Bug 79081 - pam_smbpass (password component) unable to obtain authtok if invoked after pam_unix
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.2
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-12-05 14:02 UTC by Wenzhuo Zhang
Modified: 2015-01-08 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-11-17 15:30:08 UTC



Description Wenzhuo Zhang 2002-12-05 14:02:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Description of problem:
I was trying to use pam_smbpass.so to keep /etc/samba/smbpasswd in sync with
system passwords. The module was compiled from samba-2.2.1a-4 src rpm.

I found that pam_smbpass password module cannot obtain correct authentication
tokens if it comes after pam_unix:

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

The following error messages are logged on attempts to change passwords:

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable


I had to put pam_smbpass.so before pam_unix in order to make it work.

Version-Release number of selected component (if applicable):
pam-0.75-19

How reproducible:
Always

Steps to Reproduce:
1. Use the following system-auth configuration file
2. Authenticate user fred once (ssh, pop, or imap, etc.) to create a smbpasswd
entry for him.
3. Run 'passwd fred' as root.

Actual Results:  Changed Fred's system password, but failed to change his samba
password.

Dec  5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec  5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec  5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable



Expected Results:  Change Fred's samba password successfully.

Additional info:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Comment 1 Wenzhuo Zhang 2002-12-05 14:07:01 UTC
Working version of system-auth:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        requisite     /lib/security/pam_unix.so likeauth nullok
auth        optional      /lib/security/pam_smbpass.so migrate
#auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required     /lib/security/pam_cracklib.so retry=3 type=
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password    sufficient     /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


Comment 2 Wenzhuo Zhang 2002-12-06 15:35:54 UTC
If I replace pam_unix.so with pam_pwdb.so, then even the previously broken
system-auth configuration works nicely.

[root@daisy pam.d]# grep password system-auth
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    requisite    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow try_first_pass
password    optional     /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password    required      /lib/security/pam_deny.so


So I guess pam_unix.so might have a problem.

Comment 3 Tomas Mraz 2004-10-20 13:36:36 UTC
Could you please retry with latest Fedora Core?


Comment 4 Tomas Mraz 2004-11-17 15:30:08 UTC
No response from reporter.


Comment 5 Kenneth Porter 2005-10-11 23:46:04 UTC
Update, for posterity:

http://lists.samba.org/archive/samba-technical/2001-July/015339.html

According to this post, this is a bug in pam_unix that's fixed in Linux PAM 0.76
and later.
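
A check for the module ordering discussed in this report, added here as an example (it is not code from the reporter, Red Hat, or the PAM or Samba projects): it parses the password stack of a PAM service file and reports any pam_smbpass entry that comes after pam_unix, the arrangement that failed on pam-0.75-19. The function names and both embedded sample stacks are constructed for illustration from the configurations quoted above.

```python
import os
# Constructed samples based on the password stacks quoted in this report.
BROKEN = """\
password  required   /lib/security/pam_cracklib.so retry=3 type=
password  requisite  /lib/security/pam_unix.so nullok use_authtok md5 \\
                     shadow try_first_pass
password  optional   /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required   /lib/security/pam_deny.so
"""
WORKING = """\
password  required   /lib/security/pam_cracklib.so retry=3 type=
password  optional   /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password  sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password  required   /lib/security/pam_deny.so
"""

def parse_stack(text, mgmt="password"):
    """Return [(control, module, args)] for one PAM management group."""
    text = text.replace("\\\n", " ")            # backslash-newline joins lines
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) < 3 or fields[0].lstrip("-") != mgmt:
            continue
        i = 1
        if fields[1].startswith("["):           # [value=action ...] control
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue                            # no module path on the line
        module = os.path.basename(fields[i + 1])
        if module.endswith(".so"):
            module = module[:-3]
        stack.append((" ".join(fields[1:i + 1]), module, fields[i + 2:]))
    return stack

def smbpass_after_unix(text):
    """Return (position, control, has_use_authtok) for pam_smbpass after pam_unix."""
    hits, seen_unix = [], False
    for pos, (control, module, args) in enumerate(parse_stack(text)):
        if module == "pam_unix":
            seen_unix = True
        elif module == "pam_smbpass" and seen_unix:
            hits.append((pos, control, "use_authtok" in args))
    return hits

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name, smbpass_after_unix(cfg))
```

A finding only matters on systems whose pam_unix predates the fix that Comment 5 attributes to Linux PAM 0.76.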

