Andreas Schneider · Mathieu Parent · Mathieu Parent · Mathieu Parent · Mathieu Parent · Mathieu Parent
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -62,5 +62,5 @@ Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER

 @conf
 def CHECK_PAM_WRAPPER(conf):
-    return conf.CHECK_BUNDLED_SYSTEM_PKG('pam_wrapper', minversion='1.0.4')
+    return conf.CHECK_BUNDLED_SYSTEM_PKG('pam_wrapper', minversion='1.0.7')
 Build.BuildContext.CHECK_PAM_WRAPPER = CHECK_PAM_WRAPPER
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ usershare.patch
 VERSION.patch
 add-so-version-to-private-libraries
 heimdal-rfc3454.txt
+nsswitch-Add-try_authtok-option-to-pam_winbind.patch
--- a/debian/winbind.pam-config
+++ b/debian/winbind.pam-config
@@ -11,7 +11,7 @@ Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
 Password-Type: Primary
 Password:
-	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
+	[success=end default=ignore]	pam_winbind.so try_authtok try_first_pass
 Password-Initial:
 	[success=end default=ignore]	pam_winbind.so
 Session-Type: Additional

--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -122,6 +122,14 @@
 		</para></listitem>
 		</varlistentry>

+		<varlistentry>
+		<term>try_authtok</term>
+		<listitem><para>
+		Same as the use_authtok option (previous item), except that if the new password is not
+		valid, PAM will prompt for a password.
+		</para></listitem>
+		</varlistentry>
+
 		<varlistentry>
 		<term>krb5_auth</term>
 		<listitem><para>

--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -492,6 +492,8 @@ config_from_pam:
 			ctrl |= WINBIND_SILENT;
 		else if (!strcasecmp(*v, "use_authtok"))
 			ctrl |= WINBIND_USE_AUTHTOK_ARG;
+		else if (!strcasecmp(*v, "try_authtok"))
+			ctrl |= WINBIND_TRY_AUTHTOK_ARG;
 		else if (!strcasecmp(*v, "use_first_pass"))
 			ctrl |= WINBIND_USE_FIRST_PASS_ARG;
 		else if (!strcasecmp(*v, "try_first_pass"))
@@ -3181,6 +3183,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
 			lctrl |= WINBIND_USE_FIRST_PASS_ARG;
 		}
+		if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) {
+			lctrl |= WINBIND_TRY_FIRST_PASS_ARG;
+		}
 		retry = 0;
 		ret = PAM_AUTHTOK_ERR;
 		while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {

--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -156,6 +156,7 @@ do {                             \
 #define WINBIND_DEBUG_STATE		0x00001000
 #define WINBIND_WARN_PWD_EXPIRE		0x00002000
 #define WINBIND_MKHOMEDIR		0x00004000
+#define WINBIND_TRY_AUTHTOK_ARG		0x00008000

 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string)

