Hi,

My concern specifically centers around SSH key auth, but in more general terms, Ubuntu makes a distinction between an account being locked, and a password being locked. So far as I can tell, Samba/AD do not make that distinction, but in any case the operation 'samba-tool user disable <account>' is described as disabling a "user". However, it does not disable a user in the same sense as other tools do. For example, 'passwd -l <account>' will disable password login, but not other ways to log in to a user account. 'usermod -e 1 <account>' however will disable other methods:

$ ssh test@foo echo yay
yay
# passwd -l test
$ ssh test@foo echo yay
yay
# usermod -e 1 test
$ ssh [email protected] echo yay
Your account has expired; please contact your system administrator
Connection closed by ...

(This last case is rejected by pam_unix at the account stage: "pam_unix(sshd:account): account test has expired (account expired)")

IMHO, the account stage of pam_winbind should do the same for disabled users.

-- 
https://bugs.launchpad.net/bugs/1913851

Title:
  pam_winbind should reject disabled users
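
The local-account distinction drawn in the message above, as an added Python example that is not part of the original report: it reads shadow(5)-format lines and separates users whose password is only locked (what 'passwd -l' does) from users whose account has expired (what 'usermod -e 1' does). The sample entries are constructed, and the function names and the "today >= expire" boundary are assumptions of this sketch.

```python
import time

# Constructed sample in shadow(5) format, not taken from a real system:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$salt$examplehash:18600:0:99999:7:::
bob:!$6$salt$examplehash:18600:0:99999:7:::
carol:$6$salt$examplehash:18600:0:99999:7::1:
dave:!$6$salt$examplehash:18600:0:99999:7::1:
"""

def classify(line, today_days):
    """Return (name, state) for one shadow line."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError(f"not a shadow(5) entry: {line!r}")
    name, password, expire = fields[0], fields[1], fields[7]
    # usermod -e writes field 8 as days since 1970-01-01; empty means never.
    # Treating "today >= expire" as expired is this sketch's assumption.
    if expire and 0 <= int(expire) <= today_days:
        return name, "account-expired"
    # passwd -l prefixes the stored hash with '!'; nothing else changes.
    if password.startswith("!"):
        return name, "password-locked-only"
    return name, "active"

def audit(shadow_text, today_days=None):
    """Map each user to its state on day number today_days (default: now)."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    entries = (l for l in shadow_text.splitlines() if l.strip())
    return dict(classify(l, today_days) for l in entries)

def key_login_not_blocked(shadow_text, today_days=None):
    """Users whose password is locked but whose account has not expired,
    i.e. the case where the ssh login in the message still succeeds."""
    states = audit(shadow_text, today_days)
    return sorted(u for u, s in states.items() if s == "password-locked-only")

if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user}: {state}")
```

Users returned by key_login_not_blocked() are the ones an administrator may believe are disabled while non-password logins are still accepted.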
