Rowland Penny
2025-Aug-15 12:40 UTC
[Samba] pam-winbind: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
On Fri, 15 Aug 2025 11:36:00 +0000
Kristian Rasmussen via samba <samba at lists.samba.org> wrote:

> On 15.08.2025 10:13, Rowland Penny via samba wrote:
> >
> > I am a bit confused about this email, first the subject mentions
> > updating a password and then in the text there is this:
> >
> > because no one tried to update a password!
>
> If you read the post carefully you'll see that the subject refers to
> the actual error message, while the post itself clarifies that the
> error occurs during a failed authentication unrelated to password
> changes.

I did read the post carefully and what is more I tried the command in
the same way and got the same result, just without:

When trying to update a password, this return status indicates that the
value provided as the current password is not correct.

between the password prompt and the error message.

> > But, hey ho, it doesn't really matter, because that error message is
> > not coming from Samba, it is coming from PAM, try reading the PAM
> > man page:
>
> The return code from PAM is PAM_AUTH_ERR, which is just a
> run-of-the-mill authentication failure.

The thing is, yes PAM is returning 'PAM_AUTH_ERR', but PAM is then
turning it into 'Authentication failure' and returning it.

> The exact text of this error message can be found in the Samba source
> code, specifically in libcli/util/ntstatus_err_table.txt.

Where ?
I cannot see 'Authentication failure' in that file, what I can see is
STATUS_WRONG_PASSWORD
with the text:

When trying to update a password, this return status indicates that the
value provided as the current password is not correct.

However, from what I can find with a quick check is that Samba maps
'PAM_AUTH_ERR' to 'NT_STATUS_WRONG_PASSWORD', but the command shown in
the initial post was what happens when you try to become another user
and mistype the password, so, in essence, what is returned is correct
(and initially comes from PAM), but could be better. I suggest that if
anyone is really bothered about this, then they provide a patch to fix
it.

Rowland
Michael Tokarev
2025-Aug-15 21:37 UTC
[Samba] pam-winbind: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
On 15.08.2025 15:40, Rowland Penny via samba wrote:
> On Fri, 15 Aug 2025 11:36:00 +0000
> Kristian Rasmussen via samba <samba at lists.samba.org> wrote:
>
>> On 15.08.2025 10:13, Rowland Penny via samba wrote:
>>>
>>> I am a bit confused about this email, first the subject mentions
>>> updating a password and then in the text there is this:
>>>
>>> because no one tried to update a password!
>>
>> If you read the post carefully you'll see that the subject refers to
>> the actual error message, while the post itself clarifies that the
>> error occurs during a failed authentication unrelated to password
>> changes.
>
> I did read the post carefully and what is more I tried the command in
> the same way and got the same result, just without:
>
> When trying to update a password, this return status indicates that the
> value provided as the current password is not correct.
>
> between the password prompt and the error message.

This difference might be due to the pam stack difference. Second part
of my initial message contains a question about how pam-winbind is
supposed to be used, - whether this usage is correct.

The message from $subject is the exact message printed/returned by the
pam-winbind module. It is not the pam message, it is the message
provided by pam-winbind. With the example pam stack I provided, we're
getting pam-winbind messages like this, instead of seeing traditional
pam-unix messages which are definitely less confusing.

>>> But, hey ho, it doesn't really matter, because that error message is
>>> not coming from Samba, it is coming from PAM, try reading the PAM
>>> man page:

It is coming from pam-winbind. You can run strings(1) on the module
itself, and find this string is there.

>> The return code from PAM is PAM_AUTH_ERR, which is just a
>> run-of-the-mill authentication failure.
>
> The thing is, yes PAM is returning 'PAM_AUTH_ERR', but PAM is then
> turning it into 'Authentication failure' and returning it.
>
>> The exact text of this error message can be found in the Samba source
>> code, specifically in libcli/util/ntstatus_err_table.txt.
>
> Where ?
> I cannot see 'Authentication failure' in that file, what I can see is
> STATUS_WRONG_PASSWORD
> with the text:
>
> When trying to update a password, this return status indicates that the
> value provided as the current password is not correct.
>
> However, from what I can find with a quick check is that Samba maps
> 'PAM_AUTH_ERR' to 'NT_STATUS_WRONG_PASSWORD', but the command shown in
> the initial post was what happens when you try to become another user
> and mistype the password, so, in essence, what is returned is correct
> (and initially comes from PAM), but could be better. I suggest that if
> anyone is really bothered about this, then they provide a patch to fix
> it.

Please take a look at this ntstatus_err_table.txt file - you'll see its
origin. At the very least, before providing a patch, it might be good
to ask a question whether this file is "patchable" to begin with -
because it is the official Windows error messages, at least were at
some point.

Before doing so, I'd love to hear some opinion on this file and how
pam-winbind messages are used. The message in subject is definitely
confusing and should be changed, but *how* it should be changed is what
I'm asking. Not the exact wording, but more generally, which error
messages we're supposed to return and should we use Microsoft texts for
them.

Rowland, you're really not helping. As usual.

Thanks,

/mjt