It is, I believe, the default line added by pam-auth-update:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

Thanks,
John Runyon

On Fri, 29 Jan 2021 at 21:45, Seth Arnold <1913...@bugs.launchpad.net> wrote:

> Can you double-check that your pam configuration for pam_winbind is
> configured to use required or requisite rather than sufficient?
>
> It's possible that the required or requisite defaults aren't sufficient
> but may still be possible to configure using the more complicated pam
> syntax. Search for 'valueN' in
> /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz for some details.
> I don't know off-hand if the pam_winbind module supports these
> finer-grained controls but it's possible it does.
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> ** Changed in: samba (Ubuntu)
>        Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1913851
>
> Title:
>   pam_winbind should reject disabled users
>
> Status in samba package in Ubuntu:
>   Incomplete
>
> Bug description:
>   pam_winbind should reject disabled users. Currently, disabled accounts
>   are instead treated as disabled passwords, which means that they can
>   still be logged into through other credentials.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 18.04
>   Package: libpam-winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.21
>   ProcVersionSignature: Ubuntu 4.15.0-135.139-generic 4.15.18
>   Uname: Linux 4.15.0-135-generic x86_64
>   ApportVersion: 2.20.9-0ubuntu7.21
>   Architecture: amd64
>   Date: Fri Jan 29 20:36:50 2021
>   InstallationDate: Installed on 2018-05-02 (1003 days ago)
>   InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
>   OtherFailedConnect: Yes
>   ProcEnviron:
>    TERM=xterm-256color
>    PATH=(custom, no user)
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   SambaServerRegression: No
>   SmbConfIncluded: No
>   SourcePackage: samba
>   TestparmExitCode: 0
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1913851/+subscriptions
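
Added example, not part of the original thread and not Samba or Linux-PAM code: a simplified Python model of how the `[value=action]` controls in the account stack quoted above are evaluated, to check which modules' verdicts are actually reached. The return values passed in for each module (such as `user_unknown` or `acct_expired`) are constructed assumptions, not observed behaviour of pam_unix or pam_winbind.

```python
# Added example: simplified model of Linux-PAM's stack walk; return values come from the caller.
KEYWORDS = {  # keyword controls expanded as documented in pam.conf(5)
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# The account stack quoted in the message above (comment lines dropped).
STACK = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
"""

def parse(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        rest = line.split(None, 1)[1]  # drop the "account" type field
        if rest.startswith("["):
            control, rest = rest[1:].split("]", 1)
            actions = dict(pair.split("=", 1) for pair in control.split())
        else:
            keyword, rest = rest.split(None, 1)
            actions = KEYWORDS[keyword]
        rules.append((rest.split()[0], actions))
    return rules

def evaluate(rules, returns):  # returns: module -> assumed return value (unlisted: success)
    status, impression, consulted, i = "perm_denied", None, [], 0
    while i < len(rules):
        module, actions = rules[i]
        ret = returns.get(module, "success")
        action = actions.get(ret, actions["default"])
        consulted.append(module)
        i += 1
        if action.isdigit():  # jump: skip the next N modules in the stack
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                status, impression = ret, True
            if impression and action == "done":
                break  # positive result ends the stack here
        elif action in ("bad", "die"):
            if impression is not False:
                status, impression = ret, False
            if action == "die":
                break  # requisite-style failure ends the stack here
    return status, consulted
```

`evaluate(parse(STACK), {})` shows that whenever pam_unix.so returns success, `success=2` jumps over both pam_winbind.so and pam_deny.so, so the winbind account check is never consulted in this stack.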