Narayana Pattipati wrote:
Hi,
This query is related to handling of pam_winbind errors like
NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTED etc., which
don't have direct mapping with PAM errors. For example, if pam_winbind
returns NT_STATUS_PASSWORD_EXPIRE, it's mapped to PAM error
PAM_ACCT_EXPIRED. In my application, I can handle the mapped PAM error
and show relevant errors/warning "Your password has expired and you need
to change" to the user.
But, when pam_winbind returns, say, NT_STATUS_PASSWORD_RESTRICTED (it
comes when a user tries to change the password of an AD user and the password
does not meet the complexity criteria), it does not have a direct
mapping to any PAM error. So, pam_chauthtok() just returns error "4",
which means "system error" in PAM. So, the application can't convey the
exact reason for password change failure to the end user. I want the
application to show exact reasons for failure to the end user.

pam_cracklib maps passwords that don't meet the criteria to
PAM_AUTHTOK_ERR; I guess pam_winbind could be instructed to do the same
(e.g. by hacking the code).
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
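
The suggestion in the reply above, as an added sketch that is not pam_winbind's code and not part of the original thread: it shows how mapping NT_STATUS_PASSWORD_RESTRICTED to PAM_AUTHTOK_ERR changes what the calling application can tell the user, while a status with no mapping still falls through to code 4. The function names, the table and the message strings are hypothetical; the numeric codes are Linux-PAM's values, redefined locally so the sketch builds without the PAM headers.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes, redefined with an EX_ prefix (assumption: Linux-PAM numbering). */
enum { EX_PAM_SUCCESS = 0, EX_PAM_SYSTEM_ERR = 4,
       EX_PAM_ACCT_EXPIRED = 13, EX_PAM_AUTHTOK_ERR = 20 };

/* Hypothetical mapping table; "proposed" marks the entry the reply suggests adding. */
struct nt_pam_map { const char *nt_status; int pam_code; int proposed; };
static const struct nt_pam_map ex_map[] = {
    { "NT_STATUS_OK",                  EX_PAM_SUCCESS,      0 },
    { "NT_STATUS_PASSWORD_EXPIRE",     EX_PAM_ACCT_EXPIRED, 0 }, /* mapping the thread describes */
    { "NT_STATUS_PASSWORD_RESTRICTED", EX_PAM_AUTHTOK_ERR,  1 }, /* cracklib-style mapping */
};

/* Module side: translate a winbind status string into a PAM code.
 * with_proposed = 0 models the behaviour described in the question. */
int ex_map_nt_status(const char *nt_status, int with_proposed)
{
    if (nt_status == NULL)
        return EX_PAM_SYSTEM_ERR;
    for (size_t i = 0; i < sizeof(ex_map) / sizeof(ex_map[0]); i++) {
        if (ex_map[i].proposed && !with_proposed)
            continue;
        if (strcmp(ex_map[i].nt_status, nt_status) == 0)
            return ex_map[i].pam_code;
    }
    return EX_PAM_SYSTEM_ERR; /* no mapping: the caller only sees "system error" */
}

/* Application side: choose the text shown after the PAM call returns. */
const char *ex_user_message(int pam_code)
{
    switch (pam_code) {
    case EX_PAM_SUCCESS:      return "Password changed.";
    case EX_PAM_ACCT_EXPIRED: return "Your password has expired and you need to change it.";
    case EX_PAM_AUTHTOK_ERR:  return "The new password does not meet the password policy.";
    default:                  return "Password change failed (system error).";
    }
}

int main(void)
{
    /* Constructed sample statuses, each run without and with the proposed entry. */
    const char *samples[] = { "NT_STATUS_PASSWORD_EXPIRE", "NT_STATUS_PASSWORD_RESTRICTED",
                              "NT_STATUS_ACCOUNT_DISABLED" };
    for (size_t i = 0; i < 3; i++)
        for (int p = 0; p <= 1; p++)
            printf("%-30s proposed=%d -> %2d: %s\n", samples[i], p,
                   ex_map_nt_status(samples[i], p),
                   ex_user_message(ex_map_nt_status(samples[i], p)));
    return 0;
}
```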