Bug 47573 - Password expiration is handled incorrectly
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: samba-winbind-clients
Version: unstable
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Evgeny Sinelnikov
QA Contact: qa-sisyphus
Reported: 2023-09-14 13:20 MSK by Andrey Cherepanov
Modified: 2023-11-10 13:57 MSK

Description Andrey Cherepanov 2023-09-14 13:20:07 MSK
[root@host-209 pam.d]# wbinfo -a 'newbie%Pa$$word'
plaintext password authentication failed
Could not authenticate user newbie%Pa$$word with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(TEST\newbie): error code was NT_STATUS_ACCOUNT_EXPIRED (0xc0000193, authoritative=1)
error message was: The user account has expired.
Could not authenticate user newbie with challenge/response

# grep auth.*pam_winbind.so system-auth-winbind-only
auth            required        pam_winbind.so krb5_auth pwd_change_prompt debug

сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): Verify user 'newbie'
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): CONFIG file: krb5_ccache_type 'KEYRING'
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling krb5 login flag
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling cached login flag
сен 14 12:55:24 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): enabling request for a KEYRING krb5 ccache
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'newbie')
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] LEAVE: pam_sm_authenticate returning 11 (PAM_MAXTRIES)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_SERVICE) = "lightdm" (0x555766212480)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_USER) = "newbie" (0x555766219d50)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_TTY) = ":0" (0x55576621e7e0)
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_AUTHTOK) = 0x55576623f150
сен 14 12:55:25 host-209.test.alt lightdm[524625]: pam_winbind(lightdm:auth): [pamh: 0x555766219bc0] STATE: ITEM(PAM_CONV) = 0x555766219d70

You can see that the PAM stack returns PAM_MAXTRIES instead of PAM_ACCT_EXPIRED and the password change dialog. Even if the user had logged in successfully before that.
Comment 1 Andrey Cherepanov 2023-09-14 13:48:44 MSK
wbcCtxLogonUser returns error 11 instead of 27 (PAM_AUTHTOK_EXPIRED).
Comment 2 Andrey Cherepanov 2023-11-10 13:57:38 MSK
Fixed in samba-winbind-clients-4.17.12-alt2