Error messages like NT_STATUS_ACCOUNT_DISABLED and NT_STATUS_PASSWORD_RESTRICTION do not have mapped PAM errors. So, when an application receives them, the PAM error will be "4", which is PAM_SYS_ERROR. So, the end user will not know what went wrong even though pam_winbind returns errors like "account disabled", "password restriction", etc. These errors should be mapped to known PAM errors, so that applications can interpret them in a better way and convey the same to the end user.
Created attachment 877: Patch to map some NT_STATUS_* errors to PAM errors
The patch attached above was discussed on the samba-technical mailing list at http://lists.samba.org/archive/samba-technical/2004-December/038398.html
moving back to 3.0
This looks like it has been fixed in the meantime. It should be fixed in all current versions.
Created attachment 12751: patch to add/fix error code mappings
I don't see where this should have been fixed. Attached patch fixes this for current master.
Created attachment 12769: cherry-picked patch for 4.4 and 4.5
This patch should go into the maintained release branches.
(In reply to Björn Jacke from comment #6) Pushed to autobuild-v4-{5,4}-test.
(In reply to Karolin Seeger from comment #7) Patch seems to break the build. More investigation needed. Will not be included in Samba 4.4.9.
This patch breaks the build on both branches:

[2073/4033] Compiling nsswitch/pam_winbind.c
../nsswitch/pam_winbind.c: In function ‘pam_winbind_request_log’:
../nsswitch/pam_winbind.c:770:74: error: ‘pwd’ undeclared (first use in this function)
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
   ^
../nsswitch/pam_winbind.c:770:74: note: each undeclared identifier is reported only once for each function it appears in
../nsswitch/pam_winbind.c:770:78: error: expected ‘)’ before ‘complexity’
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
   ^
../nsswitch/pam_winbind.c:770:73: error: called object is not a function or function pointer
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
   ^
../nsswitch/pam_winbind.c:770:114: error: missing terminating " character [-Werror]
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
   ^
../nsswitch/pam_winbind.c:770:78: error: missing terminating " character
   _pam_log(LOG_WARNING, "user `%s' authentication token change failed " (pwd complexity/history/min_age not met?)", user);
   ^
../nsswitch/pam_winbind.c:771:3: error: expected ‘)’ before ‘return’
   return retval;
   ^
../nsswitch/pam_winbind.c:788:2: error: passing argument 1 of ‘_pam_log’ makes pointer from integer without a cast [-Werror]
   }
   ^
../nsswitch/pam_winbind.c:216:13: note: expected ‘struct pwb_context *’ but argument is of type ‘int’
   static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
   ^
../nsswitch/pam_winbind.c:788:2: error: too few arguments to function ‘_pam_log’
   }
   ^
../nsswitch/pam_winbind.c:216:13: note: declared here
   static void _pam_log(struct pwb_context *r, int err, const char *format, ...)
   ^
../nsswitch/pam_winbind.c:788:2: error: expected ‘;’ before ‘}’ token
   }
   ^
../nsswitch/pam_winbind.c:789:1: error: control reaches end of non-void function [-Werror=return-type]
   }
   ^
cc1: all warnings being treated as errors
Waf: Leaving directory `/memdisk/kseeger/a44/b192620/samba/bin'
Build failed: -> task failed (err #1): {task: cc pam_winbind.c -> pam_winbind_15.o}
make: *** [all] Error 1
Re-assigning to Björn.
Created attachment 12813: the right one
Sorry, the previous wasn't the right cherry picked file attached.
Comment on attachment 12813: the right one
LGTM.
(In reply to Jeremy Allison from comment #12) Pushed to autobuild-v4-{5,4}-test. Thanks!
(In reply to Karolin Seeger from comment #13) Pushed to both branches. Closing out bug report. Thanks!