Handling errors returned by pam_winbind from GDM

Pierangelo Masarati ando at sys-net.it
Mon Dec 6 11:57:56 UTC 2004


Narayana Pattipati wrote:

>Hi,
>
>This query is related to handling of pam_winbind errors like
>NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTED etc., which
>don't have direct mapping with PAM errors. For example, if pam_winbind
>returns NT_STATUS_PASSWORD_EXPIRE, it's mapped to PAM error
>PAM_ACCT_EXPIRED. In my application, I can handle the mapped PAM error
>and show relevant errors/warning "Your password has expired and you need
>to change" to the user. 
>
>But, when pam_winbind returns, say, NT_STATUS_PASSWORD_RESTRICTED (it
>comes when a user tries to change the password of an AD user and the password
>does not meet the complexity criteria), it does not have a direct
>mapping to any PAM error. So, pam_chauthtok() just returns error "4",
>which means "system error" in PAM. So, the application can't convey the
>exact reason for password change failure to the end user. I want the
>application to show exact reasons for failure to the end user.
>  
>
pam_cracklib maps passwords that don't meet the criteria to 
PAM_AUTHTOK_ERR; I guess pam_winbind could be instructed to do the same 
(e.g. by hacking the code).

p.





    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497



