From our user in Debian (Paolo Larcheri <paolo.larcheri@gmail.com>):

According to PAM_WINBIND(8) warn_pwd_expire should define the number
of days before pam_winbind starts to warn about passwords that are going
to expire. Defaults to 14 days.

I found out this option has been only partially implemented and using it leads
to the following in /var/log/auth.log:
pam_winbind(sshd:auth): pam_parse: unknown option: warn_pwd_expire=0
and the following in /var/log/messages:
sshd[2485]: segfault at 0 ip b6ffcb11 sp bf9749b0 error 4 in
pam_winbind.so[b6ff7000+e000]

Module segfaults and user does not get autheticated.

I managed to make it work with this:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -494,6 +494,9 @@ config_from_pam:
 			ctrl |= WINBIND_CACHED_LOGIN;
 		else if (!strcasecmp(*v, "mkhomedir"))
 			ctrl |= WINBIND_MKHOMEDIR;
+		else if (!strncasecmp(*v, "warn_pwd_expire",
+				      strlen("warn_pwd_expire")))
+			ctrl |= WINBIND_WARN_PWD_EXPIRE;
 		else {
 			__pam_log(pamh, ctrl, LOG_ERR,
 				 "pam_parse: unknown option: %s", *v);


What is more the module turned out not to accept 0 as value even if it's
supposed to be a valid value (at least considering how this parameter is used):
if ((next_change < 0) ||
    (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
            return false;
 }

I got it working by simply allowing 0 as value:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -2363,7 +2363,7 @@ static int get_warn_pwd_expire_from_conf
 	ret = get_config_item_int(ctx, "warn_pwd_expire",
 				  WINBIND_WARN_PWD_EXPIRE);
 	/* no or broken setting */
-	if (ret <= 0) {
+	if (ret < 0) {
 		return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
 	}
 	return ret;

I have also checked upstream code and latest 3.6.6 tarball in facts
is affected.

Kind Regards (and thanks for existing)

-- 
Paolo Larcheri
Linux User   #383461
https://linuxcounter.net