Michael Tokarev
2025-Aug-14 16:10 UTC
[Samba] pam-winbind: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Some Debian user reports that when pam-winbind is in use, a rather fun message is being printed when mis-typing user's password.

$ su mjt
Password:
When trying to update a password, this return status indicates that the value provided as the current password is not correct.
su: Authentication failure
$ _

this comes from pam-winbind. And the message is misleading, because no one tried to update a password!

Can we make at least this message more.. accurate?

Also, what's the correct way to use pam-winbind module?

Currently we have in Debian:

auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so

(the krb5_ccache_type= most likely should be removed now, but this is a different story).

This means that it's the pam_winbind which is responsible to notify about bad password, I guess. Which is sort of wrong?

Thanks,

/mjt
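Added example (not part of the original messages, and not Samba, Debian or libpam code): a simplified Python model of how the three quoted auth lines are evaluated, using the action meanings documented in pam.d(5), to show which modules are invoked for a mistyped password. The names run_stack and parse_control and the per-module return codes are constructed for illustration.

```python
# Simplified model of a Linux-PAM auth stack (assumption: only the control
# actions that occur in the quoted stack are modelled; this is not libpam).
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# The three auth lines quoted in the message, as (control, module).
STACK = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
]

def parse_control(control):
    """Turn a control field into a {return_value: action} map."""
    if control == "requisite":  # bracket equivalent given in pam.d(5)
        control = "[success=ok new_authtok_reqd=ok ignore=ignore default=die]"
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, results):
    """results: module -> return code that module would give (constructed).
    Returns (status, modules actually invoked); status is None if every
    result was ignored."""
    status, invoked, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ret = results[module]
        invoked.append(module)
        actions = parse_control(control)
        key = "success" if ret == PAM_SUCCESS else "default"
        action = actions[key]
        i += 1
        if action == "die":        # fail immediately, rest of stack skipped
            return ret, invoked
        if action == "ignore":     # return code does not contribute
            continue
        if action.isdigit():       # N: like "ok", then jump over N modules
            i += int(action)
        if status in (None, PAM_SUCCESS):
            status = ret           # "ok": keep an earlier failure, else take ret
    return status, invoked

# Constructed scenarios: what each module would return for one login attempt.
MISTYPED = {"pam_unix.so": PAM_AUTH_ERR, "pam_winbind.so": PAM_AUTH_ERR,
            "pam_deny.so": PAM_AUTH_ERR}
LOCAL_OK = dict(MISTYPED, **{"pam_unix.so": PAM_SUCCESS})
DOMAIN_OK = dict(MISTYPED, **{"pam_winbind.so": PAM_SUCCESS})

if __name__ == "__main__":
    for name, res in [("mistyped", MISTYPED), ("local ok", LOCAL_OK),
                      ("domain ok", DOMAIN_OK)]:
        print(name, run_stack(STACK, res))
```

In the mistyped case pam_winbind.so is invoked whether or not the account is local, because the failure from pam_unix.so is ignored and evaluation falls through to the next line.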
Rowland Penny
2025-Aug-15 08:13 UTC
[Samba] pam-winbind: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
On Thu, 14 Aug 2025 19:10:21 +0300 Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Some Debian user reports that when pam-winbind is in use,
> a rather fun message is being printed when mis-typing user's
> password.
>
> $ su mjt
> Password:
> When trying to update a password, this return status indicates that
> the value provided as the current password is not correct.
> su: Authentication failure
> $ _
>
> this comes from pam-winbind. And the message is misleading, because
> no one tried to update a password!
>
> Can we make at least this message more.. accurate?
>
> Also, what's the correct way to use pam-winbind module?
>
> Currently we have in Debian:
>
> auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
>
> (the krb5_ccache_type= most likely should be removed now, but
> this is a different story).
>
> This means that it's the pam_winbind which is responsible to
> notify about bad password, I guess. Which is sort of wrong?
>
> Thanks,
>
> /mjt

I am a bit confused about this email, first the subject mentions updating a password and then in the text there is this:

because no one tried to update a password!

But, hey ho, it doesn't really matter, because that error message is not coming from Samba, it is coming from PAM, try reading the PAM man page:

Under 'RETURN VALUES' there is this:

PAM_AUTH_ERR
    Authentication failure.

Rowland