Bug 10666 - Authentication failure w/pam using samba
Authentication failure w/pam using samba
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: samba (Show other bugs)
6.2
i386 Linux
medium Severity low
: ---
: ---
Assigned To: Trond Eivind Glomsrxd
:
: 12410 21685 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-04-08 14:33 EDT by Henri J. Schlereth
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-01-18 19:08:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Henri J. Schlereth 2000-04-08 14:33:39 EDT
Note: This is not a show stopper it puts in a delay and then passes
the user thru.

version:
Version 2.0.6

From syslog:

Apr  8 13:27:18 kesrith PAM_pwdb[32520]: authentication failure; (uid=0) ->
henris for samba service
Apr  8 13:27:21 kesrith last message repeated 3 times
Apr  8 13:27:26 kesrith PAM_pwdb[32521]: authentication failure; (uid=0) ->
henris for samba service

from log.smb
[2000/04/08 13:27:20, 1] smbd/reply.c:reply_sesssetup_and_X(909)
  Rejecting user 'henris': authentication failed
[2000/04/08 13:27:22, 1] smbd/reply.c:reply_sesssetup_and_X(909)
  Rejecting user 'henris': authentication failed

from /etc/pam.d/samba
auth    required        /lib/security/pam_pwdb.so nullok shadow audit
account required        /lib/security/pam_pwdb.so

note: I added the audit.

I have four Linux/Samba boxes that perform the same error. The all users
except one(for testing) have matching acounts/passwords on both servers/
clients (clients are both W95a).I dont use encryption on Windows,I dont
use smbpasswd or usermap on samba. I have seen this error in the
following:

RPM's from Redhat and Samba
compiled from source from samba and RH (2.0.6)

samba-2.0.7Pre2 (compiled w/ -lpam)
samba-TNG-0.11 (compiled w/ -lpam)

As I said in the begining that it doesnt halt the connection it merely
induces a brief delay, coughs up the error message. In a production
environment the delay may well be worse or unacceptable. If required I
will add my smb.confs from all machines.
Comment 1 Henri J. Schlereth 2000-06-05 13:15:20 EDT
Tested this issue with samba 2.0.7 from rawhide and this issue still
exists. I emailed RH web support and they said it was "not supported".
Comment 2 Henri Schlereth 2000-07-12 21:15:38 EDT
Still exists in samba-2.0.7-11
Comment 3 Bill Nottingham 2000-07-19 11:38:34 EDT
*** Bug 12410 has been marked as a duplicate of this bug. ***
Comment 4 Henri Schlereth 2000-10-02 22:45:17 EDT
Found an email from samba-technical with a possible patch. This refers to 1.9.18 which shows how far back this exists.
Dont know how useful this is but I thought I would submit it for review of the more technically inclined. When I get a spare
machine I will try and patch 2.0.7 and see what it does.

Henri

Patch (was Re: disable "fake" samba authentication
error messages)

Charlie Brady cbrady@ind.tansu.com.au
Mon, 10 Aug 1998 19:47:51 +1000 (EST) 

Attached is a patch to 1.9.18p8 to kill the "authentication failure"
messages when samba is permuting upper/lower cases. This follows the
strategy suggested by Andrew Morgan.

The patch isn't really as big as it looks, I've moved some code around so
that there is less repetition.

I note that samba always tries the password lowercased unless it receives
the password in mixed case. I would have thought that we knew which
clients might have uppercased it, and should only do the case permutation
for known dumb clients. Otherwise we reduce password security somewhat on
well behaved clients. 

There's also the issue of PAM adding a pause on every authentication
failure (PAM_FAIL_DELAY). At the moment this can be disabled on a per
service basis in the PAM config file, but I think that samba should turn
it off in the code, then turn it back on for the last authentication
attempt.

I sent this patch to Andrew and John Terpstra back in July, but it seems
to have been lost in the noise, so I'll repost it here in case it is
useful to anyone.

I can't claim to have tested this exhaustively, but it was doing the right
thing for me.

Charlie Brady - Telstra  |internet: cbrady@ind.tansu.com.au
Network Products         |Snail    : Locked Bag 6581, GPO Sydney 2001 Australia
Platform Technologies    |Physical : Lvl 2, 175 Liverpool St, Sydney 2000
 IN-Sub Unit - Sydney    | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301

---------- Forwarded message ----------
Date: 18 Jul 1998 13:43:59 -0000
From: charlieb@charlieb.nlc.net.au
To: cbrady@ind.tansu.com.au
Subject: samba.patch

--- password.c.orig     Mon May 11 18:37:47 1998
+++ password.c  Sat Jul 18 23:37:11 1998
@@ -449,10 +449,17 @@
     NULL
 };
 
+static  pam_handle_t *pamh;
+
+static BOOL samba_pam_checkpass(char *password)
+{
+  PAM_password = password;
+
+  return (PAM_SUCCESS == pam_authenticate(pamh, 0));
+}
 
 static BOOL pam_auth(char *this_user,char *password)
 {
-  pam_handle_t *pamh;
   int pam_error;
 
