
system-auth: Add support for winbind, like krb5#11

Open
jonesmz wants to merge 2 commits into gentoo:master from jonesmz:winbind
Conversation

@jonesmz
Contributor

@jonesmz jonesmz commented Aug 6, 2022

This hasn't been tested, as I am not an expert at PAM or Jinja. This PR is intended to serve as an inspiration for how to go about adding winbind support to the system-auth file, in the same way that krb5 or systemd-homed are supported.

I've been using this (possibly very broken...?) system-auth file for several years on my domain-controller-connected Linux machines:

cat /etc/pam.d/system-auth
auth            required                        pam_env.so
auth            requisite                       pam_faillock.so preauth
auth            [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth            [success=1 default=ignore]      pam_winbind.so use_first_pass
auth            [default=die]                   pam_faillock.so authfail
auth            optional                        pam_permit.so

account         [success=2 default=ignore]      pam_unix.so
account         [success=1 default=ignore]      pam_winbind.so
account         required                        pam_faillock.so
account         optional                        pam_permit.so

password        required                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient                      pam_winbind.so use_authtok
password        optional                        pam_permit.so

session         optional                        pam_systemd.so
session         required                        pam_limits.so
session         required                        pam_env.so
session         required                        pam_unix.so
session         required                        pam_winbind.so
session         optional                        pam_permit.so

It'd be great if I could stop needing to figure out what's changed every time pambase is updated.
The way that I wanted my environment to work was to have the system check the local Unix auth for success/fail before attempting to contact the domain controller. I did this because the timeout for winbind can be kind of long, and if I'm trying to log into a local-only user on a laptop that's not on the domain controller's network, that gets annoying.

That being said, I don't object to seeing winbind contacted first, like systemd-homed and krb5 are in the template file, if that's the direction you want to go.
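To check what the bracketed control flags in the stack above actually do (which modules get called, and whether the trailing `optional pam_permit.so` can ever grant on its own), here is an added example. It is my own code, not pambase's and not something from the PR author: a small evaluator of the Linux-PAM control-flag semantics described in pam.conf(5), run over the auth and account sections of the posted file. All module return values are constructed for the scenarios (pam_env and pam_permit succeed, pam_faillock preauth succeeds for an unlocked account, pam_faillock authfail reports PAM_AUTH_ERR); the new_authtok_reqd return value is not modelled.

```python
# Added example: evaluator for Linux-PAM control flags, used to trace the
# system-auth stack posted above. Not pambase code; module results are
# constructed per scenario (see scenario()), not taken from real modules.

SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED"

# Keyword controls as pam.conf(5) expands them (new_authtok_reqd omitted).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "default": "ignore"},
}
RETVAL_KEY = {SUCCESS: "success", IGNORE: "ignore",
              AUTH_ERR: "auth_err", USER_UNKNOWN: "user_unknown"}

# Only the auth and account sections of the posted file are traced here.
SYSTEM_AUTH = """
auth            required                        pam_env.so
auth            requisite                       pam_faillock.so preauth
auth            [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth            [success=1 default=ignore]      pam_winbind.so use_first_pass
auth            [default=die]                   pam_faillock.so authfail
auth            optional                        pam_permit.so
account         [success=2 default=ignore]      pam_unix.so
account         [success=1 default=ignore]      pam_winbind.so
account         required                        pam_faillock.so
account         optional                        pam_permit.so
"""


def parse_control(token):
    """'required' or '[success=2 default=ignore]' -> {return value: action}."""
    if not token.startswith("["):
        return KEYWORD_CONTROLS[token]
    return dict(pair.split("=", 1) for pair in token.strip("[]").split())


def parse_stack(config_text, facility):
    """Collect (control, module, args) entries of one facility, in file order."""
    entries = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] != facility:
            continue
        if parts[1].startswith("["):          # bracket control may contain spaces
            end = 1
            while not parts[end].endswith("]"):
                end += 1
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        entries.append((parse_control(control), rest[0], rest[1:]))
    return entries


def run_stack(config_text, facility, module_result):
    """Walk one facility as the Linux-PAM dispatcher does.

    module_result(module, args) stands in for invoking the module and returns a
    PAM_* string. Returns (final_status, modules_actually_called).
    """
    entries = parse_stack(config_text, facility)
    impression, status = None, PERM_DENIED       # undecided / PAM_MUST_FAIL_CODE
    called, i = [], 0
    while i < len(entries):
        control, module, args = entries[i]
        retval = module_result(module, args)
        called.append(module)
        action = control.get(RETVAL_KEY[retval], control["default"])
        skip = 0
        if action in ("ok", "done") or action.isdigit():
            # a result only counts while the stack is undecided or still positive
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                            # 'sufficient' success ends the stack
            if action.isdigit():
                skip = int(action)               # N: ok, then jump over the next N entries
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                            # requisite failure / [default=die]
        # "ignore": result does not contribute to the stack's outcome
        i += 1 + skip
    return status, called


def scenario(unix, winbind):
    """Constructed outcomes: pam_env/pam_permit succeed, faillock preauth passes
    (account not locked), faillock authfail reports a failure."""
    def module_result(module, args):
        if module == "pam_unix.so":
            return unix
        if module == "pam_winbind.so":
            return winbind
        if module == "pam_faillock.so" and "authfail" in args:
            return AUTH_ERR
        return SUCCESS
    return module_result


def auth_result(unix, winbind):
    return run_stack(SYSTEM_AUTH, "auth", scenario(unix, winbind))


def account_modules_called(unix, winbind):
    return run_stack(SYSTEM_AUTH, "account", scenario(unix, winbind))[1]


if __name__ == "__main__":
    print("local user, good password:  ", auth_result(SUCCESS, SUCCESS))
    print("domain user, good password: ", auth_result(USER_UNKNOWN, SUCCESS))
    print("wrong password:             ", auth_result(AUTH_ERR, AUTH_ERR))
    print("account, domain user:       ", account_modules_called(USER_UNKNOWN, SUCCESS))
```

Running the three auth scenarios shows the intended behaviour: a local user who passes pam_unix never causes pam_winbind to be invoked, a domain user falls through pam_unix (default=ignore) to pam_winbind, and a wrong password goes through both, lands on the `[default=die]` pam_faillock authfail entry and stops there, so the trailing `optional pam_permit.so` is never reached and cannot grant on its own. In the account section the `required pam_faillock.so` entry is jumped over whenever pam_unix or pam_winbind succeeds, so it only runs when both fail; check pam_faillock(8) for what its account phase does before relying on it being called.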

@mikhailkoliada

@thesamesam what do you think?

@jonesmz
Contributor Author

jonesmz commented Mar 14, 2024

Hi, could I get some feedback about functionality like this?

It'd be nice to not have to keep updating my pam files to support winbind every update.

Obviously the pull request is out of date, but I still need feedback before I can update it.

@jonesmz
Contributor Author

jonesmz commented Oct 5, 2025

Hi, it's been another year, but I received feedback on other tickets in this project.

Can I please get some feedback?

@thesamesam
Member

In general, rebasing is a prerequisite before pinging.