--- a/python/samba/tests/pam_winbind_chauthtok.py
+++ b/python/samba/tests/pam_winbind_chauthtok.py
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) 2017      Andreas Schneider <asn@samba.org>
+# Copyright (C) 2018      Mathieu Parent <math.parent@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.tests
+import pypamtest
+import os
+
+class PamChauthtokTests(samba.tests.TestCase):
+    def test_chauthtok(self):
+        domain = os.environ["DOMAIN"]
+        username = os.environ["USERNAME"]
+        password = os.environ["PASSWORD"]
+        newpassword = os.environ["NEWPASSWORD"]
+        unix_username = "%s/%s" % (domain, username)
+        expected_rc = 0 # PAM_SUCCESS
+
+        tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
+        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
+
+        self.assertTrue(res is not None)
--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
+#!/bin/sh
+
+PYTHON="$1"
+PAM_WRAPPER_SO_PATH="$2"
+PAM_SET_ITEMS_SO_PATH="$3"
+shift 3
+
+DOMAIN="$1"
+export DOMAIN
+USERNAME="$2"
+export USERNAME
+PASSWORD="$3"
+export PASSWORD
+NEWPASSWORD="$4"
+export NEWPASSWORD
+PAM_OPTIONS="$5"
+export PAM_OPTIONS
+CREATE_USER="$6"
+shift 6
+
+samba_bindir="$BINDIR"
+samba_tool="$samba_bindir/samba-tool"
+
+if [ "$CREATE_USER" = yes ]; then
+    CREATE_SERVER="$1"
+    CREATE_USERNAME="$2"
+    CREATE_PASSWORD="$3"
+    shift 3
+    $samba_tool user create "$USERNAME" "$PASSWORD" -H "ldap://$CREATE_SERVER" -U "$CREATE_USERNAME%$CREATE_PASSWORD"
+    # reset password policies beside of minimum password age of 0 days
+    $samba_tool domain passwordsettings set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default -H "ldap://$CREATE_SERVER" -U "$CREATE_USERNAME%$CREATE_PASSWORD"
+fi
+
+PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
+
+pam_winbind="$BINDIR/shared/pam_winbind.so"
+service_dir="$SELFTEST_TMPDIR/pam_services"
+service_file="$service_dir/samba"
+
+mkdir $service_dir
+echo "auth        required    $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
+echo "account     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "password    required    $PAM_SET_ITEMS_SO_PATH" >> $service_file
+echo "password    required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+echo "session     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+
+PAM_WRAPPER_SERVICE_DIR="$service_dir"
+export PAM_WRAPPER_SERVICE_DIR
+LD_PRELOAD="$LD_PRELOAD:$PAM_WRAPPER_SO_PATH"
+export LD_PRELOAD
+
+PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
+export PAM_WRAPPER_DEBUGLEVEL
+
+case $PAM_OPTIONS in
+    use_authtok)
+        PAM_AUTHTOK="$NEWPASSWORD"
+        export PAM_AUTHTOK
+    ;;
+    try_authtok)
+        PAM_AUTHTOK="$NEWPASSWORD"
+        export PAM_AUTHTOK
+    ;;
+esac
+
+PAM_WRAPPER="1" PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_chauthtok
+exit_code=$?
+
+rm -rf $service_dir
+
+if [ "$CREATE_USER" = yes ]; then
+    $samba_tool user delete "$USERNAME" -H "ldap://$CREATE_SERVER" -U "$CREATE_USERNAME%$CREATE_PASSWORD"
+    # reset password policies
+    $samba_tool domain passwordsettings set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default -H "ldap://$CREATE_SERVER" -U "$CREATE_USERNAME%$CREATE_PASSWORD"
+fi
+
+exit $exit_code
--- a/script/compare_cc_results.py
+++ b/script/compare_cc_results.py
@@ -14,6 +14,7 @@ exceptions = [
    'LIBSOCKET_WRAPPER_SO_PATH',
    'LIBNSS_WRAPPER_SO_PATH',
    'LIBPAM_WRAPPER_SO_PATH',
+    'PAM_SET_ITEMS_SO_PATH',
    'LIBUID_WRAPPER_SO_PATH',
    'LIBRESOLV_WRAPPER_SO_PATH',
 ]

--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -40,6 +40,7 @@ finally:
 have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
 with_pam = ("WITH_PAM" in config_hash)
 pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
+pam_set_items_so_path=config_hash["PAM_SET_ITEMS_SO_PATH"]

 planpythontestsuite("none", "samba.tests.source", py3_compatible=True)
 if have_man_pages_support:
@@ -167,6 +168,15 @@ if with_pam:
                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
                   valgrindify(python), pam_wrapper_so_path,
                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
+
+    for pam_options in ["''", "use_authtok", "try_authtok"]:
+        plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
+                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
+                       valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
+                       "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
+                       pam_options, 'yes',
+                       "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
+
    plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
                   valgrindify(python), pam_wrapper_so_path,

