Applies to: All versions of Centrify DirectControl-enabled Samba.
Question:
Using a small wrapper program written in C, pam_winbind.so (or libpam.so) is seen to core dump/segfault under the following circumstances:
1) When the user's account password is about to expire, but has not actually expired. It's in the period where the warnings are issued.
2) The host is a RHEL 6.2 server, which is joined to a Windows AD, and is a domain member.
3) The password expiry timeout is coming from the Microsoft AD Group policies.
4) When using pam_winbind.so to perform the authentication and also filtering using the "require_membership_of" to filter to specific AD groups, for services on the host.
5) If the user's password is changed, the problem instantly goes away, but it re-appears when the account password is going to expire again.
Below is the gdb output from running the test program, with the PAM service file (see below):
Program received signal SIGSEGV, Segmentation fault.
0x0013d521 in pam_sm_authenticate () from /lib/security/pam_winbind.so
(gdb) bt
#0 0x0013d521 in pam_sm_authenticate () from /lib/security/pam_winbind.so
#1 0x00ba543f in ?? () from /lib/libpam.so.0
#2 0x00ba4c22 in pam_authenticate () from /lib/libpam.so.0
#3 0x08048770 in main (argc=3, argv=0xbffff0d4) at main.c:44
(gdb)
Service file /etc/pam.d/test contains:
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth requisite pam_succeed_if.so uid >= 500 quiet debug
auth sufficient pam_winbind.so use_first_pass warn_pwd_expire=0 require_membership_of=S-1-5-21-1550212391-918360395-1544898942-18827 debug
auth required pam_deny.so debug
Using the 'warn_pwd_expire=0' seems to force the core dump. If this is left out, the following message appears:
"Your password will expire in 10 days. erroneous conversation (5)"
Is there any reason?
Answer:
pam_winbind is a PAM module that authenticates users against the local domain by talking to the winbind daemon. Because Centrify is NOT in this PAM stack, it is suggested to raise the issue in the Samba forums. It was also verified that stock Samba shows the same behavior in the scenarios above.
The bug, "password expiration in pam_winbind which wasn't getting handled correctly from Active Directory", was fixed under the following Samba Bugzilla entry:
https://bugzilla.samba.org/show_bug.cgi?id=6253
(Link provided as a courtesy)
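To find which services on a host carry the pam_winbind options named in the question (warn_pwd_expire and require_membership_of), so they can be retested once a Samba build with the fix is installed, the service files can be parsed as below. This is an added example, not Centrify or Samba code; the function names are hypothetical and the sample input is the service file from the question.

```python
"""Inventory auth-phase pam_winbind rules in a PAM service file (added example)."""
import re

# Service file from the question, embedded so the example runs offline.
SAMPLE = """\
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth requisite pam_succeed_if.so uid >= 500 quiet debug
auth sufficient pam_winbind.so use_first_pass warn_pwd_expire=0 require_membership_of=S-1-5-21-1550212391-918360395-1544898942-18827 debug
auth required pam_deny.so debug
"""

# type, control (single word or [bracketed list]), module path, arguments
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_service(text):
    """Yield (lineno, type, control, module name, {option: value}) per rule."""
    # Backslash-continued lines are joined first, so lineno counts logical lines.
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, comment, or a directive such as @include
        mtype, control, module, args = m.groups()
        # "key=value" -> (key, value); bare flags such as "debug" -> (flag, "")
        opts = dict(tok.partition("=")[::2] for tok in args.split())
        yield lineno, mtype, control, module.rsplit("/", 1)[-1], opts


def winbind_findings(text):
    """Return one record per auth rule that calls pam_winbind.so."""
    findings = []
    for lineno, mtype, control, module, opts in parse_service(text):
        if mtype != "auth" or module != "pam_winbind.so":
            continue
        findings.append({
            "line": lineno,
            "control": control,
            "warn_pwd_expire": opts.get("warn_pwd_expire"),
            "group_filter": opts.get("require_membership_of"),
            "warn_pwd_expire_zero": opts.get("warn_pwd_expire") == "0",
        })
    return findings


if __name__ == "__main__":
    for finding in winbind_findings(SAMPLE):
        print(finding)
```

Running winbind_findings() over each file in /etc/pam.d gives the list of services to retest with an account inside its password-expiry warning period.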