error conditions with winbindd enabled, the log can get spammed with messages such as:

openpam_check_error_code(): pam_sm_setcred(): unexpected return value 12

This message is generated by openpam_check_error_code() in src/contrib/openpam/lib/libpam/openpam_dispatch.c:

static void
openpam_check_error_code(int primitive, int r)
{
        /* common error codes */
        if (r == PAM_SUCCESS ||
            r == PAM_SYSTEM_ERR ||
            r == PAM_SERVICE_ERR ||
            r == PAM_BUF_ERR ||
            r == PAM_CONV_ERR ||
            r == PAM_PERM_DENIED ||
            r == PAM_ABORT)
                return;

        /* specific error codes */
        switch (primitive) {
        case PAM_SM_AUTHENTICATE:
                if (r == PAM_AUTH_ERR ||
                    r == PAM_CRED_INSUFFICIENT ||
                    r == PAM_AUTHINFO_UNAVAIL ||
                    r == PAM_USER_UNKNOWN ||
                    r == PAM_MAXTRIES)
                        return;
                break;
        case PAM_SM_SETCRED:
                if (r == PAM_CRED_UNAVAIL ||
                    r == PAM_CRED_EXPIRED ||
                    r == PAM_USER_UNKNOWN ||
                    r == PAM_CRED_ERR)
                        return;
                break;
        case PAM_SM_ACCT_MGMT:
                if (r == PAM_USER_UNKNOWN ||
                    r == PAM_AUTH_ERR ||
                    r == PAM_NEW_AUTHTOK_REQD ||
                    r == PAM_ACCT_EXPIRED)
                        return;
                break;
        case PAM_SM_OPEN_SESSION:
        case PAM_SM_CLOSE_SESSION:
                if (r == PAM_SESSION_ERR)
                        return;
                break;
        case PAM_SM_CHAUTHTOK:
                if (r == PAM_PERM_DENIED ||
                    r == PAM_AUTHTOK_ERR ||
                    r == PAM_AUTHTOK_RECOVERY_ERR ||
                    r == PAM_AUTHTOK_LOCK_BUSY ||
                    r == PAM_AUTHTOK_DISABLE_AGING ||
                    r == PAM_TRY_AGAIN)
                        return;
                break;
        }

        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
            pam_sm_func_name[primitive], r);
}

In this case I think we can convert to something like PAM_SERVICE_ERR and generate a log message that can be silenced through pam_winbind settings.
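
The conversion suggested in the report can be sketched as a table-driven filter that mirrors the accepted-code lists in the listing above. This is an added example, not code from Samba or OpenPAM; `clamp_pam_result`, the `SM_*` indices and the enum values are hypothetical stand-ins, and only four of the primitives are covered.

```c
/* Stand-in constants so the sketch compiles without PAM headers; the numeric
 * values are this enum's own. A real module would include
 * <security/pam_appl.h> and drop this enum. PAM_END is a list terminator. */
enum {
    PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_SERVICE_ERR, PAM_BUF_ERR, PAM_CONV_ERR,
    PAM_PERM_DENIED, PAM_ABORT, PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT,
    PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_MAXTRIES, PAM_CRED_UNAVAIL,
    PAM_CRED_EXPIRED, PAM_CRED_ERR, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED,
    PAM_SESSION_ERR, PAM_END
};
enum { SM_AUTHENTICATE, SM_SETCRED, SM_ACCT_MGMT, SM_OPEN_SESSION, SM_NUM };

/* Codes accepted for every primitive, then per primitive, as in the
 * openpam_check_error_code() listing quoted in the report. */
static const int common_ok[] = { PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_SERVICE_ERR,
    PAM_BUF_ERR, PAM_CONV_ERR, PAM_PERM_DENIED, PAM_ABORT, PAM_END };
static const int specific_ok[SM_NUM][6] = {
    [SM_AUTHENTICATE] = { PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT,
        PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_MAXTRIES, PAM_END },
    [SM_SETCRED] = { PAM_CRED_UNAVAIL, PAM_CRED_EXPIRED, PAM_USER_UNKNOWN,
        PAM_CRED_ERR, PAM_END },
    [SM_ACCT_MGMT] = { PAM_USER_UNKNOWN, PAM_AUTH_ERR, PAM_NEW_AUTHTOK_REQD,
        PAM_ACCT_EXPIRED, PAM_END },
    [SM_OPEN_SESSION] = { PAM_SESSION_ERR, PAM_END },
};

/* Linear search of a PAM_END-terminated list. */
static int in_list(const int *list, int r)
{
    for (; *list != PAM_END; list++)
        if (*list == r)
            return 1;
    return 0;
}

/* Hypothetical helper: return r unchanged when the quoted check would accept
 * it for this primitive, otherwise substitute PAM_SERVICE_ERR. */
int clamp_pam_result(int primitive, int r)
{
    if (in_list(common_ok, r))
        return r;
    if (primitive >= 0 && primitive < SM_NUM &&
        in_list(specific_ok[primitive], r))
        return r;
    return PAM_SERVICE_ERR;
}
```

Logging the original value before the substitution, at a level the module controls, keeps the underlying failure visible to whoever is debugging it.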