[Bug 1530929] [NEW] /usr/share/pam-configs/winbind should not include krb5_ccache_type or other options

msaxl 1530929 at bugs.launchpad.net
Mon Jan 4 17:46:19 UTC 2016 

Public bug reported:

the template file winbind includes a lot of options that should be in
/etc/security/pam_winbind.conf.

Putting options in the template overwrites the option in /etc/security/pam_winbind.conf,
So, if you want for example to put the krb5cc outside of tmp, you have to modify the file in /usr/share/pam-configs/,
than call pam-auth-update.
Files in /usr should not be touched by users, so this is not a real solution. The correct place is /etc, in this case the configuration file /etc/security/pam_winbind.conf

The file in usr should be like:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


whereas the file in /etc/security/pam_winbind.conf should be like this to not change the effective configuration

[global]
krb5_auth=yes
krb5_ccache_type=FILE
cached_login=yes

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: libpam-winbind

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1530929

Title:
  /usr/share/pam-configs/winbind should not include krb5_ccache_type or
  other options

Status in samba package in Ubuntu:
  New

Bug description:
  the template file winbind includes a lot of options that should be in
  /etc/security/pam_winbind.conf.

  Putting options in the template overwrites the option in /etc/security/pam_winbind.conf,
  So, if you want for example to put the krb5cc outside of tmp, you have to modify the file in /usr/share/pam-configs/,
  than call pam-auth-update.
  Files in /usr should not be touched by users, so this is not a real solution. The correct place is /etc, in this case the configuration file /etc/security/pam_winbind.conf

  The file in usr should be like:

  Name: Winbind NT/Active Directory authentication
  Default: yes
  Priority: 192
  Auth-Type: Primary
  Auth:
          [success=end default=ignore]    pam_winbind.so try_first_pass
  Auth-Initial:
          [success=end default=ignore]    pam_winbind.so
  Account-Type: Primary
  Account:
          [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
  Password-Type: Primary
  Password:
          [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
  Password-Initial:
          [success=end default=ignore]    pam_winbind.so
  Session-Type: Additional
  Session:
          optional                        pam_winbind.so

  
  whereas the file in /etc/security/pam_winbind.conf should be like this to not change the effective configuration

  [global]
  krb5_auth=yes
  krb5_ccache_type=FILE
  cached_login=yes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1530929/+subscriptions

More information about the foundations-bugs mailing list