Bug 79081 - pam_smbpass (password component) unable to obtain authtok if invoked after pam_unix
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.2
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Reported: 2002-12-05 14:02 UTC by Wenzhuo Zhang
Modified: 2015-01-08 00:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-11-17 15:30:08 UTC

Description Wenzhuo Zhang 2002-12-05 14:02:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Description of problem:
I was trying to use pam_smbpass.so to keep /etc/samba/smbpasswd in sync with
system passwords. The module was compiled from samba-2.2.1a-4 src rpm.

I found that pam_smbpass password module cannot obtain correct authentication
tokens if it comes after pam_unix:

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

The following error messages are logged on attempts to change passwords:

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable


I had to put pam_smbpass.so before pam_unix in order to make it work.

Version-Release number of selected component (if applicable):
pam-0.75-19

How reproducible:
Always

Steps to Reproduce:
1. Use the following system-auth configuration file
2. Authenticate user fred once (ssh, pop, or imap, etc.) to create a smbpasswd
entry for him.
3. Run 'passwd fred' as root.

Actual Results:  Changed Fred's system password, but failed to change his samba
password.

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable



Expected Results:  Change Fred's samba password successfully.

Additional info:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Comment 1 Wenzhuo Zhang 2002-12-05 14:07:01 UTC
Working version of system-auth:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password    sufficient     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


Comment 2 Wenzhuo Zhang 2002-12-06 15:35:54 UTC
If I replace pam_unix.so with pam_pwdb.so, then even the previously broken
system-auth configuration works nicely.

[root@daisy pam.d]# grep password system-auth
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so


So I guess pam_unix.so might have a problem.

Comment 3 Tomas Mraz 2004-10-20 13:36:36 UTC
Could you please retry with latest Fedora Core?


Comment 4 Tomas Mraz 2004-11-17 15:30:08 UTC
No response from reporter.


Comment 5 Kenneth Porter 2005-10-11 23:46:04 UTC
Update, for posterity:

http://lists.samba.org/archive/samba-technical/2001-July/015339.html

According to this post, this is a bug in pam_unix that's fixed in Linux PAM 0.76
and later.
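
A check for the ordering this report describes, as an added example that is not part of the original bug report or of the PAM or Samba code: it parses the password stack of a pam.d-style file and flags a pam_smbpass rule with use_authtok that follows pam_unix, the arrangement reported as failing with pam-0.75-19. The function names and the sample strings are constructed for illustration.

```python
import re

# Constructed samples: the two password stacks from the report, one rule per line.
FAILING = """\
password  required   /lib/security/pam_cracklib.so retry=3 type=
password  requisite  /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password  optional   /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required   /lib/security/pam_deny.so
"""
WORKING = """\
password  required   /lib/security/pam_cracklib.so retry=3 type=
password  optional   /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password  sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password  required   /lib/security/pam_deny.so
"""

# pam.d layout: type, control (word or [value=action ...]), module path, arguments.
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mgmt="password"):
    """Return [(control, module, args)] for one management group, in file order."""
    rules = []
    # Join backslash-continued lines before splitting, as PAM does.
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1).lstrip("-") == mgmt:
            module = m.group(3).rsplit("/", 1)[-1]
            rules.append((m.group(2), module, m.group(4).split()))
    return rules

def check_smbpass_order(text):
    """Return (position, control) for each pam_smbpass rule that uses
    use_authtok and comes after pam_unix in the password stack."""
    findings, seen_unix = [], False
    for pos, (control, module, args) in enumerate(parse_stack(text), 1):
        if module == "pam_unix.so":
            seen_unix = True
        elif module == "pam_smbpass.so" and seen_unix and "use_authtok" in args:
            findings.append((pos, control))
    return findings

if __name__ == "__main__":
    for name, conf in (("failing", FAILING), ("working", WORKING)):
        print(name, check_smbpass_order(conf))
```

A finding whose control flag is optional deserves attention because the stack still succeeds when that module fails, which matches the reported outcome of the system password changing while the smbpasswd entry did not.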

