Bug 4288 - pam_winbind: require_membership_of not working when WINBIND_KRB5_AUTH configured...
pam_winbind: require_membership_of not working when WINBIND_KRB5_AUTH configu...
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.23d
Other Linux
: P3 trivial
: none
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-08 05:10 UTC by Thomas Bünnemann
Modified: 2007-02-20 09:17 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bünnemann 2006-12-08 05:10:21 UTC
Whe using pam_winbind with BOTH global:require_membership_of AND global:krb5_auth the group-membership check does not work.

Reason (as I believe):
In nsswitch/pam_winbind.c, function winbind_auth_request():
line 412: ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_AUTH, &request, &response, user);
sets the ret-value to PAM_AUTH_ERR correctly when group-membership fails,
but
line 429: ret = pam_putenv(pamh, var); 
overwrites the ret-value with PAM_SUCCESS

Solution: As in the following code, use a temporary return variable for the pam_putenv()-call...

Regards,
Thomas Bünnemann
Comment 1 Guenther Deschner 2007-02-20 09:17:27 UTC
Has been fixed with revision 21158, will be part of samba 3.0.25.