In some error conditions with winbindd enabled, the log can get spammed with messages such as:

openpam_check_error_code(): pam_sm_setcred(): unexpected return value 12

This message is generated by openpam_check_error_code() in src/contrib/openpam/lib/libpam/openpam_dispatch.c:

static void
openpam_check_error_code(int primitive, int r)
{
	/* common error codes */
	if (r == PAM_SUCCESS ||
	    r == PAM_SYSTEM_ERR ||
	    r == PAM_SERVICE_ERR ||
	    r == PAM_BUF_ERR ||
	    r == PAM_CONV_ERR ||
	    r == PAM_PERM_DENIED ||
	    r == PAM_ABORT)
		return;

	/* specific error codes */
	switch (primitive) {
	case PAM_SM_AUTHENTICATE:
		if (r == PAM_AUTH_ERR ||
		    r == PAM_CRED_INSUFFICIENT ||
		    r == PAM_AUTHINFO_UNAVAIL ||
		    r == PAM_USER_UNKNOWN ||
		    r == PAM_MAXTRIES)
			return;
		break;
	case PAM_SM_SETCRED:
		if (r == PAM_CRED_UNAVAIL ||
		    r == PAM_CRED_EXPIRED ||
		    r == PAM_USER_UNKNOWN ||
		    r == PAM_CRED_ERR)
			return;
		break;
	case PAM_SM_ACCT_MGMT:
		if (r == PAM_USER_UNKNOWN ||
		    r == PAM_AUTH_ERR ||
		    r == PAM_NEW_AUTHTOK_REQD ||
		    r == PAM_ACCT_EXPIRED)
			return;
		break;
	case PAM_SM_OPEN_SESSION:
	case PAM_SM_CLOSE_SESSION:
		if (r == PAM_SESSION_ERR)
			return;
		break;
	case PAM_SM_CHAUTHTOK:
		if (r == PAM_PERM_DENIED ||
		    r == PAM_AUTHTOK_ERR ||
		    r == PAM_AUTHTOK_RECOVERY_ERR ||
		    r == PAM_AUTHTOK_LOCK_BUSY ||
		    r == PAM_AUTHTOK_DISABLE_AGING ||
		    r == PAM_TRY_AGAIN)
			return;
		break;
	}

	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
	    pam_sm_func_name[primitive], r);
}

The check only logs; it does not change the value returned to the caller. In this case I think we can convert the return value to something like PAM_SERVICE_ERR, which is in the common list above and so is accepted for every primitive, and generate a log message that can be silenced through pam_winbind settings.
WIP fix here: https://gitlab.com/samba-team/devel/samba/-/tree/anodos325-pam_winbind-silence-openpam-errors