--- a/third_party/pam_wrapper/libpamtest.c
+++ b/third_party/pam_wrapper/libpamtest.c
@@ -214,12 +214,11 @@ static int pamtest_simple_conv(int num_msg,
 			       struct pam_response **response,
 			       void *appdata_ptr)
 {
-	int i, ri = 0;
+	int i = 0;
 	int ret;
 	struct pam_response *reply = NULL;
 	const char *prompt;
-	struct pamtest_conv_ctx *cctx = \
-				    (struct pamtest_conv_ctx *) appdata_ptr;
+	struct pamtest_conv_ctx *cctx = (struct pamtest_conv_ctx *)appdata_ptr;

 	if (cctx == NULL) {
 		return PAM_CONV_ERR;
@@ -241,15 +240,12 @@ static int pamtest_simple_conv(int num_msg,

 			if (reply != NULL) {
 				if (prompt != NULL) {
-					ret = add_to_reply(&reply[ri], prompt);
+					ret = add_to_reply(&reply[i], prompt);
 					if (ret != PAM_SUCCESS) {
 						free_reply(reply, num_msg);
 						return ret;
 					}
-				} else {
-					reply[ri].resp = NULL;
 				}
-				ri++;
 			}

 			cctx->echo_off_idx++;
@@ -264,18 +260,25 @@ static int pamtest_simple_conv(int num_msg,

 			if (reply != NULL) {
 				if (prompt != NULL) {
-					ret = add_to_reply(&reply[ri], prompt);
+					ret = add_to_reply(&reply[i], prompt);
 					if (ret != PAM_SUCCESS) {
 						free_reply(reply, num_msg);
 						return ret;
 					}
 				}
-				ri++;
 			}

 			cctx->echo_on_idx++;
 			break;
 		case PAM_ERROR_MSG:
+			if (reply != NULL) {
+				ret = add_to_reply(&reply[i], msgm[i]->msg);
+				if (ret != PAM_SUCCESS) {
+					free_reply(reply, num_msg);
+					return ret;
+				}
+			}
+
 			if (cctx->data->out_err != NULL) {
 				memcpy(cctx->data->out_err[cctx->err_idx],
 				       msgm[i]->msg,
@@ -285,6 +288,14 @@ static int pamtest_simple_conv(int num_msg,
 			}
 			break;
 		case PAM_TEXT_INFO:
+			if (reply != NULL) {
+				ret = add_to_reply(&reply[i], msgm[i]->msg);
+				if (ret != PAM_SUCCESS) {
+					free_reply(reply, num_msg);
+					return ret;
+				}
+			}
+
 			if (cctx->data->out_info != NULL) {
 				memcpy(cctx->data->out_info[cctx->info_idx],
 				       msgm[i]->msg,
@@ -298,7 +309,7 @@ static int pamtest_simple_conv(int num_msg,
 		}
 	}

-	if (response && ri > 0) {
+	if (response != NULL) {
 		*response = reply;
 	} else {
 		free(reply);

