Bug 79081 - pam_smbpass(password component) unable to obtain authtok if invoked after pam_unix
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: pam
7.2
i686 Linux
medium Severity medium
Assigned To: Tomas Mraz
Jay Turner
Reported: 2002-12-05 09:02 EST by Wenzhuo Zhang
Modified: 2015-01-07 19:02 EST

Last Closed: 2004-11-17 10:30:08 EST

Description Wenzhuo Zhang 2002-12-05 09:02:39 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Description of problem:
I was trying to use pam_smbpass.so to keep /etc/samba/smbpasswd in sync with
system passwords. The module was compiled from samba-2.2.1a-4 src rpm.

I found that pam_smbpass password module cannot obtain correct authentication
tokens if it comes after pam_unix:

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

The following error messages are logged on attempts to change passwords:

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable


I had to put pam_smbpass.so before pam_unix in order to make it work.

Version-Release number of selected component (if applicable):
pam-0.75-19

How reproducible:
Always

Steps to Reproduce:
1. Use the following system-auth configuration file
2. Authenticate user fred once (ssh, pop, or imap, etc.) to create a smbpasswd
entry for him.
3. Run 'passwd fred' as root.

Actual Results:  Changed Fred's system password, but failed to change his samba
password.

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable



Expected Results:  Change Fred's samba password successfully.

Additional info:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
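
Because pam_smbpass is `optional` in the stack above, `passwd` succeeds while the smbpasswd entry keeps the old password, and the syslog lines are the only trace. The following added example (not part of the original report) correlates those lines by host and PID to list the affected accounts; the sample log is constructed from the lines quoted above and the function name is hypothetical.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in this report
# (the wrapped message is joined; the 'alice' line is an invented benign session).
SAMPLE_LOG = """\
Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable
Dec  5 21:20:01 daisy PAM_smbpass[5702]: username [alice] obtained
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"PAM_smbpass\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER = re.compile(r"^username \[(?P<user>[^\]]+)\] obtained$")
FAILURES = ("bad authentication token", "new password not acceptable")


def failed_smb_password_changes(log_text):
    """Return [(timestamp, host, user)], one entry per session in which
    pam_smbpass rejected the new token."""
    user_by_session = {}  # (host, pid) -> last username logged by that process
    flagged = {}          # (host, pid) -> first failure seen for that process
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a PAM_smbpass line
        key = (m["host"], m["pid"])
        u = USER.match(m["msg"])
        if u:
            user_by_session[key] = u["user"]
        elif any(f in m["msg"] for f in FAILURES) and key not in flagged:
            user = user_by_session.get(key, "<unknown>")
            flagged[key] = (m["ts"], m["host"], user)
    return list(flagged.values())


if __name__ == "__main__":
    for ts, host, user in failed_smb_password_changes(SAMPLE_LOG):
        print(f"{ts} {host}: Samba password NOT updated for {user}")
```

PIDs are reused over time, so on long logs restrict the input to a bounded time window before correlating.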

Comment 1 Wenzhuo Zhang 2002-12-05 09:07:01 EST
Working version of system-auth:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password    sufficient     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Comment 2 Wenzhuo Zhang 2002-12-06 10:35:54 EST
If I replace pam_unix.so with pam_pwdb.so, then even the previously broken
system-auth configuration works nicely.

[root@daisy pam.d]# grep password system-auth
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so


So I guess pam_unix.so might have a problem.

Comment 3 Tomas Mraz 2004-10-20 09:36:36 EDT
Could you please retry with latest Fedora Core?

Comment 4 Tomas Mraz 2004-11-17 10:30:08 EST
No response from reporter.

Comment 5 Kenneth Porter 2005-10-11 19:46:04 EDT
Update, for posterity:

http://lists.samba.org/archive/samba-technical/2001-July/015339.html

According to this post, this is a bug in pam_unix that's fixed in Linux PAM 0.76
and later.
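
A lint for the stack ordering discussed in this bug, as an added example (not part of the original report, and not code from PAM or Samba). It parses the `password` stack of a system-auth file and reports when pam_smbpass with `use_authtok` follows pam_unix, and when pam_smbpass is `optional` so its failure cannot fail `passwd`. It assumes one-word control flags as in the configurations above; the function names are hypothetical.

```python
# Password stacks copied from this report, with the wrapped lines joined.
BROKEN = """\
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite    /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so
"""
WORKING = """\
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password    sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    required     /lib/security/pam_deny.so
"""


def password_stack(pam_text):
    """Return [(control, module_basename, args)] for 'password' lines, in order."""
    entries = []
    logical = pam_text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in logical.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "password":
            module = fields[2].rsplit("/", 1)[-1]
            entries.append((fields[1], module, fields[3:]))
    return entries


def smbpass_findings(pam_text):
    """Return a list of findings about pam_smbpass in the password stack."""
    stack = password_stack(pam_text)
    names = [module for _, module, _ in stack]
    if "pam_smbpass.so" not in names:
        return []
    i_smb = names.index("pam_smbpass.so")
    control, _, args = stack[i_smb]
    findings = []
    after_unix = "pam_unix.so" in names and names.index("pam_unix.so") < i_smb
    if after_unix and "use_authtok" in args:
        findings.append("order: pam_smbpass with use_authtok follows pam_unix "
                        "(reported failing on pam-0.75-19)")
    if control == "optional":
        findings.append("silent: pam_smbpass is optional, so a failed Samba "
                        "update does not fail the password change")
    return findings
```

The "silent" finding remains for the working configuration: the reordering avoids the authtok failure, but any other pam_smbpass error would still leave the two password stores out of sync without failing `passwd`.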
