mikenerone n00b
Joined: 11 Feb 2004 Posts: 22 Location: San Antonio, TX
Posted: Thu Sep 09, 2004 8:59 am Post subject: Samba's "pam_smbpass migrate" logic reversed???
Perhaps someone can tell me if I'm doing something wrong, or if this is a bug in Samba's pam_smbpass. What I want to do is have smb passwords set automatically when a user successfully logs into a shell with a password (or any other service using system-auth). As mentioned in the Samba Reference Guide, that's exactly what the "migrate" option in pam_smbpass is supposed to do when used in the auth context. So I added what I think is the appropriate line to /etc/pam.d/system-auth (though I am certainly no PAM jockey). Here's what it looks like now:
Code:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth optional /lib/security/pam_smbpass.so debug nodelay migrate
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
(Yes, I will add a "password" line as well, but I'm showing only the one change in order to demonstrate the problem.) Surprisingly, the effect of this is that when the user enters the wrong password, that password is updated into the smbpasswd database. When the user enters the right password, no insert/update at all occurs. This is exactly the opposite of the expected/hoped-for/required/described behavior. Am I missing something? Note: I'm using net-fs/samba-3.0.6-r4.
satya Retired Dev
Joined: 14 Sep 2004 Posts: 8
Posted: Tue Sep 14, 2004 8:20 am Post subject:
I'm not a PAM guru, but I'm wondering what would change if you replace
Code:
auth sufficient /lib/security/pam_unix.so likeauth nullok
with
Code:
auth required /lib/security/pam_unix.so
The reason is that PAM is stackable, in the sense that pam_smbpass.so takes the output of the previous module as its own input (well, quite true: PAM mongers, pardon me). If this module turns out 'null', but 'null' is ok, Samba migrates this null as instructed.
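An added example (not part of either post): a small simulation of the standard PAM control-flag rules over the auth lines from the first post, showing in which cases pam_smbpass.so is reached at all. It goes beyond the thread by also covering `requisite`; the per-module results and the variant stack without pam_deny.so are assumptions made for the illustration.

```python
# Added illustration, not from the thread: which modules a PAM "auth" stack
# invokes under the standard control flags. Module results are assumptions:
# pam_deny always fails, pam_unix follows unix_ok, all others succeed.

PAGE_STACK = """\
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth optional   /lib/security/pam_smbpass.so debug nodelay migrate
auth required   /lib/security/pam_deny.so
"""

def with_unix_control(control):
    """Constructed variant: pam_unix under `control`, and no trailing pam_deny
    (it always fails, so it only fits a stack that returns before reaching it)."""
    return ("auth required /lib/security/pam_env.so\n"
            f"auth {control} /lib/security/pam_unix.so\n"
            "auth optional /lib/security/pam_smbpass.so debug nodelay migrate\n")

def run_auth(stack_text, unix_ok):
    """Return (modules invoked in order, overall auth success)."""
    invoked, failed, passed = [], False, False
    for line in stack_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2].rsplit("/", 1)[-1]
        invoked.append(module)
        ok = {"pam_deny.so": False, "pam_unix.so": unix_ok}.get(module, True)
        if control == "sufficient":
            if ok and not failed:
                return invoked, True       # success returns immediately
        elif control in ("required", "requisite"):
            passed = passed or ok
            failed = failed or not ok      # failure is remembered
            if control == "requisite" and not ok:
                return invoked, False      # requisite failure returns immediately
        else:                              # optional: never decides this stack
            passed = passed or ok
    return invoked, passed and not failed

def reaches_smbpass(stack_text, unix_ok):
    return "pam_smbpass.so" in run_auth(stack_text, unix_ok)[0]

if __name__ == "__main__":
    stacks = {"sufficient (post)": PAGE_STACK,
              "required": with_unix_control("required"),
              "requisite": with_unix_control("requisite")}
    for name, stack in stacks.items():
        for unix_ok in (True, False):
            print(f"{name:18} pam_unix ok={unix_ok!s:5} "
                  f"pam_smbpass invoked={reaches_smbpass(stack, unix_ok)}")
```

With `sufficient`, pam_smbpass.so is reached only after pam_unix.so has failed; with `required` it is reached in both cases, and with `requisite` only after pam_unix.so has succeeded.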