Bug 9928 - [RFE] pam_sm_acct_mgmt() should support checking if an account expired or is disabled.
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 enhancement
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
 
Reported: 2013-06-05 06:10 UTC by Andreas Schneider
Modified: 2016-12-14 00:18 UTC

Description Andreas Schneider 2013-06-05 06:10:09 UTC
In pam_winbind we can only check whether an account has expired or has been disabled if we try to authenticate. It should be possible to check whether we can log in without authenticating.

It is possible that an admin allows login with SSH public keys, so the user authentication is already done. As winbind can't check if the user is allowed to log in, it bypasses the check if the account is allowed to log in.

This means we need to extend the winbind protocol. winbind needs to check the account information with:

samr_QueryUserInfo -> UserControlInformation
ads_find_samaccount (gets the userAccountControl flags)

Then we need to extend libwbclient to be able to get the information and then implement it in pam_winbind.
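
The decision an account-management check has to make once the flags are available, as an added example that is not part of the original report or of Samba's code. It assumes the LDAP `userAccountControl` encoding (the `UF_ACCOUNTDISABLE` bit) and the AD `accountExpires` attribute, which the report does not name; `check_account` and `enum acct_state` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Real userAccountControl bit: the account is disabled. */
#define UF_ACCOUNTDISABLE 0x00000002u
/* accountExpires values that mean "never expires". */
#define EXPIRES_NEVER_A 0ULL
#define EXPIRES_NEVER_B 0x7FFFFFFFFFFFFFFFULL
/* Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01. */
#define FILETIME_UNIX_DELTA 11644473600ULL

/* Hypothetical result type; a PAM module would map these to
 * PAM_SUCCESS or a failure code such as PAM_ACCT_EXPIRED. */
enum acct_state { ACCT_OK, ACCT_DISABLED, ACCT_EXPIRED };

/* Decide whether login may proceed without any password check.
 * uac:     userAccountControl flags from the directory
 * expires: accountExpires, 100 ns ticks since 1601-01-01 UTC
 * now:     current Unix time */
enum acct_state check_account(uint32_t uac, uint64_t expires, time_t now)
{
    if (uac & UF_ACCOUNTDISABLE)
        return ACCT_DISABLED;              /* disabled wins over expiry */
    if (expires == EXPIRES_NEVER_A || expires == EXPIRES_NEVER_B)
        return ACCT_OK;
    uint64_t exp_secs = expires / 10000000ULL;   /* ticks -> seconds */
    if (exp_secs <= FILETIME_UNIX_DELTA)
        return ACCT_EXPIRED;               /* expiry lies before 1970 */
    if ((uint64_t)now >= exp_secs - FILETIME_UNIX_DELTA)
        return ACCT_EXPIRED;
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    time_t now = 1700000000;
    uint64_t past = (1600000000ULL + FILETIME_UNIX_DELTA) * 10000000ULL;
    printf("%d %d %d\n",
           check_account(0x0202, 0, now),        /* normal + disabled */
           check_account(0x0200, past, now),     /* expiry already passed */
           check_account(0x0200, EXPIRES_NEVER_B, now));
    return 0;
}
```

The SAMR path uses a different bit layout for its account flags, so the mask above applies only to values read from `userAccountControl`.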