Bug 3205 - pam_winbind account module does not manage correctly an expired password
Summary: pam_winbind account module does not manage correctly an expired password
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20b
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-24 04:59 UTC by Marco Marinuzzo
Modified: 2006-01-13 04:12 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marco Marinuzzo 2005-10-24 04:59:09 UTC 
This module works well in auth and password fields. There are problems in the
account management. A bug is still reported for this problem for the 3.0.4
version (n.1524).
In that bug report (n. 1524), Scott Barker says: "When authenticating a user for
login, if a new password is required, pam_authenticate should return
PAM_SUCCESS, and pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD". 
In my tests (version 3.0.20b), when a password is expired on AD Domain
Controller, pam_sm_authenticate returns "4" (logging "internal module error")
and pam_sm_acct_mgmt is never called.
I tried patch "972" but login always succeded, while whith patch "1436" is
always denied.
Comment 1 Guenther Deschner 2005-12-22 04:27:05 UTC 
If it is possible for you, please re-test with the pam_winbind module that is now in trunk. It should be fixed there.
Comment 2 Guenther Deschner 2006-01-13 04:12:19 UTC 
Fixed in Subversion, please reopen if it is still an issue for you.