Comment 15 for bug 570944

Steve Langasek (vorlon) wrote :

This is a tricky one. Dropping use_authtok does solve the problem of pam_unix not prompting for the password, but it also changes the behavior in the case that you have a password strength checking module stacked first, such as pam_cracklib. If pam_cracklib is configured, we don't want pam_winbind to prompt for a different password after we've gone to all the trouble of checking the strength of the first one entered!

This problem affects other combinations of stacked modules as well (e.g., pam_krb5+pam_unix), and needs to be solved generally. Currently the best solution I can offer is for PAM modules to always prompt for passwords even when they don't need them, in order to ensure correct usage of use_authtok. Alternatively, we could fix modules that accept use_authtok to recognize the lack of a password token as valid and prompt for it after all, or we could introduce a new common module option with "use_authtok_if_available" semantics. In any event, we don't want to lose the current behavior that modules *must* use the existing password if provided rather than prompting separately, and any solution we implement needs to be done systemically; so please don't change the winbind pam profile without us first having a larger conversation about how to make this work.
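A toy model of the password-change stack this comment describes, added here as an illustration (it is not libpam's code nor the winbind pam profile). It assumes pam_winbind is stacked before pam_unix, pam_unix carries use_authtok, the account is local so pam_winbind steps aside without setting a token, and the proposed use_authtok_if_available option behaves as sketched above.

```python
# Constructed model of a PAM "password" stack: each module is (name, opts) and
# a single PAM_AUTHTOK is handed down the stack, exactly as use_authtok assumes.
# Not real module code; option semantics are simplified for illustration.

def run_stack(stack, domain_user=False):
    """Return ("ok" | "<module>: no authtok", prompt_count) for one password change."""
    authtok = None
    prompts = 0
    for name, opts in stack:
        if name == "pam_winbind" and not domain_user:
            continue  # local account: winbind stays out and sets no token
        if "use_authtok" in opts:
            if authtok is None:  # a real module would return PAM_AUTHTOK_ERR here
                return (f"{name}: no authtok", prompts)
        elif "use_authtok_if_available" in opts and authtok is not None:
            pass  # proposed semantics: reuse the token only when one was set
        else:
            prompts += 1  # pam_cracklib, or any module without the option, asks
            authtok = f"password-entered-at-{name}"
    return ("ok", prompts)

CRACKLIB = ("pam_cracklib", set())
WINBIND = ("pam_winbind", {"use_authtok"})
UNIX_USE_AUTHTOK = ("pam_unix", {"use_authtok"})
UNIX_PLAIN = ("pam_unix", set())
UNIX_IF_AVAILABLE = ("pam_unix", {"use_authtok_if_available"})  # hypothetical

def scenarios():
    return {
        # the bug: no strength checker, local user -> pam_unix has no token to use
        "bug": run_stack([WINBIND, UNIX_USE_AUTHTOK]),
        # strength checker first, use_authtok kept: one prompt, checked password reused
        "cracklib_kept": run_stack([CRACKLIB, WINBIND, UNIX_USE_AUTHTOK]),
        # dropping use_authtok from pam_unix: works, but with pam_cracklib stacked
        # the user is prompted twice and the checked password is thrown away
        "dropped": run_stack([CRACKLIB, WINBIND, UNIX_PLAIN]),
        # the proposed option keeps a single prompt in both configurations
        "if_avail_nocrack": run_stack([WINBIND, UNIX_IF_AVAILABLE]),
        "if_avail_crack": run_stack([CRACKLIB, WINBIND, UNIX_IF_AVAILABLE]),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:18} -> {result}")
```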