   /* Now use PAM to do authentication.  For now, we won't worry about
@@ -462,27 +469,34 @@
    * verbose as would otherwise make sense.
    * Query: should we be using PAM_SILENT to shut PAM up?
    */
-  #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
-     pam_end(pamh, 0); return False; \
-   }
   PAM_password = password;
   PAM_username = this_user;
-  pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh);
-  PAM_BAIL;
+
+  if (PAM_SUCCESS != pam_start("samba", this_user, &PAM_conversation, &pamh))
+  {
+    pam_end(pamh, 0); return False;
+  }
+
 /* Setting PAM_SILENT stops generation of error messages to syslog
  * to enable debugging on Red Hat Linux set:
  * /etc/pam.d/samba:
  *     auth required /lib/security/pam_pwdb.so nullok shadow audit
  * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
  */
-  pam_error = pam_authenticate(pamh, PAM_SILENT);
-  PAM_BAIL;
+
+  if (!string_combinations(password, samba_pam_checkpass, lp_passwordlevel()))
+  {
+    pam_end(pamh, 0); return False;
+  }
+
   /* It is not clear to me that account management is the right thing
    * to do, but it is not clear that it isn't, either.  This can be
    * removed if no account management should be done.  Alternately,
    * put a pam_allow.so entry in /etc/pam.conf for account handling. */
-  pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
-  PAM_BAIL;
+  if (PAM_SUCCESS != pam_acct_mgmt(pamh, PAM_SILENT))
+  {
+    pam_end(pamh, 0); return False;
+  }
   pam_end(pamh, PAM_SUCCESS);
   /* If this point is reached, the user has been authenticated. */
   return(True);
@@ -756,6 +770,7 @@
 offset is the first char to try and change (start with 0)
 it assumes the string starts lowercased
 ****************************************************************************/
+static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N);
 static BOOL string_combinations2(char *s,int offset,BOOL (*fn)(char *),int N)
 {
   int len = strlen(s);
@@ -790,8 +805,29 @@
 static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N)
 {
   int n;
+  pstring pass2;
+
+  if (fn(s))
+    return(True);
+
+  /* if the password was given to us with mixed case then we don't
+     need to proceed as we know it hasn't been case modified by the
+     client */
+
+  if (strhasupper(s) && strhaslower(s))
+    return(False);
+
+  /* make a copy of it */
+  StrnCpy(pass2,s,sizeof(pstring)-1);
+  
+  /* try all lowercase */
+  strlower(pass2);
+  if (fn(pass2))
+    return(True);
+
   for (n=1;n<=N;n++)
-    if (string_combinations2(s,0,fn,n)) return(True);
+    if (string_combinations2(pass2,0,fn,n))
+      return(True);
   return(False);
 }
 
@@ -804,15 +840,6 @@
 {
 
 #ifdef USE_PAM
-/* This falls through if the password check fails
-       - if NO_CRYPT is defined this causes an error msg
-               saying Warning - no crypt available
-       - if NO_CRYPT is NOT defined this is a potential security hole
-               as it may authenticate via the crypt call when PAM
-               settings say it should fail.
-  if (pam_auth(this_user,password)) return(True);
-Hence we make a direct return to avoid a second chance!!!
-*/
   return (pam_auth(this_user,password));
 #endif
 
@@ -1112,49 +1139,11 @@
 #endif    
   }
 
-  /* try it as it came to us */
-  if (password_check(password))
-    {
-      update_protected_database(user,True);
-      if (pass && update_encrypted)
-        update_smbpassword_file(pass,password);
-      return(True);
-    }
-
-  /* if the password was given to us with mixed case then we don't
-     need to proceed as we know it hasn't been case modified by the
-     client */
-  if (strhasupper(password) && strhaslower(password))
-    return(False);
-
-  /* make a copy of it */
-  StrnCpy(pass2,password,sizeof(pstring)-1);
-  
-  /* try all lowercase */
-  strlower(password);
+#ifdef USE_PAM
   if (password_check(password))
-    {
-      update_protected_database(user,True);
-      if (pass && update_encrypted)
-        update_smbpassword_file(pass,password);
-      return(True);
-    }
-
-  /* give up? */
-  if (level < 1)
-    {
-      update_protected_database(user,False);
-
-      /* restore it */
-      strcpy(password,pass2);
-
-      return(False);
-    }
-
-  /* last chance - all combinations of up to level chars upper! */
-  strlower(password);
-
+#else
   if (string_combinations(password,password_check,level))
+#endif
     {
       update_protected_database(user,True);
       if (pass && update_encrypted)
@@ -1163,10 +1152,6 @@
     }
 
   update_protected_database(user,False);
-  
-  /* restore it */
-  strcpy(password,pass2);
-  
   return(False);
 }
 
Comment 5 Henri Schlereth 2000-10-19 23:23:09 EDT
This patch doesnt work with 2.0.7 as the password.c is now pass_check.c
Comment 6 Bill Nottingham 2001-01-18 19:08:15 EST
*** Bug 21685 has been marked as a duplicate of this bug. ***
Comment 7 Bill Nottingham 2001-01-18 19:19:12 EST
Hm, will be applied in 2.0.7-24. We can quickly back it out if it
does anything odd.

Note You need to log in before you can comment on or make changes to this bug.