Description of problem:
Package samba-common-3.0.24-3.fc6: pam_winbind fails unexpectedly when the user doesn't exist in the ADS domain. pam_winbind.so is called with the unknown_ok argument (which is not listed on the manual page, while the argument silent, which is in the man page, in fact isn't accepted).

Actual results:
Apr 4 11:13:13 pegasus pam_winbind[5144]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Apr 4 11:13:13 pegasus pam_winbind[5144]: request failed, but PAM error 0!
Apr 4 11:13:13 pegasus pam_winbind[5144]: internal module error (retval = 3, user = `root')

Expected results:
Should return PAM_IGNORE
Simo, this we have fixed with 3.0.24-5.fc7 already.
Thank you for the report. I have pushed to FC5 and FC6 the fixes we had in rawhide; please reopen the bug if the new package still gives you problems.
I just got
samba-client-3.0.24-4.fc6
samba-common-3.0.24-4.fc6

# grep winbind /etc/pam.d/system-auth
auth sufficient pam_winbind.so unknown_ok
account sufficient pam_winbind.so unknown_ok
session sufficient pam_winbind.so unknown_ok

As I said earlier, I found the argument unknown_ok in the source code; it is not listed in the pam_winbind man page, and the listed argument silent in fact doesn't exist. The problem still exists, but it now looks different:

Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed
Right, the "silent" option can currently only be enabled when using an /etc/security/pam_winbind.conf config file (which we do not package yet).

Let me rephrase this bug: you're trying to log in with a local user (and you have pam_winbind in the PAM stack), correct? And that local login fails, as pam_winbind does not return the correct error code (PAM_IGNORE), right?
Yes, this is correct
Ok, your PAM configuration seems to be self-written (not generated by authconfig). Just make sure you have

account sufficient pam_localuser.so

before the

account sufficient pam_winbind.so unknown_ok

then your PAM configuration should work. authconfig will have this fixed and work by default on Fedora 7. Closing this bug now.
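
Added example, not part of the bug thread and not code from Samba or authconfig: a small checker for the ordering advised in the last comment, reporting any account-stack pam_winbind.so rule that is not preceded by a sufficient pam_localuser.so rule. The function names and the sample stacks are assumptions constructed from the lines quoted in this report, and comment handling is simplified.

```python
# Added illustration: flag PAM "account" stacks where pam_winbind.so is
# reached before a sufficient pam_localuser.so (the ordering from the thread).

def parse_pam(text):
    """Return (type, control, module, args) tuples for each PAM rule."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()   # simplification: '#' always starts a comment
        if len(tokens) < 3:
            continue                             # blank, comment-only or malformed
        mtype = tokens[0].lstrip("-")            # "-account" means "skip silently if missing"
        end = 1
        if tokens[1].startswith("["):            # [success=1 default=ignore] spans tokens
            while end < len(tokens) and not tokens[end].endswith("]"):
                end += 1
        rest = tokens[end + 1:]
        if not rest:
            continue
        control = " ".join(tokens[1:end + 1])
        module = rest[0].rsplit("/", 1)[-1]      # tolerate absolute module paths
        rules.append((mtype, control, module, rest[1:]))
    return rules

def winbind_before_localuser(text):
    """List account-stack pam_winbind.so rules not preceded by sufficient pam_localuser.so."""
    findings, local_first = [], False
    for mtype, control, module, args in parse_pam(text):
        if mtype != "account":
            continue
        if module == "pam_localuser.so" and control == "sufficient":
            local_first = True
        elif module == "pam_winbind.so" and not local_first:
            findings.append((control, args))
    return findings

# Constructed sample input: the reporter's lines, then the reordered stack.
REPORTED = """\
auth     sufficient pam_winbind.so unknown_ok
account  sufficient pam_winbind.so unknown_ok
session  sufficient pam_winbind.so unknown_ok
"""
FIXED = """\
# local accounts short-circuit before winbind is consulted
account  sufficient pam_localuser.so
account  sufficient pam_winbind.so unknown_ok
"""

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, winbind_before_localuser(cfg))
```

An empty list means every account-stack pam_winbind.so rule comes after the local-user check; files pulled in through include lines are not followed.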