Bug 400581 - Incorrect /etc/pam.d/samba (causes authentication failure when obey pam restrictions = yes)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Simo Sorce
Duplicates: 415611
Reported: 2007-11-27 02:04 EST by Kari Hurtta
Modified: 2015-08-11 03:26 EDT
Fixed In Version: RHBA-2008-0711
Doc Type: Bug Fix
Last Closed: 2008-07-24 15:54:08 EDT


Attachments
Working /etc/pam.d/samba (189 bytes, text/plain)
2008-01-11 09:24 EST, Christian Rose
/etc/pam.d/samba patch to make it work (331 bytes, patch)
2008-01-11 09:25 EST, Christian Rose

Description Kari Hurtta 2007-11-27 02:04:54 EST
Description of problem:

Incorrect /etc/pam.d/samba caused authentication failure


Version-Release number of selected component (if applicable):

[hurtta@amanda pam.d]$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
[hurtta@amanda pam.d]$ rpm -qa samba
samba-3.0.25b-1.el4_6.2
[hurtta@amanda pam.d]$

------------------------------------------------------------------------

Samba was updated from 

[root@amanda ~]# rpm -qa '*samba*'
samba-3.0.10-1.4E.12.2
samba-common-3.0.10-1.4E.12.2

to (via up2date)

Name                                    Version        Rel
----------------------------------------------------------
samba                                   3.0.25b        1.el4_6.2         x86_64
samba-common                            3.0.25b        1.el4_6.2         x86_64


-------------------------

On the new version there was an error:

[2007/11/19 15:15:23, 0, pid=3007, effective(0, 0), real(0, 0)]
auth/pampass.c:smb_pam_account(572)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (28) during Account Management for
User: hurtta

This error occurred when the config had
           obey pam restrictions = yes

syslog reported:

Nov 22 16:19:10 amanda smbd[12945]: PAM unable to dlopen(/lib/security/pam_stack.so)
Nov 22 16:19:10 amanda smbd[12945]: PAM [dlerror: /lib/security/pam_stack.so:
cannot open shared object file: No such file or directory]
Nov 22 16:19:10 amanda smbd[12945]: PAM adding faulty module:
/lib/security/pam_stack.so

On that machine the modules are not in /lib/security !!

[hurtta@amanda pam.d]$ ls -la /lib/security/
total 16
drwxr-xr-x   2 root root 4096 Sep  7 12:23 .
drwxr-xr-x  10 root root 4096 Nov 23 04:02 ..
[hurtta@amanda pam.d]$ ls -la /lib64/security/
total 2800
drwxr-xr-x  3 root root    4096 Nov 23 04:02 .
drwxr-xr-x  7 root root    4096 Nov 25 04:02 ..
-rwxr-xr-x  1 root root   19104 Sep  7 12:23 pam_access.so
-rwxr-xr-x  1 root root   19992 Aug 22  2006 pam_ccreds.so


The samba package includes the following PAM config:

[hurtta@amanda pam.d]$ cat samba
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                                      

However, just removing /lib/security/ from that file resulted in a new
error:

Nov 22 16:49:26 amanda smbd[24020]: [2007/11/22 16:49:26, 0, pid=24020,
effective(0, 0), real(0, 0)] auth/pampass.c:smb_pam_error_handler(73)
Nov 22 16:49:26 amanda smbd[24020]:   smb_pam_error_handler: PAM: session
setup failed : System error

There was a missing 'session' in the samba file. The working /etc/pam.d/samba is:


[hurtta@amanda pam.d]$ cat /etc/pam.d/samba
auth    required        pam_stack.so service=system-auth
account required        pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
[hurtta@amanda pam.d]$                       

/ Kari Hurtta
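
An added example, not part of the original report and not code from Samba or Red Hat: a small Python lint for a pam.d service file that flags the two defects described above, an absolute module path that does not exist on the host and a management group with no rules. The function names, the `needed` default and the sample strings are assumptions constructed for illustration.

```python
import os

# Constructed inputs: the shipped and the working file quoted in the report.
SHIPPED = (
    "auth    required        /lib/security/pam_stack.so service=system-auth\n"
    "account required        /lib/security/pam_stack.so service=system-auth\n"
)
WORKING = (
    "auth    required        pam_stack.so service=system-auth\n"
    "account required        pam_stack.so service=system-auth\n"
    "session    required     pam_stack.so service=system-auth\n"
)

def parse_pam(text):
    """Return (type, control, module) for every rule line of a pam.d file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # blank line, comment, or an @include directive
        mtype = fields[0].lstrip("-").lower()
        rest = fields[1:]
        if rest[0].startswith("["):
            # Bracketed controls such as [success=1 default=ignore] contain spaces.
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), 0)
            control, rest = " ".join(rest[: end + 1]), rest[end + 1 :]
        else:
            control, rest = rest[0], rest[1:]
        if rest:
            rules.append((mtype, control, rest[0]))
    return rules

# Assumption: `needed` defaults to the groups present in the working file above.
def lint_pam(text, needed=("auth", "account", "session"), exists=os.path.exists):
    """List (kind, detail) findings for the two defects described in this bug."""
    rules = parse_pam(text)
    findings = [
        ("missing-module", module)
        for _, _, module in rules
        if os.path.isabs(module) and not exists(module)
    ]
    present = {mtype for mtype, _, _ in rules}
    findings += [("missing-type", t) for t in needed if t not in present]
    return findings

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("working", WORKING)):
        print(name, lint_pam(text))
```

The `exists` parameter lets the check be run against a simulated module directory layout, which is how the x86_64 case from the report can be reproduced on any host.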
Comment 1 Simo Sorce 2007-11-27 09:05:34 EST
Thanks for the report,
I will make sure this is fixed in the next release.
Comment 2 Simo Sorce 2007-12-07 10:03:44 EST
*** Bug 415611 has been marked as a duplicate of this bug. ***
Comment 3 RHEL Product and Program Management 2007-12-07 10:04:42 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Need Real Name 2007-12-20 16:44:13 EST
I can confirm this error and it is killing us.  Over several iterations of RHEL
4 updates, I have never had this problem.  The latest update has caused this.  I
have checked the selinux contexts and made sure everything is correct.  

What's puzzling is that the dlopen file is there with right contexts etc.  I too
tried removing the absolute path, and even sticking in the /lib64 prefix instead
of /lib. Same problem.
 

My machine is a Dell PowerEdge 1950 x86_64

2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:56:44 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
Comment 5 Need Real Name 2007-12-20 16:57:36 EST
Well, I was fuming (after several hours of futile tries) and so I just now
noticed Kari's suggestion.  That works for me too.

Thanks. 
Comment 6 Christian Rose 2008-01-11 09:24:24 EST
Created attachment 291391 [details]
Working /etc/pam.d/samba
Comment 7 Christian Rose 2008-01-11 09:25:00 EST
Created attachment 291392 [details]
/etc/pam.d/samba patch to make it work
Comment 8 Christian Rose 2008-01-11 09:28:47 EST
For me on an i386 system, adding the missing "session" line to /etc/pam.d/samba
made authentication work again. The absolute paths didn't matter, so I kept them.
Comment 13 errata-xmlrpc 2008-07-24 15:54:08 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0711.html
