In nsswitch/pam_winbind.c:valid_user pam_winbind_request is called with a WINBINDD_GETPWNAM request. The problem is that pam_winbind_request checks response.data.auth.pam_status, but WINBINDD_GETPWNAM uses the response.data.name union part. regards, Lars Heete
Created attachment 2131 don't use pam_winbind_request for WINBINDD_GETPWNAM
Shouldn't that be an easier fix? Index: nsswitch/winbindd_user.c =================================================================== --- nsswitch/winbindd_user.c (revision 18508) +++ nsswitch/winbindd_user.c (working copy) @@ -331,6 +331,7 @@ username)) { DEBUG(5, ("Could not parse domain user: %s\n", state->request.data.username)); + set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); request_error(state); return; }
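Review bot: In the "Could not parse domain user" branch, the added set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER) puts an auth status into the reply of a user lookup, while the report says the WINBINDD_GETPWNAM reply uses a different part of the response.data union than the auth.pam_status field the client checks. It also covers only this one error return. I would either move the fix to the caller, so it stops reading auth fields for requests that return no auth data, or at least add a comment here explaining why a passwd lookup sets auth errors.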
No, winbindd_getpwnam fills in the "pw" part of the response.data union, set_auth_errors the "auth_reply" part. Actually there are other places in pam_winbind too that check for auth errors (using pam_winbind_request) for requests that don't provide auth_info.
Created attachment 2141 don't check response.data.auth.pam_error for winbind-requests that don't provide auth data
pam_winbind_response was also used for WINBINDD_LOOKUPNAME (provides response.data.sid)
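The mismatch discussed in this report, as an added example that is not Samba code and not part of the original thread: a simplified response type with one union, a status check that always reads the auth member, and one that reads it only for commands that provide auth data. All type, enum and function names are hypothetical, and the sample reply is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of a request/response pair; not Samba's layout. */
enum cmd { CMD_GETPWNAM, CMD_LOOKUPNAME, CMD_PAM_AUTH };
enum result { RES_OK, RES_ERROR };

struct response {
    enum result result;                                 /* valid for every command */
    union {
        struct { int pam_status; char msg[32]; } auth;  /* CMD_PAM_AUTH only */
        struct { char name[32]; unsigned uid; } pw;     /* CMD_GETPWNAM only */
        struct { char sid[40]; } sid;                   /* CMD_LOOKUPNAME only */
    } data;
};

/* Only auth commands fill data.auth. */
static int provides_auth_data(enum cmd c) { return c == CMD_PAM_AUTH; }

/* Before: reads data.auth.pam_status whatever the command was, so for
 * CMD_GETPWNAM the first bytes of pw.name are interpreted as a status. */
int status_unchecked(enum cmd c, const struct response *r) {
    (void)c;
    return r->data.auth.pam_status;
}

/* After: rely on the common result field and consult data.auth only
 * when the command provides it. Returns 0 on success. */
int status_checked(enum cmd c, const struct response *r) {
    if (r->result != RES_OK)
        return provides_auth_data(c) ? r->data.auth.pam_status : -1;
    return 0;
}

/* Constructed sample: a successful getpwnam reply. */
struct response sample_getpwnam_ok(void) {
    struct response r;
    memset(&r, 0, sizeof r);
    r.result = RES_OK;
    strcpy(r.data.pw.name, "DOMAIN\\alice");
    r.data.pw.uid = 10001;
    return r;
}

int main(void) {
    struct response r = sample_getpwnam_ok();
    printf("unchecked=%d checked=%d\n",
           status_unchecked(CMD_GETPWNAM, &r), status_checked(CMD_GETPWNAM, &r));
    return 0;
}
```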
Fixed with -r21143.