Bug 149021 - passwd -e does not work anymore for local users with pam_winbind
Summary: passwd -e does not work anymore for local users with pam_winbind
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Beta 4
Hardware: Other Other
: P5 - None : Major (vote)
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-08 10:46 UTC by Stephan Kulow
Modified: 2006-02-14 15:20 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
let pam_winbind not only rely on getpwnam (1.78 KB, patch)
2006-02-08 13:15 UTC, Guenther Deschner 		Details | Diff
Updated Patch to better identify whether a user is a winbind user or not (4.07 KB, patch)
2006-02-09 12:03 UTC, Guenther Deschner 		Details | Diff
Fixed version of that patch (4.32 KB, patch)
2006-02-10 18:50 UTC, Guenther Deschner 		Details | Diff
Fixed version of that patch (4.32 KB, patch)
2006-02-10 18:50 UTC, Guenther Deschner 		Details | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Kulow 2006-02-08 10:46:08 UTC 
how to reproduce: 
  * create local user 
  * passwd -e <username>
  * login with username
-> no expiration
Comment 1 Guenther Deschner 2006-02-08 13:14:24 UTC 
Ok, pam_winbind should better not return PAM_SUCCESS in pam_sm_acct_mgmt when the existance of the user has just been verified using NSS calls.

The attached patch still has a quirk in the WINBINDD_LOOKUPNAME which will cause an additional delay when logging in, working on that right now.
Comment 2 Guenther Deschner 2006-02-08 13:15:06 UTC 
Created attachment 66977 [details]
let pam_winbind not only rely on getpwnam
Comment 3 Guenther Deschner 2006-02-09 12:03:31 UTC 
Created attachment 67208 [details]
Updated Patch to better identify whether a user is a winbind user or not

The new fix touches some essential codepaths and still must be thoroughly tested.
Comment 4 Jeremy Allison 2006-02-10 06:00:18 UTC 
Yes, this will definately exercise winbindd to detect a winbindd-returned user. The only thing I hate is "parse_valid_domain_user" as well as 
parse_domain_user - can you make it really clear as to why this exists. As far as I can see this is the same except for the block :

+		if (!lp_winbind_use_default_domain() || 
+		    !lp_winbind_trusted_domains_only()) {
+			return False;
+		}

Any way you can make this common and select with a flag instead ?

Jeremy.
Comment 5 Guenther Deschner 2006-02-10 18:50:12 UTC 
Created attachment 67689 [details]
Fixed version of that patch

Ok, I fixed that (while fixing parse_domain_user() directly).

If no one shouts, I commit that upstream and to autobuild.
Comment 6 Guenther Deschner 2006-02-10 18:50:16 UTC 
Created attachment 67690 [details]
Fixed version of that patch

Ok, I fixed that (while fixing parse_domain_user() directly).

If no one shouts, I commit that upstream and to autobuild.
Comment 7 Guenther Deschner 2006-02-13 15:16:06 UTC 
Fixed upstream
Comment 8 Guenther Deschner 2006-02-13 17:51:06 UTC 
This is in autobuild right now. Closing this bug.