Comment 3 for bug 1913851

John Runyon (dimecadmiu) wrote : Re: [Bug 1913851] Re: pam_winbind should reject disabled users

It is, I believe, the default line added by pam-auth-update:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

Thanks,
John Runyon

On Fri, 29 Jan 2021 at 21:45, Seth Arnold <email address hidden> wrote:

> Can you double-check that your pam configuration for pam_winbind is
> configured to use required or requisite rather than sufficient?
>
> It's possible that the required or requisite defaults aren't sufficient
> but may still be possible to configure using the more complicated pam
> syntax. Search for 'valueN' in
> /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz for some details.
> I don't know off-hand if the
> pam_winbind module supports these finer-grained controls but it's
> possible it does.
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> ** Changed in: samba (Ubuntu)
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1913851
>
> Title:
> pam_winbind should reject disabled users
>
> Status in samba package in Ubuntu:
> Incomplete
>
> Bug description:
> pam_winbind should reject disabled users. Currently, disabled accounts
> are instead treated as disabled passwords, which means that they can
> still be logged into through other credentials.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 18.04
> Package: libpam-winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.21
> ProcVersionSignature: Ubuntu 4.15.0-135.139-generic 4.15.18
> Uname: Linux 4.15.0-135-generic x86_64
> ApportVersion: 2.20.9-0ubuntu7.21
> Architecture: amd64
> Date: Fri Jan 29 20:36:50 2021
> InstallationDate: Installed on 2018-05-02 (1003 days ago)
> InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
> OtherFailedConnect: Yes
> ProcEnviron:
> TERM=xterm-256color
> PATH=(custom, no user)
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SambaServerRegression: No
> SmbConfIncluded: No
> SourcePackage: samba
> TestparmExitCode: 0
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1913851/+subscriptions
>
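The following is an added example, not part of the original comment or of the samba or PAM projects: a simplified model of how the account stack pasted above is walked, showing that the `[success=1 ... default=ignore]` line followed by `pam_deny.so` denies access whenever pam_winbind's account check returns anything other than success. The function names and the per-module return values fed in are constructed for illustration and are not observed pam_winbind behaviour; the action semantics follow the 'valueN' description in the Linux-PAM SAG.

```python
import re

# Constructed copy of the "account" lines quoted in the comment above.
STACK = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
"""

# Keyword controls in their bracket form, as given in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

def parse(text):
    rules = []  # [(module, {return_value: action})], one per account line
    for m in re.finditer(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        control = m.group(1)
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        rules.append((m.group(2), dict(kv.split("=") for kv in spec.split())))
    return rules

def account_allowed(rules, returns):
    """Simplified model: walk the stack with the given per-module return values."""
    status, failed, i = None, False, 0
    while i < len(rules):
        module, actions = rules[i]
        ret = returns[module]
        action = actions.get(ret, actions["default"])
        i += 1
        if action.isdigit():              # jump over the next N modules
            i += int(action)
        elif action in ("ok", "done"):
            if not failed and status in (None, "success"):
                status = ret
            if action == "done" and not failed:
                break
        elif action in ("bad", "die"):
            if not failed:                # first failure fixes the result
                status, failed = ret, True
            if action == "die":
                break
        # "ignore" contributes nothing to the result
    return status == "success"
```

With this stack the only way a winbind user gets past `pam_deny.so` is for pam_winbind's account check to return success, so the outcome for a disabled account depends on what the module returns rather than on the control field.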