[Bug 1530929] Re: /usr/share/pam-configs/winbind should not include krb5_ccache_type or other options

Launchpad Bug Tracker 1530929 at bugs.launchpad.net
Fri Nov 23 10:03:23 UTC 2018 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: samba (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1530929

Title:
  /usr/share/pam-configs/winbind should not include krb5_ccache_type or
  other options

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  the template file winbind includes a lot of options that should be in
  /etc/security/pam_winbind.conf.

  Putting options in the template overwrites the option in /etc/security/pam_winbind.conf,
  So, if you want for example to put the krb5cc outside of tmp, you have to modify the file in /usr/share/pam-configs/,
  than call pam-auth-update.
  Files in /usr should not be touched by users, so this is not a real solution. The correct place is /etc, in this case the configuration file /etc/security/pam_winbind.conf

  The file in usr should be like:

  Name: Winbind NT/Active Directory authentication
  Default: yes
  Priority: 192
  Auth-Type: Primary
  Auth:
          [success=end default=ignore]    pam_winbind.so try_first_pass
  Auth-Initial:
          [success=end default=ignore]    pam_winbind.so
  Account-Type: Primary
  Account:
          [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
  Password-Type: Primary
  Password:
          [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
  Password-Initial:
          [success=end default=ignore]    pam_winbind.so
  Session-Type: Additional
  Session:
          optional                        pam_winbind.so

  
  whereas the file in /etc/security/pam_winbind.conf should be like this to not change the effective configuration

  [global]
  krb5_auth=yes
  krb5_ccache_type=FILE
  cached_login=yes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1530929/+subscriptions

More information about the foundations-bugs mailing list