Bug 400581 - Incorrect /etc/pam.d/samba (causes authentication failure when obey pam restrictions = yes)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Simo Sorce
QA Contact:
URL:
Whiteboard:
Duplicates: 415611
Depends On:
Blocks:
Reported: 2007-11-27 07:04 UTC by Kari Hurtta
Modified: 2018-10-19 21:58 UTC (History)

Fixed In Version: RHBA-2008-0711
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-24 19:54:08 UTC
Target Upstream Version:
Embargoed:


Attachments
Working /etc/pam.d/samba (189 bytes, text/plain)
2008-01-11 14:24 UTC, Christian Rose
/etc/pam.d/samba patch to make it work (331 bytes, patch)
2008-01-11 14:25 UTC, Christian Rose


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0711 0 normal SHIPPED_LIVE samba bug fix and enhancement update 2008-07-23 16:22:02 UTC

Description Kari Hurtta 2007-11-27 07:04:54 UTC
Description of problem:

Incorrect /etc/pam.d/samba caused authentication failure


Version-Release number of selected component (if applicable):

[hurtta@amanda pam.d]$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
[hurtta@amanda pam.d]$ rpm -qa samba
samba-3.0.25b-1.el4_6.2
[hurtta@amanda pam.d]$

------------------------------------------------------------------------

Samba was updated from 

[root@amanda ~]# rpm -qa '*samba*'
samba-3.0.10-1.4E.12.2
samba-common-3.0.10-1.4E.12.2

to (via up2date)

Name                                    Version        Rel
----------------------------------------------------------
samba                                   3.0.25b        1.el4_6.2         x86_64
samba-common                            3.0.25b        1.el4_6.2         x86_64


-------------------------

On the new version there was an error

[2007/11/19 15:15:23, 0, pid=3007, effective(0, 0), real(0, 0)]
auth/pampass.c:smb_pam_account(572)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (28) during Account Management for
User: hurtta

This error occurred when the config had
           obey pam restrictions = yes

syslog reported:

Nov 22 16:19:10 amanda smbd[12945]: PAM unable to dlopen(/lib/security/pam_stack.so)
Nov 22 16:19:10 amanda smbd[12945]: PAM [dlerror: /lib/security/pam_stack.so:
cannot open shared object file: No such file or directory]
Nov 22 16:19:10 amanda smbd[12945]: PAM adding faulty module:
/lib/security/pam_stack.so

On that machine modules are not on /lib/security !!

[hurtta@amanda pam.d]$ ls -la /lib/security/
total 16
drwxr-xr-x   2 root root 4096 Sep  7 12:23 .
drwxr-xr-x  10 root root 4096 Nov 23 04:02 ..
[hurtta@amanda pam.d]$ ls -la /lib64/security/
total 2800
drwxr-xr-x  3 root root    4096 Nov 23 04:02 .
drwxr-xr-x  7 root root    4096 Nov 25 04:02 ..
-rwxr-xr-x  1 root root   19104 Sep  7 12:23 pam_access.so
-rwxr-xr-x  1 root root   19992 Aug 22  2006 pam_ccreds.so


The samba package includes the following pam config

[hurtta@amanda pam.d]$ cat samba
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                                      

However, just removing /lib/security/ from that file resulted in a new
error

Nov 22 16:49:26 amanda smbd[24020]: [2007/11/22 16:49:26, 0, pid=24020,
effective(0, 0), real(0, 0)] auth/pampass.c:smb_pam_error_handler(73)
Nov 22 16:49:26 amanda smbd[24020]:   smb_pam_error_handler: PAM: session
setup failed : System error

There was a missing 'session' in the samba file. The working /etc/pam.d/samba
is


[hurtta@amanda pam.d]$ cat /etc/pam.d/samba
auth    required        pam_stack.so service=system-auth
account required        pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                       

/ Kari Hurtta
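
Added example (not part of the original report or of the samba package): a shell check for the two defects described above, a module given by an absolute path that does not exist on the host, and a management group (auth, account, session) with no entry. The function name, the finding labels and the default module directories are assumptions of this example; it assumes the plain "type control module args" line format with a one-word control, as in the files shown above.

```shell
#!/bin/sh
# Added example: lint a PAM service file for the two problems in this report.
# Usage: check_pam_service FILE [MODULE_DIR...]
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
check_pam_service() {
    file=$1; shift
    # Assumed default search path for modules named without a directory.
    [ $# -gt 0 ] || set -- /lib/security /lib64/security
    findings=0
    seen=""
    while read -r type control module rest; do
        case $type in ''|'#'*) continue ;; esac   # skip blanks and comments
        type=${type#-}
        seen="$seen $type "
        case $module in
            /*) # Absolute path: must exist exactly where the file says.
                [ -e "$module" ] || {
                    echo "missing-module: $type $module"
                    findings=1
                } ;;
            *)  # Bare name: must exist in one of the module directories.
                found=0
                for dir in "$@"; do
                    [ -e "$dir/$module" ] && found=1
                done
                [ "$found" -eq 1 ] || {
                    echo "unresolved-module: $type $module"
                    findings=1
                } ;;
        esac
    done < "$file"
    # smbd with "obey pam restrictions = yes" failed at account management
    # and at session setup in this report, so require all three groups.
    for need in auth account session; do
        case $seen in
            *" $need "*) ;;
            *) echo "missing-group: $need"; findings=1 ;;
        esac
    done
    return $findings
}

# Stand-alone use: sh check_pam.sh /etc/pam.d/samba
if [ $# -gt 0 ]; then check_pam_service "$@"; fi
```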

Comment 1 Simo Sorce 2007-11-27 14:05:34 UTC
Thanks for the report,
I will make sure this is fixed in the next release.

Comment 2 Simo Sorce 2007-12-07 15:03:44 UTC
*** Bug 415611 has been marked as a duplicate of this bug. ***

Comment 3 RHEL Program Management 2007-12-07 15:04:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Need Real Name 2007-12-20 21:44:13 UTC
I can confirm this error and it is killing us.  Over several iterations of RHEL
4 updates, I have never had this problem.  The latest update has caused this.  I
have checked the selinux contexts and made sure everything is correct.  

What's puzzling is that the dlopen file is there with right contexts etc.  I too
tried removing the absolute path, and even sticking in the /lib64 prefix instead
of /lib. Same problem.
 

My machine is a Dell poweredge 1950 x86_64

2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:56:44 EST 2007 x86_64 x86_64 x86_64 GNU/Linux


Comment 5 Need Real Name 2007-12-20 21:57:36 UTC
Well, I was fuming (after several hours of futile tries) and so I just now
noticed Kari's suggestion.  That works for me too.

Thanks. 


Comment 6 Christian Rose 2008-01-11 14:24:24 UTC
Created attachment 291391 [details]
Working /etc/pam.d/samba

Comment 7 Christian Rose 2008-01-11 14:25:00 UTC
Created attachment 291392 [details]
/etc/pam.d/samba patch to make it work

Comment 8 Christian Rose 2008-01-11 14:28:47 UTC
For me on an i386 system, adding the missing "session" line to /etc/pam.d/samba
made authentication work again. The absolute paths didn't matter, so I kept them.

Comment 13 errata-xmlrpc 2008-07-24 19:54:08 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0711.html

