Handling errors returned by pam_winbind from GDM

Narayana Pattipati narayana.pattipati at wipro.com
Mon Dec 6 11:11:21 UTC 2004


Hi,

This query is related to handling of pam_winbind errors like
NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTED etc., which
don't have direct mapping with PAM errors. For example, if pam_winbind
returns NT_STATUS_PASSWORD_EXPIRE, it's mapped to PAM error
PAM_ACCT_EXPIRED. In my application, I can handle the mapped PAM error
and show relevant errors/warning "Your password has expired and you need
to change" to the user. 

But, when pam_winbind returns, say, NT_STATUS_PASSWORD_RESTRICTED (it
comes when a user tries to change the password of an AD user and the
password does not meet the complexity criteria), it does not have a direct
mapping to any PAM error. So, pam_chauthtok() just returns error "4",
which means "system error" in PAM. So, the application can't convey the
exact reason for password change failure to the end user. I want the
application to show exact reasons for failure to the end user.

How do I handle such cases in my application? 

Details of my setup and application in case you need more info:

I joined my SUSE linux system with a Windows 2003 AD domain controller. I
can now log in to my SUSE linux system with any AD user id. I am using
GDM (GNOME display manager) as login manager. The pam configuration file
for gdm is like this:

#%PAM-1.0
auth     sufficient     pam_unix2.so   debug audit  #set_secrpc
auth     required       pam_winbind.so use_first_pass 
account  sufficient     pam_unix2.so   debug audit
account  sufficient     pam_winbind.so debug
password sufficient     pam_unix2.so   debug audit #strict=false
password sufficient     pam_winbind.so debug
session  required       pam_unix2.so   debug # trace or none
session  required       pam_devperm.so
session  optional       pam_console.so

When AD password expires, GDM will show me a dialog "your password has
expired and must be changed". I can change the password there. But if
the new AD password does not match complexity criteria, pam_winbind
returns NT_STATUS_PASSWORD_RESTRICTED error and pam_chauthtok() function
just returns error "4", which means SYSTEM ERROR in PAM. Because of
this, the gdm application is not able to show the exact reason for the
password change failure to the end user.

Thanks,
Narayana
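The following is an added example, not code from Narayana's post or from Samba or GDM. It shows the application side of the problem described above: PAM's return code from pam_chauthtok() is deliberately coarse, so the only channel through which a module can pass free text such as a password-complexity reason to the application is the conversation function (PAM_ERROR_MSG / PAM_TEXT_INFO messages). The callback below records that text so the program can display it beside the mapped code instead of a bare "4". The enum and struct definitions mirror Linux-PAM's <security/pam_appl.h> so the file builds without libpam (a real application includes that header instead); simulated_chauthtok() and the module message it sends are constructed stand-ins, and whether a given pam_winbind release emits such a message for NT_STATUS_PASSWORD_RESTRICTED is an assumption, not something the post confirms.

```c
/* Added example, not code from the post: an application-side PAM conversation
 * callback that keeps the PAM_ERROR_MSG text a module sends, so the login
 * program can show the module's own reason for a password-change failure
 * beside the coarse return code ("4" = PAM_SYSTEM_ERR). The enum and struct
 * definitions mirror Linux-PAM's <security/pam_appl.h> so this builds without
 * libpam; a real application includes that header. Module text is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_BUF_ERR = 5,
       PAM_ACCT_EXPIRED = 13, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

struct conv_state {            /* handed to the callback through appdata_ptr */
    const char *new_password;  /* answer for echo-off prompts */
    char last_error[256];      /* most recent PAM_ERROR_MSG text */
    int  error_count;
};

static char *dup_str(const char *s) {   /* malloc()ed copy, as PAM requires */
    size_t n = strlen(s) + 1; char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Conversation function with the signature Linux-PAM expects. The response
 * array must be one malloc()ed block of num_msg entries; the module frees it. */
int app_conv(int num_msg, const struct pam_message **msg,
             struct pam_response **resp, void *appdata_ptr)
{
    struct conv_state *st = appdata_ptr;
    struct pam_response *r;
    if (num_msg <= 0 || st == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:  /* "New password:" / "Retype new password:" */
            r[i].resp = dup_str(st->new_password ? st->new_password : "");
            break;
        case PAM_PROMPT_ECHO_ON:   /* nothing sensible to answer unattended */
            r[i].resp = dup_str(""); break;
        case PAM_ERROR_MSG:        /* the reason text the post wants to display */
            snprintf(st->last_error, sizeof st->last_error, "%s", msg[i]->msg);
            st->error_count++;
            break;
        case PAM_TEXT_INFO: break; /* informational; a GUI would display it */
        default:                   /* unknown style: refuse rather than guess */
            while (i-- > 0) free(r[i].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Linux-PAM's meaning of the codes this program expects from pam_chauthtok(). */
const char *pam_code_text(int rc) {
    switch (rc) {
    case PAM_SUCCESS:      return "Password changed";
    case PAM_SYSTEM_ERR:   return "System error";
    case PAM_ACCT_EXPIRED: return "Account expired";
    default:               return "Unknown PAM error";
    }
}

/* User-facing line: module text when any was sent, else only the mapped code. */
int format_chauthtok_result(int rc, const struct conv_state *st, char *out, size_t n) {
    if (st->error_count > 0)
        return snprintf(out, n, "%s: %s", pam_code_text(rc), st->last_error);
    return snprintf(out, n, "%s (PAM error %d)", pam_code_text(rc), rc);
}

/* Stand-in for pam_chauthtok() so the file runs offline: prompts twice for the
 * new password, rejects it with a constructed message, returns the observed 4. */
int simulated_chauthtok(struct conv_state *st) {
    const struct pam_message p0 = { PAM_PROMPT_ECHO_OFF, "New password: " };
    const struct pam_message p1 = { PAM_PROMPT_ECHO_OFF, "Retype new password: " };
    const struct pam_message e0 = { PAM_ERROR_MSG,
        "Password does not meet the domain complexity requirements" };
    const struct pam_message *prompts[2] = { &p0, &p1 }, *errs[1] = { &e0 };
    struct pam_response *resp = NULL;
    if (app_conv(2, prompts, &resp, st) != PAM_SUCCESS) return PAM_CONV_ERR;
    free(resp[0].resp); free(resp[1].resp); free(resp);
    if (app_conv(1, errs, &resp, st) != PAM_SUCCESS) return PAM_CONV_ERR;
    free(resp);
    return PAM_SYSTEM_ERR;
}

/* Runs the scenario; returns the line the user would see, the rc via rc_out. */
const char *run_scenario(int *rc_out) {
    static char line[400];
    struct conv_state st = { "Sup3r-S3cret!", "", 0 };   /* constructed input */
    int rc = simulated_chauthtok(&st);
    format_chauthtok_result(rc, &st, line, sizeof line);
    if (rc_out) *rc_out = rc;
    return line;
}

int main(void) { int rc; puts(run_scenario(&rc)); return rc == PAM_SUCCESS ? 0 : 1; }
```

In a real login program, app_conv would be installed through the struct pam_conv passed to pam_start(), with the conv_state as appdata_ptr, and the dialog would be driven by the prompts instead of a fixed string. The point of the design is that the return code and the module's text are two separate channels: the code decides control flow (retry, lock out, abort), while the PAM_ERROR_MSG text, when a module provides one, is what the user should be shown. If a module sends nothing through the conversation, the application has no more detail than the mapped code and should say so rather than guess.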