--- a/third_party/pam_wrapper/modules/pam_set_items.c
+++ b/third_party/pam_wrapper/modules/pam_set_items.c
+/*
+ * Copyright (c) 2015 Andreas Schneider <asn@samba.org>
+ * Copyright (c) 2015 Jakub Hrozek <jakub.hrozek@posteo.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#include "config.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+#include "config.h"
+
+/* GCC have printf type attribute check. */
+#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
+#define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
+#else
+#define PRINTF_ATTRIBUTE(a,b)
+#endif /* HAVE_FUNCTION_ATTRIBUTE_FORMAT */
+
+/*****************
+ * LOGGING
+ *****************/
+
+enum pwrap_dbglvl_e {
+	PWRAP_LOG_ERROR = 0,
+	PWRAP_LOG_WARN,
+	PWRAP_LOG_DEBUG,
+	PWRAP_LOG_TRACE
+};
+
+static void pwrap_log(enum pwrap_dbglvl_e dbglvl,
+		      const char *function,
+		      const char *format, ...) PRINTF_ATTRIBUTE(3, 4);
+# define PWRAP_LOG(dbglvl, ...) pwrap_log((dbglvl), __func__, __VA_ARGS__)
+
+static void pwrap_vlog(enum pwrap_dbglvl_e dbglvl,
+		       const char *function,
+		       const char *format,
+		       va_list args) PRINTF_ATTRIBUTE(3, 0);
+
+static void pwrap_vlog(enum pwrap_dbglvl_e dbglvl,
+		       const char *function,
+		       const char *format,
+		       va_list args)
+{
+	char buffer[1024];
+	const char *d;
+	unsigned int lvl = 0;
+	const char *prefix = "PWRAP";
+
+	d = getenv("PAM_WRAPPER_DEBUGLEVEL");
+	if (d != NULL) {
+		lvl = atoi(d);
+	}
+
+	if (lvl < dbglvl) {
+		return;
+	}
+
+	vsnprintf(buffer, sizeof(buffer), format, args);
+
+	switch (dbglvl) {
+	case PWRAP_LOG_ERROR:
+		prefix = "PWRAP_ERROR";
+		break;
+	case PWRAP_LOG_WARN:
+		prefix = "PWRAP_WARN";
+		break;
+	case PWRAP_LOG_DEBUG:
+		prefix = "PWRAP_DEBUG";
+		break;
+	case PWRAP_LOG_TRACE:
+		prefix = "PWRAP_TRACE";
+		break;
+	}
+
+	fprintf(stderr,
+		"%s(%d) - PAM_SET_ITEM %s: %s\n",
+		prefix,
+		(int)getpid(),
+		function,
+		buffer);
+}
+
+static void pwrap_log(enum pwrap_dbglvl_e dbglvl,
+		      const char *function,
+		      const char *format, ...)
+{
+	va_list va;
+
+	va_start(va, format);
+	pwrap_vlog(dbglvl, function, format, va);
+	va_end(va);
+}
+
+#define ITEM_FILE_KEY	"item_file="
+
+static const char *envs[] = {
+#ifndef HAVE_OPENPAM
+	"PAM_SERVICE",
+#endif
+	"PAM_USER",
+	"PAM_USER_PROMPT",
+	"PAM_TTY",
+	"PAM_RUSER",
+	"PAM_RHOST",
+	"PAM_AUTHTOK",
+	"PAM_OLDAUTHTOK",
+#ifdef PAM_XDISPLAY
+	"PAM_XDISPLAY",
+#endif
+#ifdef PAM_AUTHTOK_TYPE
+	"PAM_AUTHTOK_TYPE",
+#endif
+	NULL
+};
+
+static const int items[] = {
+#ifndef HAVE_OPENPAM
+	PAM_SERVICE,
+#endif
+	PAM_USER,
+	PAM_USER_PROMPT,
+	PAM_TTY,
+	PAM_RUSER,
+	PAM_RHOST,
+	PAM_AUTHTOK,
+	PAM_OLDAUTHTOK,
+#ifdef PAM_XDISPLAY
+	PAM_XDISPLAY,
+#endif
+#ifdef PAM_AUTHTOK_TYPE
+	PAM_AUTHTOK_TYPE,
+#endif
+};
+
+static void pam_setitem_env(pam_handle_t *pamh)
+{
+	int i;
+	int rv;
+	const char *v;
+
+	for (i = 0; envs[i] != NULL; i++) {
+		v = getenv(envs[i]);
+		if (v == NULL) {
+			continue;
+		}
+
+		PWRAP_LOG(PWRAP_LOG_TRACE, "%s=%s", envs[i], v);
+
+		rv = pam_set_item(pamh, items[i], v);
+		if (rv != PAM_SUCCESS) {
+			continue;
+		}
+	}
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+		    int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "AUTHENTICATE");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+	       int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "SETCRED");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+		 int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "ACCT_MGMT");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+		    int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "OPEN_SESSION");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+		     int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "CLOSE_SESSION");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+		 int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "CHAUTHTOK");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
--- a/third_party/pam_wrapper/pam_wrapper.c
+++ b/third_party/pam_wrapper/pam_wrapper.c
@@ -300,7 +300,15 @@ static void *pwrap_load_lib_handle(enum pwrap_lib lib)
 	void *handle = NULL;

