Bug 400581 - Incorrect /etc/pam.d/samba (causes authentication failure when obey pam restrictions = yes)
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba   
Version: 4.0
Hardware: x86_64 Linux
Assignee: Simo Sorce
Duplicates: 415611
Reported: 2007-11-27 07:04 UTC by Kari Hurtta
Modified: 2018-10-19 21:58 UTC (History)

Fixed In Version: RHBA-2008-0711
Doc Type: Bug Fix
Last Closed: 2008-07-24 19:54:08 UTC

Attachments
Working /etc/pam.d/samba (189 bytes, text/plain), 2008-01-11 14:24 UTC, Christian Rose
/etc/pam.d/samba patch to make it work (331 bytes, patch), 2008-01-11 14:25 UTC, Christian Rose

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0711 normal SHIPPED_LIVE samba bug fix and enhancement update 2008-07-23 16:22:02 UTC

Description Kari Hurtta 2007-11-27 07:04:54 UTC
Description of problem:

Incorrect /etc/pam.d/samba caused authentication failure

Version-Release number of selected component (if applicable):

[hurtta@amanda pam.d]$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
[hurtta@amanda pam.d]$ rpm -qa samba
[hurtta@amanda pam.d]$


Samba was updated from 

[root@amanda ~]# rpm -qa '*samba*'

to (via up2date)

Name                                    Version        Rel
samba                                   3.0.25b        1.el4_6.2         x86_64
samba-common                            3.0.25b        1.el4_6.2         x86_64


On the new version there was an error:

[2007/11/19 15:15:23, 0, pid=3007, effective(0, 0), real(0, 0)]
  smb_pam_account: PAM: UNKNOWN PAM ERROR (28) during Account Management for
User: hurtta

This error occurred when the config had
           obey pam restrictions = yes

syslog reported:

Nov 22 16:19:10 amanda smbd[12945]: PAM unable to dlopen(/lib/security/pam_stack.so)
Nov 22 16:19:10 amanda smbd[12945]: PAM [dlerror: /lib/security/pam_stack.so:
cannot open shared object file: No such file or directory]
Nov 22 16:19:10 amanda smbd[12945]: PAM adding faulty module:

On that machine the modules are not in /lib/security !!

[hurtta@amanda pam.d]$ ls -la /lib/security/
total 16
drwxr-xr-x   2 root root 4096 Sep  7 12:23 .
drwxr-xr-x  10 root root 4096 Nov 23 04:02 ..
[hurtta@amanda pam.d]$ ls -la /lib64/security/
total 2800
drwxr-xr-x  3 root root    4096 Nov 23 04:02 .
drwxr-xr-x  7 root root    4096 Nov 25 04:02 ..
-rwxr-xr-x  1 root root   19104 Sep  7 12:23 pam_access.so
-rwxr-xr-x  1 root root   19992 Aug 22  2006 pam_ccreds.so

The samba package includes the following PAM config:

[hurtta@amanda pam.d]$ cat samba
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                                      

However just removing /lib/security/ from that file resulted new

Nov 22 16:49:26 amanda smbd[24020]: [2007/11/22 16:49:26, 0, pid=24020,
effective(0, 0), real(0, 0)] auth/pampass.c:smb_pam_error_handler(73)
Nov 22 16:49:26 amanda smbd[24020]:   smb_pam_error_handler: PAM: session
setup failed : System error

The 'session' line was missing from the samba file. Working /etc/pam.d/samba:

[hurtta@amanda pam.d]$ cat /etc/pam.d/samba
auth    required        pam_stack.so service=system-auth
account required        pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                       

/ Kari Hurtta
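
A lint check for the two defects described in the report above (an absolute module path that does not exist on the host, and a service file with no 'session' line while Samba's "obey pam restrictions" relies on PAM account and session management). This is an added example, not part of the bug report or the samba package; the name lint_pam_service, the default module directories and the constructed file set (including pam_stack.so living in /lib64/security) are assumptions.

```python
import os

def lint_pam_service(text, module_dirs=("/lib64/security", "/lib/security"),
                     required=("account", "session"), exists=os.path.exists):
    """Return findings for the body of one /etc/pam.d/<service> file."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].startswith("@"):
            continue  # blank, comment or @include line
        mtype = tokens[0].lstrip("-")  # leading "-" marks an optional module
        idx = 1
        if tokens[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            while idx < len(tokens) and not tokens[idx].endswith("]"):
                idx += 1
        if idx + 1 >= len(tokens):
            continue  # no module field on this line
        module = tokens[idx + 1]
        seen.add(mtype)
        if os.path.isabs(module):
            if not exists(module):
                name = os.path.basename(module)
                alt = [d for d in module_dirs if exists(os.path.join(d, name))]
                hint = f"; found in {alt[0]}, use the bare name '{name}'" if alt else ""
                findings.append(f"line {lineno}: {module} does not exist{hint}")
        elif not any(exists(os.path.join(d, module)) for d in module_dirs):
            findings.append(f"line {lineno}: {module} not found in {list(module_dirs)}")
    for mtype in required:
        if mtype not in seen:
            findings.append(f"no '{mtype}' line in this service file")
    return findings

# Constructed stand-in for the reporter's x86_64 host; pam_stack.so's
# location under /lib64/security is an assumption made for this example.
FAKE_FS = {"/lib64/security/pam_access.so", "/lib64/security/pam_ccreds.so",
           "/lib64/security/pam_stack.so"}
SHIPPED = """\
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth
"""
WORKING = """\
auth    required        pam_stack.so service=system-auth
account required        pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
"""

if __name__ == "__main__":
    for finding in lint_pam_service(SHIPPED, exists=FAKE_FS.__contains__):
        print(finding)
```

On a real host, call lint_pam_service(open("/etc/pam.d/samba").read()) and leave exists at its default so the check runs against the actual filesystem.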

Comment 1 Simo Sorce 2007-11-27 14:05:34 UTC
Thanks for the report,
I will make sure this is fixed in the next release.

Comment 2 Simo Sorce 2007-12-07 15:03:44 UTC
*** Bug 415611 has been marked as a duplicate of this bug. ***

Comment 3 RHEL Product and Program Management 2007-12-07 15:04:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 4 Need Real Name 2007-12-20 21:44:13 UTC
I can confirm this error and it is killing us.  Over several iterations of RHEL
4 updates, I have never had this problem.  The latest update has caused this.  I
have checked the selinux contexts and made sure everything is correct.  

What's puzzling is that the dlopen file is there with right contexts etc.  I too
tried removing the absolute path, and even sticking in the /lib64 prefix instead
of /lib. Same problem.

My machine is a Dell PowerEdge 1950 x86_64

2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:56:44 EST 2007 x86_64 x86_64 x86_64 GNU/Linux

Comment 5 Need Real Name 2007-12-20 21:57:36 UTC
Well, I was fuming (after several hours of futile tries) and so I just now
noticed Kari's suggestion.  That works for me too.


Comment 6 Christian Rose 2008-01-11 14:24:24 UTC
Created attachment 291391 [details]
Working /etc/pam.d/samba

Comment 7 Christian Rose 2008-01-11 14:25:00 UTC
Created attachment 291392 [details]
/etc/pam.d/samba patch to make it work

Comment 8 Christian Rose 2008-01-11 14:28:47 UTC
For me on an i386 system, adding the missing "session" line to /etc/pam.d/samba
made authentication work again. The absolute paths didn't matter, so I kept them.

Comment 13 errata-xmlrpc 2008-07-24 19:54:08 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

