Package: libpam-winbind Version: 2:4.5.8+dfsg-1 Followup-For: Bug #858923 The common recommendation for how to fix this issue, as long as you don't have too much else in the way of "interesting" module stacking is to remove use_authtok from the pam_winbind entry.
But that will get clobbered the next time pam-auth-update gets run AFAICT. So I thought the next best solution would be to edit /usr/share/pam-configs/winbind to change the template entry for winbind. But that's not a conf file, so it too will get clobbered, this time on package upgrade. Making /usr/share/pam-configs/winbind a conffile would at least allow reasonable sysadmin workarounds. While others disagree, I'd go so far as to say that removing use_authtok should be the default, as the simple PAM configs are going to be vastly more common than the complex stacking ones that might be adversely affected by that. Another way around this I guess might be to have a special PAM module that's not part of the normal stack whose sole purpose is to force the prompt for the new password to happen, and then make all the "real" modules use use_authtok, including pam_unix. That's a more complex and invasive change, though. -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libpam-winbind depends on: ii dpkg 1.18.23 ii libbsd0 0.8.3-1 ii libc6 2.24-10 ii libpam-runtime 1.1.8-3.5 ii libpam0g 1.1.8-3.5 ii libtalloc2 2.1.8-1 ii libwbclient0 2:4.5.8+dfsg-1 ii samba-common 2:4.5.8+dfsg-1 ii samba-libs 2:4.5.8+dfsg-1 ii winbind 2:4.5.8+dfsg-1 libpam-winbind recommends no packages. Versions of packages libpam-winbind suggests: ii libnss-winbind 2:4.5.8+dfsg-1 -- no debconf information