 #ifdef RTLD_DEEPBIND
+	const char *env = getenv("LD_PRELOAD");
+
+	/* Don't do a deepbind if we run with libasan */
+	if (env != NULL && strlen(env) < PATH_MAX) {
+		const char *p = strstr(env, "libasan.so");
+		if (p == NULL) {
 			flags |= RTLD_DEEPBIND;
+		}
+	}
 #endif

 	switch (lib) {
@@ -896,8 +904,6 @@ static void pwrap_init(void)

 	PWRAP_LOG(PWRAP_LOG_DEBUG, "Initialize pam_wrapper");

-	pwrap_clean_stale_dirs(tmp_config_dir);
-
 	pwrap.config_dir = strdup(tmp_config_dir);
 	if (pwrap.config_dir == NULL) {
 		PWRAP_LOG(PWRAP_LOG_ERROR,
@@ -945,7 +951,7 @@ static void pwrap_init(void)
 	rc = mkdir(libpam_path, 0755);
 	if (rc != 0) {
 		PWRAP_LOG(PWRAP_LOG_ERROR,
-			  "Failed to create pam_wrapper config dir: %s - %s",
+			  "Failed to create path for libpam: %s - %s",
 			  tmp_config_dir, strerror(errno));
 		p_rmdirs(pwrap.config_dir);
 		exit(1);

--- a/third_party/pam_wrapper/wscript
+++ b/third_party/pam_wrapper/wscript
@@ -2,20 +2,23 @@

 import os

-VERSION="1.0.6"
+VERSION="1.0.7"

 def find_library(library_names, lookup_paths):
    for directory in lookup_paths:
        for filename in library_names:
-            libpam_path = os.path.join(directory, filename)
-            if os.path.exists(libpam_path):
-                return libpam_path
+            so_path = os.path.join(directory, filename)
+            if os.path.exists(so_path):
+                return so_path
    return ''

 def configure(conf):
    if conf.CHECK_PAM_WRAPPER():
        conf.DEFINE('USING_SYSTEM_PAM_WRAPPER', 1)
        libpam_wrapper_so_path = 'libpam_wrapper.so'
+
+        pam_set_items_so_path = find_library(['pam_set_items.so'],
+                                             ['/usr/lib64/pam_wrapper', '/usr/lib/pam_wrapper'])
    else:
        # check HAVE_GCC_THREAD_LOCAL_STORAGE
        conf.CHECK_CODE('''
@@ -96,8 +99,10 @@ def configure(conf):
        # Create full path to pam_wrapper
        blddir = os.path.realpath(conf.blddir)
        libpam_wrapper_so_path = blddir + '/default/third_party/pam_wrapper/libpam-wrapper.so'
+        pam_set_items_so_path = blddir + '/default/third_party/pam_wrapper/libpam-set-items.so'

    conf.DEFINE('LIBPAM_WRAPPER_SO_PATH', libpam_wrapper_so_path)
+    conf.DEFINE('PAM_SET_ITEMS_SO_PATH', pam_set_items_so_path)
    conf.DEFINE('PAM_WRAPPER', 1)

 def build(bld):
@@ -115,6 +120,12 @@ def build(bld):
                            source='libpamtest.c',
                            deps='dl pam')

+        bld.SAMBA_LIBRARY('pam_set_items',
+                          source='modules/pam_set_items.c',
+                          deps='pam',
+                          install=False,
+                          realname='pam_set_items.so')
+
        # Can be used to write pam tests in python
        for env in bld.gen_python_environments():
            bld.SAMBA_PYTHON('pypamtest',