Handling errors returned by pam_winbind from GDM
Narayana Pattipati
narayana.pattipati at wipro.com
Mon Dec 6 11:11:21 UTC 2004
Hi,
This query is related to handling of pam_winbind errors like
NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTED etc., which
don't have direct mapping with PAM errors. For example, if pam_winbind
returns NT_STATUS_PASSWORD_EXPIRE, it's mapped to PAM error
PAM_ACCT_EXPIRED. In my application, I can handle the mapped PAM error
and show relevant errors/warning "Your password has expired and you need
to change" to the user.
But, when pam_winbind returns, say, NT_STATUS_PASSWORD_RESTRICTED (it
comes when a user tries to change the password of an AD user and the
password does not meet the complexity criteria), it does not have a direct
mapping to any PAM error. So, pam_chauthtok() just returns error "4",
which means "system error" in PAM. So, the application can't convey the
exact reason for password change failure to the end user. I want the
application to show exact reasons for failure to the end user.
How do I handle such cases in my application?
Details of my setup and application in case you need more info:
I joined my SUSE linux system with windows 2003 AD domain controller. I
can now log in to my SUSE linux system with any AD user id. I am using
GDM (GNOME display manager) as login manager. The pam configuration file
for gdm is like this:
#%PAM-1.0
auth sufficient pam_unix2.so debug audit #set_secrpc
auth required pam_winbind.so use_first_pass
account sufficient pam_unix2.so debug audit
account sufficient pam_winbind.so debug
password sufficient pam_unix2.so debug audit #strict=false
password sufficient pam_winbind.so debug
session required pam_unix2.so debug # trace or none
session required pam_devperm.so
session optional pam_console.so
When AD password expires, GDM will show me a dialog "your password has
expired and must be changed". I can change the password there. But if
the new AD password does not match complexity criteria, pam_winbind
returns NT_STATUS_PASSWORD_RESTRICTED error and pam_chauthtok() function
just returns error "4", which means SYSTEM ERROR in PAM. Because of
this, the gdm application is not able to show the exact reason for password
change failure to the end user.
Thanks,
Narayana