enterprise-support team mailing list archive

[msaxl <1530929@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

the template file winbind includes a lot of options that should be in
/etc/security/pam_winbind.conf.

Putting options in the template overwrites the option in /etc/security/pam_winbind.conf,
So, if you want for example to put the krb5cc outside of tmp, you have to modify the file in /usr/share/pam-configs/,
than call pam-auth-update.
Files in /usr should not be touched by users, so this is not a real solution. The correct place is /etc, in this case the configuration file /etc/security/pam_winbind.conf

The file in usr should be like:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


whereas the file in /etc/security/pam_winbind.conf should be like this to not change the effective configuration

[global]
krb5_auth=yes
krb5_ccache_type=FILE
cached_login=yes

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: libpam-winbind

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1530929

Title:
  /usr/share/pam-configs/winbind should not include krb5_ccache_type or
  other options

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1530929/+subscriptions