Dear PAM maintainers,

There are two similar bugs:
- in libpam-ldap: https://bugs.debian.org/858923 (and https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/329067).
- in libpam-winbind: https://bugs.debian.org/858923 (and https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944).
Steve proposed to change pam_unix to always ask for a password; another solution would be a new "try_authtok" option which "Set the new password to the one provided by the previously stacked password module if available or ask the user for the new password".

See a work-in-progress patch (0001) for libpam-winbind attached (I'll send it to samba-technical once tested).

What do you think?

--
Mathieu Parent
From 7808a17c18221d3fd95f09bcd3ab18f4a4011165 Mon Sep 17 00:00:00 2001 From: Mathieu Parent <math.par...@gmail.com> Date: Fri, 13 Apr 2018 20:50:20 +0200 Subject: [PATCH 3/3] pam_winbind: Use the new try_authtok option allowing password change while preserving current behavior with password strength modules (Closes: #858923, LP: #570944) --- debian/winbind.pam-config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/winbind.pam-config b/debian/winbind.pam-config index ccf03d7b63a..3079439d470 100644 --- a/debian/winbind.pam-config +++ b/debian/winbind.pam-config @@ -11,7 +11,7 @@ Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: - [success=end default=ignore] pam_winbind.so use_authtok try_first_pass + [success=end default=ignore] pam_winbind.so try_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_winbind.so Session-Type: Additional -- 2.17.0
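Review bot: the subject line says "(Closes: #858923, LP: #570944)" but the diffstat touches only debian/winbind.pam-config and there is no debian/changelog hunk; in a Debian package the closure is driven by the changelog entry, so add one (the Closes/LP tags belong there) or the bugs will stay open after upload. This config line also depends on patch 2/3 being applied first, since `try_authtok` does not exist in the unpatched module, so keep the series order when merging.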
From e749dc84af647225f244d9c93e7297e53018aa53 Mon Sep 17 00:00:00 2001 From: Mathieu Parent <math.par...@gmail.com> Date: Thu, 12 Apr 2018 11:58:21 +0200 Subject: [PATCH 2/3] nsswitch: Add try_authok option to pam_winbind Same as the use_authtok option, except that if the new password is not valid, PAM will prompt for a password. --- ...Add-try_authok-option-to-pam_winbind.patch | 75 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 76 insertions(+) create mode 100644 debian/patches/nsswitch-Add-try_authok-option-to-pam_winbind.patch diff --git a/debian/patches/nsswitch-Add-try_authok-option-to-pam_winbind.patch b/debian/patches/nsswitch-Add-try_authok-option-to-pam_winbind.patch new file mode 100644 index 00000000000..1c2139a4eb1 --- /dev/null +++ b/debian/patches/nsswitch-Add-try_authok-option-to-pam_winbind.patch 
@@ -0,0 +1,75 @@ +From 7dc13b8b6d15223121bceea8cfb9f85820eedfd6 Mon Sep 17 00:00:00 2001 +From: Mathieu Parent <math.par...@gmail.com> +Date: Thu, 12 Apr 2018 11:57:15 +0200 +Subject: [PATCH] nsswitch: Add try_authok option to pam_winbind + +Same as the use_authtok option, except that if the new password is not +valid, PAM will prompt for a password. + +Bug-Debian: https://bugs.debian.org/858923 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944 + +Signed-off-by: Mathieu Parent <math.par...@gmail.com> +--- + docs-xml/manpages/pam_winbind.8.xml | 8 ++++++++ + nsswitch/pam_winbind.c | 5 +++++ + nsswitch/pam_winbind.h | 1 + + 3 files changed, 14 insertions(+) + +diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml +index f57a9286a6c..b8af5b54c58 100644 +--- a/docs-xml/manpages/pam_winbind.8.xml ++++ b/docs-xml/manpages/pam_winbind.8.xml +@@ -122,6 +122,14 @@ + </para></listitem> + </varlistentry> + ++ <varlistentry> ++ <term>try_authtok</term> ++ <listitem><para> ++ Same as the use_authtok option (previous item), except that if the new password is not ++ valid, PAM will prompt for a password. 
++ </para></listitem> ++ </varlistentry> ++ + <varlistentry> + <term>krb5_auth</term> + <listitem><para> +diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c +index e14fcfeb263..0a303202f21 100644 +--- a/nsswitch/pam_winbind.c ++++ b/nsswitch/pam_winbind.c +@@ -492,6 +492,8 @@ config_from_pam: + ctrl |= WINBIND_SILENT; + else if (!strcasecmp(*v, "use_authtok")) + ctrl |= WINBIND_USE_AUTHTOK_ARG; ++ else if (!strcasecmp(*v, "try_authtok")) ++ ctrl |= WINBIND_TRY_AUTHTOK_ARG; + else if (!strcasecmp(*v, "use_first_pass")) + ctrl |= WINBIND_USE_FIRST_PASS_ARG; + else if (!strcasecmp(*v, "try_first_pass")) +@@ -3180,6 +3182,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, + if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) { + lctrl |= WINBIND_USE_FIRST_PASS_ARG; + } ++ if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) { ++ lctrl |= WINBIND_TRY_FIRST_PASS_ARG; ++ } + retry = 0; + ret = PAM_AUTHTOK_ERR; + while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) { +diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h +index d468efbb56a..c6786d65a4d 100644 +--- a/nsswitch/pam_winbind.h ++++ b/nsswitch/pam_winbind.h +@@ -156,6 +156,7 @@ do { \ + #define WINBIND_DEBUG_STATE 0x00001000 + #define WINBIND_WARN_PWD_EXPIRE 0x00002000 + #define WINBIND_MKHOMEDIR 0x00004000 ++#define WINBIND_TRY_AUTHTOK_ARG 0x00008000 + + #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) + #define _(string) dgettext(MODULE_NAME, string) +-- +2.17.0 + diff --git a/debian/patches/series b/debian/patches/series index 5c2e3107739..a815470f6e2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ usershare.patch VERSION.patch add-so-version-to-private-libraries heimdal-rfc3454.txt +nsswitch-Add-try_authok-option-to-pam_winbind.patch -- 2.17.0
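Review bot: the quilt file name `nsswitch-Add-try_authok-option-to-pam_winbind.patch` and the subject "Add try_authok option" misspell the option, while the code and the manpage text in the same patch say `try_authtok`; rename the file and its entry in debian/patches/series before this lands, otherwise a later grep for the option name will miss the patch. The DEP-3 block carries Bug-Debian and Bug-Ubuntu but no Forwarded: header; since the message says it will go to samba-technical, record that so the package tracker shows the upstream status.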
From 7dc13b8b6d15223121bceea8cfb9f85820eedfd6 Mon Sep 17 00:00:00 2001 From: Mathieu Parent <math.par...@gmail.com> Date: Thu, 12 Apr 2018 11:57:15 +0200 Subject: [PATCH 1/3] nsswitch: Add try_authok option to pam_winbind Same as the use_authtok option, except that if the new password is not valid, PAM will prompt for a password. Bug-Debian: https://bugs.debian.org/858923 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944 Signed-off-by: Mathieu Parent <math.par...@gmail.com> --- docs-xml/manpages/pam_winbind.8.xml | 8 ++++++++ nsswitch/pam_winbind.c | 5 +++++ nsswitch/pam_winbind.h | 1 + 3 files changed, 14 insertions(+) diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml index f57a9286a6c..b8af5b54c58 100644 --- a/docs-xml/manpages/pam_winbind.8.xml +++ b/docs-xml/manpages/pam_winbind.8.xml @@ -122,6 +122,14 @@ </para></listitem> </varlistentry> + <varlistentry> + <term>try_authtok</term> + <listitem><para> + Same as the use_authtok option (previous item), except that if the new password is not + valid, PAM will prompt for a password. + </para></listitem> + </varlistentry> + <varlistentry> <term>krb5_auth</term> <listitem><para> diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index e14fcfeb263..0a303202f21 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -492,6 +492,8 @@ config_from_pam: ctrl |= WINBIND_SILENT; else if (!strcasecmp(*v, "use_authtok")) ctrl |= WINBIND_USE_AUTHTOK_ARG; + else if (!strcasecmp(*v, "try_authtok")) + ctrl |= WINBIND_TRY_AUTHTOK_ARG; else if (!strcasecmp(*v, "use_first_pass")) ctrl |= WINBIND_USE_FIRST_PASS_ARG; else if (!strcasecmp(*v, "try_first_pass")) 
@@ -3180,6 +3182,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) { lctrl |= WINBIND_USE_FIRST_PASS_ARG; } + if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) { + lctrl |= WINBIND_TRY_FIRST_PASS_ARG; + } retry = 0; ret = PAM_AUTHTOK_ERR; while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) { diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h index d468efbb56a..c6786d65a4d 100644 --- a/nsswitch/pam_winbind.h +++ b/nsswitch/pam_winbind.h @@ -156,6 +156,7 @@ do { \ #define WINBIND_DEBUG_STATE 0x00001000 #define WINBIND_WARN_PWD_EXPIRE 0x00002000 #define WINBIND_MKHOMEDIR 0x00004000 +#define WINBIND_TRY_AUTHTOK_ARG 0x00008000 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) #define _(string) dgettext(MODULE_NAME, string) -- 2.17.0
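Review bot: in the pam_sm_chauthtok hunk the only effect of WINBIND_TRY_AUTHTOK_ARG is `lctrl |= WINBIND_TRY_FIRST_PASS_ARG;`, mirroring the use_authtok to use_first_pass mapping directly above it. By analogy with that mapping, the try_first_pass flag covers the case where no stacked token exists at all; it is not evident from these lines that a stacked token rejected by winbind (the "if the new password is not valid, PAM will prompt" case the manpage hunk promises) leads to a fresh prompt rather than the same token being resubmitted on each pass of the retry loop that follows. Please verify that behaviour with a password strength module stacked before pam_winbind before the manpage makes the claim, and in the manpage replace "(previous item)" with the option name so the text survives reordering of the varlistentry items.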
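Review bot: the new `#define WINBIND_TRY_AUTHTOK_ARG 0x00008000` in pam_winbind.h is shown only next to 0x00001000, 0x00002000 and 0x00004000; please confirm that no other WINBIND_* flag in the header already uses that bit, since a collision would silently switch on an unrelated option whenever try_authtok is given.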