Bug 4288 - pam_winbind: require_membership_of not working when WINBIND_KRB5_AUTH configured...
Summary: pam_winbind: require_membership_of not working when WINBIND_KRB5_AUTH configu...
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.23d
Hardware: Other Linux
: P3 trivial
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-08 05:10 UTC by Thomas Bünnemann
Modified: 2007-02-20 09:17 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bünnemann 2006-12-08 05:10:21 UTC 
Whe using pam_winbind with BOTH global:require_membership_of AND global:krb5_auth the group-membership check does not work.

Reason (as I believe):
In nsswitch/pam_winbind.c, function winbind_auth_request():
line 412: ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_AUTH, &request, &response, user);
sets the ret-value to PAM_AUTH_ERR correctly when group-membership fails,
but
line 429: ret = pam_putenv(pamh, var); 
overwrites the ret-value with PAM_SUCCESS

Solution: As in the following code, use a temporary return variable for the pam_putenv()-call...

Regards,
Thomas Bünnemann
Comment 1 Guenther Deschner 2007-02-20 09:17:27 UTC 
Has been fixed with revision 21158, will be part of samba 3.0.25.