Bug 9928 - [RFE] pam_sm_acct_mgmt() should support checking if an account expired or is disabled.
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 enhancement
Assigned To: Samba QA Contact
Reported: 2013-06-05 06:10 UTC by Andreas Schneider
Modified: 2013-06-05 06:11 UTC (History)

Description Andreas Schneider 2013-06-05 06:10:09 UTC
In pam_winbind we can only check if an account has expired or has been disabled if we try to authenticate. It should be possible to check if we can log in without authenticating.

It is possible that an admin allows login with SSH public keys, so the user authentication is already done. As winbind can't check if the user is allowed to log in, it bypasses the check if the account is allowed to log in.

This means we need to extend the winbind protocol. winbind needs to check the account information with:

samr_QueryUserInfo -> UserControlInformation
ads_find_samaccount (gets the userAccountControl flags)

Then we need to extend libwbclient to be able to get the information and then implement it in pam_winbind.
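
The decision an account-management check would have to make once winbind can return the account data, as an added example that is not Samba code and not part of the original report. The report names only the userAccountControl flags; reading expiry from the AD `accountExpires` attribute, and the function and enum names, are assumptions of this sketch.

```c
#include <stdint.h>
#include <time.h>

/* Hypothetical result codes for this example; a real PAM module would
 * return PAM_SUCCESS, PAM_PERM_DENIED or PAM_ACCT_EXPIRED instead. */
enum acct_status { ACCT_OK = 0, ACCT_DISABLED, ACCT_EXPIRED };

/* userAccountControl bit: the account is disabled. */
#define UF_ACCOUNTDISABLE 0x00000002u

/* accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
 * Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires". */
#define NT_NEVER            0x7FFFFFFFFFFFFFFFULL
#define NT_TICKS_PER_SEC    10000000ULL
#define NT_EPOCH_DIFF_SECS  11644473600ULL   /* seconds from 1601 to 1970 */

/* Returns 1 if the expiry timestamp is at or before `now`, else 0. */
static int nt_time_expired(uint64_t account_expires, time_t now)
{
    uint64_t secs;

    if (account_expires == 0 || account_expires == NT_NEVER)
        return 0;                        /* sentinel: no expiry set */

    secs = account_expires / NT_TICKS_PER_SEC;
    if (secs < NT_EPOCH_DIFF_SECS)
        return 1;                        /* expiry lies before 1970 */

    return (int64_t)now >= (int64_t)(secs - NT_EPOCH_DIFF_SECS);
}

/* Account check that needs no password: disabled wins over expired,
 * so a disabled account is rejected even if its expiry is in the future. */
enum acct_status check_account(uint32_t user_account_control,
                               uint64_t account_expires, time_t now)
{
    if (user_account_control & UF_ACCOUNTDISABLE)
        return ACCT_DISABLED;
    if (nt_time_expired(account_expires, now))
        return ACCT_EXPIRED;
    return ACCT_OK;
}
```
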