Bug 79081

Summary: pam_smbpass(password comonent) unable to obtain authtok if invoked after pam_unix
Product: [Retired] Red Hat Linux Reporter: Wenzhuo Zhang <wenzhuo>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: shiva, srevivo, villapla
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-11-17 15:30:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Wenzhuo Zhang 2002-12-05 14:02:39 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Description of problem:
I was trying to use pam_smbpass.so to keep /etc/samba/smbpasswd in sync with
system passwords. The module was compiled from samba-2.2.1a-4 src rpm.

I found that pam_smbpass password module cannot obtain correct authentication
tokens if it comes after pam_unix:

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5
shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok
try_first_pass audit
#password    required      /lib/security/pam_deny.so

The following error messages are logged on attempts to change passwords:

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null
or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable


I had to put pam_smbpass.so before pam_unix in order to make it work.

Version-Release number of selected component (if applicable):
pam-0.75-19

How reproducible:
Always

Steps to Reproduce:
1. Use the following system-auth configuration file
2. Authenticate user fred once (ssh, pop, or imap, etc.) to create a smbpasswd
entry for him.
3. run 'passwd fred' as root.
	

Actual Results:  Changed Fred's system password, but failed to change his samba
password.

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null
or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable



Expected Results:  Change Fred's samba password successfully.

Additional info:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5
shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok
try_first_pass audit
#password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
Comment 1 Wenzhuo Zhang 2002-12-05 14:07:01 UTC 
Working version of system-auth:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    optional     /lib/security/pam_smbpass.so nullok use_authtok
try_first_pass audit
password    sufficient     /lib/security/pam_unix.so nullok use_authtok md5
shadow try_first_pass
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
Comment 2 Wenzhuo Zhang 2002-12-06 15:35:54 UTC 
If I replace pam_unix.so with pam_pwdb.so, then even the previously broken
system-auth configuration works nicely.

[root@daisy pam.d]# grep password system-auth
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok
try_first_pass audit
#password    required      /lib/security/pam_deny.so


So I guess pam_unix.so might have a problem.
Comment 3 Tomas Mraz 2004-10-20 13:36:36 UTC 
Could you please retry with latest Fedora Core?
Comment 4 Tomas Mraz 2004-11-17 15:30:08 UTC 
No response from reporter.
Comment 5 Kenneth Porter 2005-10-11 23:46:04 UTC 
Update, for posterity:

http://lists.samba.org/archive/samba-technical/2001-July/015339.html

According to this post, this is a bug in pam_unix that's fixed in Linux PAM 0.76
and later.