On Sun, 26 Aug 2018 at 14:39, Maurizio Cimaschi <ma...@unixrulez.org> wrote:
>
> Package: libpam-winbind
> Version: 2:4.5.12+dfsg-2+deb9u3
>
> Dear package maintainer(s),

Hi,

> the "winbind" file has an issue so that the "account" part will never be
> executed because the pam_unix usually returns success due to the presence of
> the nss-winbind library.
>
> Have a look at this fragment from the file:
>
> Account-Type: Primary
> Account:
>         [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
>
> from:
> https://salsa.debian.org/samba-team/samba/blob/stretch/debian/winbind.pam-config
>
> The pam-auth-config will put the winbind library immediately after the
> pam_unix line in the "common-account" file. The pam_unix is configured so
> that its success (which usually happens because the winbind nss library will
> make domain users appear as local ones) will terminate the "Primary" section.
> So the pam_winbind will (almost) never touch the ball.
>
> See for example how this thing is sorted out in the sssd package:
>
> Account-Type: Additional
> Account:
>         sufficient pam_localuser.so
>         [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> from:
> https://salsa.debian.org/sssd-team/sssd/blob/debian/1.15.0-3/debian/libpam-sss.pam-auth-update
>
> Here the "additional" property will put the pam_sss at the end of the
> "common-account" file, so it will be executed even if the pam_unix had
> previously succeeded. Also interesting is the use of the pam_localuser
> library to prevent unnecessary network lookups.

Thanks for your bug report.

Would you mind creating a merge request for this feature?

I'm not sure this could go in buster.

Regards
-- 
Mathieu Parent
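Added example, not part of the original thread and not code from the Samba or sssd packaging: a simplified Python model of how libpam walks an "account" stack, comparing the Primary placement described in the report with an Additional placement modelled on the quoted sssd fragment. The jump counts, the pam_deny/pam_permit lines, the run_stack and primary helpers and all module return values are constructed assumptions.

```python
# Simplified model of libpam control handling for one "account" stack.
# Layouts, jump counts and module return values are constructed for illustration.
KEYWORDS = {
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def primary(skip):  # Primary-block control once success=end becomes a jump count
    return {"success": skip, "new_authtok_reqd": "done", "default": "ignore"}

def run_stack(stack, returns):
    """Return (final status, modules invoked) for a list of (control, module)."""
    status, invoked, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        rules = KEYWORDS[control] if isinstance(control, str) else control
        ret = returns[module]
        invoked.append(module)
        action = rules.get(ret, rules.get("default", "ignore"))
        i += 1
        if isinstance(action, int):        # success=N: skip the next N modules
            i += action
        elif action in ("ok", "done") and status in (None, "success"):
            status = ret
            if action == "done":           # stop here, nothing later is consulted
                break
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status = ret               # the first failure is the one reported
            if action == "die":
                break
    return status, invoked

# winbind as Primary: placed right after pam_unix, whose success jumps past it.
AS_PRIMARY = [(primary(2), "pam_unix"), (primary(1), "pam_winbind"),
              ("requisite", "pam_deny"), ("required", "pam_permit")]
# Hypothetical Additional layout, modelled on the sssd fragment quoted in the report.
AS_ADDITIONAL = [(primary(1), "pam_unix"), ("requisite", "pam_deny"),
                 ("required", "pam_permit"), ("sufficient", "pam_localuser"),
                 ({"default": "bad", "success": "ok", "user_unknown": "ignore"}, "pam_winbind")]
# Constructed users: pam_unix succeeds for both because NSS resolves them.
DOMAIN_USER = {"pam_unix": "success", "pam_winbind": "perm_denied", "pam_deny": "auth_err",
               "pam_permit": "success", "pam_localuser": "perm_denied"}
LOCAL_USER = dict(DOMAIN_USER, pam_localuser="success", pam_winbind="user_unknown")

if __name__ == "__main__":
    for name, stack in (("Primary", AS_PRIMARY), ("Additional", AS_ADDITIONAL)):
        print(name, run_stack(stack, DOMAIN_USER))
```

In the Primary layout the stack returns success without pam_winbind being called; in the Additional layout pam_winbind's refusal becomes the stack result, while a local user stops at pam_localuser.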