Bug 9056 - warn_pwd_expire partly implemented
Summary: warn_pwd_expire partly implemented
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.0
Hardware: All All
Importance: P5 normal
Target Milestone: 4.2
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL: http://bugs.debian.org
Reported: 2012-07-20 00:16 UTC by Christian Perrier (dead mail address)
Modified: 2014-12-10 20:11 UTC

Attachments
patch for 4.2 (1.74 KB, patch)
2014-12-04 10:44 UTC, Guenther Deschner
asn: review+
patch for 4.1 (1.74 KB, patch)
2014-12-04 10:45 UTC, Guenther Deschner
asn: review+
patch for 4.1 (1.72 KB, patch)
2014-12-04 22:52 UTC, Guenther Deschner
asn: review+

Description Christian Perrier (dead mail address) 2012-07-20 00:16:15 UTC
From our user in Debian (Paolo Larcheri <paolo.larcheri@gmail.com>):

According to PAM_WINBIND(8) warn_pwd_expire should define the number
of days before pam_winbind starts to warn about passwords that are going
to expire. Defaults to 14 days.

I found out this option has been only partially implemented and using it leads
to the following in /var/log/auth.log:
pam_winbind(sshd:auth): pam_parse: unknown option: warn_pwd_expire=0
and the following in /var/log/messages:
sshd[2485]: segfault at 0 ip b6ffcb11 sp bf9749b0 error 4 in
pam_winbind.so[b6ff7000+e000]

Module segfaults and user does not get authenticated.

I managed to make it work with this:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -494,6 +494,9 @@ config_from_pam:
 			ctrl |= WINBIND_CACHED_LOGIN;
 		else if (!strcasecmp(*v, "mkhomedir"))
 			ctrl |= WINBIND_MKHOMEDIR;
+		else if (!strncasecmp(*v, "warn_pwd_expire",
+				      strlen("warn_pwd_expire")))
+			ctrl |= WINBIND_WARN_PWD_EXPIRE;
 		else {
 			__pam_log(pamh, ctrl, LOG_ERR,
 				 "pam_parse: unknown option: %s", *v);

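Review bot: The added strncasecmp(*v, "warn_pwd_expire", strlen("warn_pwd_expire")) branch is a prefix match, so any argument that merely begins with that string (a longer or misspelled option name, for instance) sets WINBIND_WARN_PWD_EXPIRE and no longer reaches the "pam_parse: unknown option" log. Consider also requiring that the character following the prefix is '=' or the end of the string, and add a short comment that this branch only sets the flag and does not read the day count.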

What is more, the module turned out not to accept 0 as a value even if it's
supposed to be a valid value (at least considering how this parameter is used):
if ((next_change < 0) ||
    (next_change > now + warn_pwd_expire * SECONDS_PER_DAY)) {
            return false;
 }

I got it working by simply allowing 0 as a value:

--- samba-3.6.6.orig/nsswitch/pam_winbind.c
+++ samba-3.6.6/nsswitch/pam_winbind.c
@@ -2363,7 +2363,7 @@ static int get_warn_pwd_expire_from_conf
 	ret = get_config_item_int(ctx, "warn_pwd_expire",
 				  WINBIND_WARN_PWD_EXPIRE);
 	/* no or broken setting */
-	if (ret <= 0) {
+	if (ret < 0) {
 		return DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES;
 	}
 	return ret;
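Review bot: With the test relaxed to ret < 0, the /* no or broken setting */ comment above it no longer matches the branch if get_config_item_int can return 0 for an absent or unparsable value; that case would now be passed through as a real setting instead of falling back to DEFAULT_DAYS_TO_WARN_BEFORE_PWD_EXPIRES. Please confirm what get_config_item_int returns there, update the comment, and document what a value of 0 means, since in the expiry check quoted earlier it reduces the condition to next_change > now.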

I have also checked upstream code and latest 3.6.6 tarball in fact
is affected.

Kind Regards (and thanks for existing)

-- 
Paolo Larcheri
Linux User   #383461
https://linuxcounter.net
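
An added example (not Samba's code and not part of the report) modelling the two behaviours the description discusses: accepting warn_pwd_expire only as a complete key rather than a prefix, and keeping 0 as a valid day count in the expiry comparison. The names skip_prefix_nocase, parse_warn_days and should_warn are hypothetical, the inputs are constructed, and the 14-day default is taken from the man page text quoted above.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define SECONDS_PER_DAY (60 * 60 * 24)
#define DEFAULT_DAYS 14 /* default from the man page text quoted above */

/* Return the text after prefix p in s (case-insensitive), or NULL. */
static const char *skip_prefix_nocase(const char *s, const char *p)
{
	for (; *p != '\0'; s++, p++)
		if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
			return NULL;
	return s;
}

/* Hypothetical helper: day count for "warn_pwd_expire[=<days>]",
 * DEFAULT_DAYS for a missing or malformed value, -1 for other options. */
static int parse_warn_days(const char *arg)
{
	const char *rest = arg ? skip_prefix_nocase(arg, "warn_pwd_expire") : NULL;
	char *end = NULL;
	long days;

	if (rest == NULL || (*rest != '\0' && *rest != '='))
		return -1;           /* other option, or a longer name with this prefix */
	if (*rest == '\0')
		return DEFAULT_DAYS; /* bare keyword, no value given */
	days = strtol(rest + 1, &end, 10);
	if (end == rest + 1 || *end != '\0' ||
	    days < 0 || days > INT_MAX / SECONDS_PER_DAY)
		return DEFAULT_DAYS; /* empty, non-numeric or out of range */
	return (int)days;        /* 0 is kept as a real value */
}

/* Same comparison as the snippet quoted in the report. */
static bool should_warn(time_t now, time_t next_change, int warn_days)
{
	return !(next_change < 0 ||
		 next_change > now + (time_t)warn_days * SECONDS_PER_DAY);
}

int main(void)
{
	printf("%d\n", parse_warn_days("warn_pwd_expire=0")); /* constructed input */
}
```

With a day count of 0 the comparison only reports true once next_change is no longer in the future, so 0 gives no advance warning.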
Comment 1 Guenther Deschner 2014-12-04 10:44:07 UTC
Created attachment 10482
patch for 4.2
Comment 2 Guenther Deschner 2014-12-04 10:45:41 UTC
Created attachment 10483
patch for 4.1
Comment 3 Andreas Schneider 2014-12-04 12:22:17 UTC
Karolin please add the patches to the relevant branches. Thanks!
Comment 4 Karolin Seeger 2014-12-04 19:32:15 UTC
(In reply to Guenther Deschner from comment #1)
Pushed to autobuild-v4-2-test.
Comment 5 Karolin Seeger 2014-12-04 19:33:50 UTC
(In reply to Guenther Deschner from comment #2)
Patch does not apply to v4-1-test.
Re-assigning to Günther.
Comment 6 Guenther Deschner 2014-12-04 22:52:41 UTC
Created attachment 10487
patch for 4.1
Comment 7 Andreas Schneider 2014-12-05 10:37:27 UTC
Comment on attachment 10487
patch for 4.1

I've applied the patch to v4-1-test and it works this time.
Comment 8 Karolin Seeger 2014-12-07 19:19:07 UTC
(In reply to Andreas Schneider from comment #7)
Pushed to autobuild-v4-1-test, thanks!
Pushed to v4-2-test.
Comment 9 Karolin Seeger 2014-12-10 20:11:49 UTC
(In reply to Karolin Seeger from comment #8)
Pushed to v4-1-test.
Closing out bug report.

Thanks!