Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 31351 - [PATCH] Account and Session PAM support for samba
[PATCH] Account and Session PAM support for samba
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: samba (Show other bugs)
1.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Trond Eivind Glomsrxd
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-03-10 02:28 EST by Andrew Bartlett
Modified: 2007-04-18 12:32 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-09-08 04:51:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrew Bartlett 2001-03-10 02:28:56 EST
My patch (located at
http://samba.org/cgi-bin/samba-patches/incoming?id=233;user=guest) adds PAM
session support for all logins, and account support for both encrypted and
plain-text logins.

It may well be too late for this RedHat relase, and I was hoping to get it
tested more - but here it is anyway.

Note that this patch is over raw 2.0.7, and that it conflicts with the
current PAM modifications.
Comment 1 Andrew Bartlett 2001-05-05 04:43:07 EDT
Samba 2.2.0 shipped with PAM password account support.  Samba 2.2.1 will ship
with PAM password, account, session and password support.  They can be enabled
with 'obey pam restrictions = yes' and 'pam password change = yes'.

Note that the 2.2.0 release broke domain logons with some PAM configurations,
but this is fixed in 2.2.1.
Comment 2 Trond Eivind Glomsrxd 2001-06-19 10:19:35 EDT
Where are those pam parameters documented?
Comment 3 Trond Eivind Glomsrxd 2001-08-08 23:50:59 EDT
Ping?
Comment 4 Andrew Bartlett 2001-08-09 05:07:11 EDT
Sorry about the lack of reply, both are documented in the smb.conf man-page in
Samba 2.2.1.

I'm also looking at other various PAM things as part of my AuthRewrite,
currently in progress of being written for/merged into the HEAD branch.
Comment 5 Trond Eivind Glomsrxd 2001-08-09 14:46:33 EDT
2.2.1a-3 (and a couple of earlier releases in the 2.2 series) are built with
"--with-pam".
Comment 6 Andrew Bartlett 2001-08-10 07:34:17 EDT
I'm not quite sure what you mean here.  All Samba RPMs have (AFAIK) been built
--with-pam since at least RH 5.2.  

When built --with-pam more recent samba versions will also check that
acocunts/passwords have not expired and that they pass the 'session' module. 
This aditionall functionality is automaticly available, but is controlled by the
'obey pam restrictions' paramater for backwards compatability.

I strongly recommend that RedHat enable 'obey pam restrictions' in its defualt
configuration to ensure consistancy of policy between applications.

At some future date --with-pam will no longer be required, and we will pick up
the functionality from the autoconf data.
Comment 7 Trond Eivind Glomsrxd 2001-08-12 22:03:36 EDT
I'll add it to the file - it may be commented out, to avoid introducing change
right now.
Comment 8 Trond Eivind Glomsrxd 2001-08-13 16:03:47 EDT
samba-2.2.1a-4 contains a section explaining the directive, but the directive is
commented out as samba now defaults to encrypted passwords.
Comment 9 Andrew Bartlett 2001-08-13 17:01:17 EDT
Just to make it clear, the new PAM code was specificly written to be used when
encrypted passwords = yes, in the same way that OpenSSH uses PAM despite
public-key authentication. (OpenSSH was the inspiration behind the work).

Also, look into the 'pam password chat' paramater, which does the same thing as
the old code, but without all the issues of actually 'chatting' over a tty.  I
my opinion is much more likaly to work 'out of the box' without doing stupid
things like changing root's password or the like.
Comment 10 Trond Eivind Glomsrxd 2001-08-13 17:10:51 EDT
The docs say "Note that Samba always ignores PAM for  authentica-tion  in  the
case of encrypt passwords = yes". Anyway, it's there now and with the section
from the smb.conf man page above it.
Comment 11 Andrew Bartlett 2001-08-13 17:36:56 EDT
BTW, you will need to make sure your PAM control files catch up with the change
to get the extra session and password entries.  (Having the extra entires will
have NO adverse effect without the code enabled within samba, so its a safe
move);
Comment 12 Andrew Bartlett 2001-09-08 04:51:52 EDT
Bug reopend:  The PAM control files still need updating, see the sample
samba.pamd.stack in our tree (packaging/RedHat) for what I mean.

Remember, that while PAM is well-known for checking passwords it can also
verifiy account status and manange session limits.  The comment in the man-page
refers to *authenticaion* not to account and session management.

Andrew Bartlett

Comment 13 Trond Eivind Glomsrxd 2001-11-29 18:53:17 EST
samba-2.2.2-8 has the rest of these changes enabled.

Note You need to log in before you can comment on or make changes to this bug.