Rex Dieter
2006-Jul-12 15:18 UTC
[Samba] samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
Previously had samba-3.0.22 on RedHat Enterprise 4 functioning happily, using pam_winbind to authenticate against our campus active directory (currently only doing password authentication, account info is still retrieved via NIS). /etc/pam.d/system-auth attached.

After upgrading to 3.0.23

* I needed to add idmap options (I used idmap backend = rid), else winbind would only start in "netlogon proxy mode", and basically, didn't work. ): Since we're not using winbind for account info currently, I don't necessarily blame samba here for that, but is there a better/recommended configuration for this situation?

* login/authentication attempts now (most often) ask for a password *twice*. ??????

-- Rex

-------------- next part --------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 nis
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
Rex Dieter
2006-Jul-12 15:26 UTC
[Samba] Re: samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
Rex Dieter wrote:
> After upgrading to 3.0.23
> * login/authentication attempts now (most often) ask for a password
> *twice*. ??????

After googling around a bit, I found that adjusting /etc/pam.d/system-auth from

auth sufficient /lib/security/$ISA/pam_unix.so ...

to

auth sufficient /lib/security/$ISA/pam_unix.so ... use_first_pass

seemed to do the trick.

Why/how did this behavior change wrt pam_winbind between 3.0.22 and 3.0.23?

-- Rex
Gerald (Jerry) Carter
2006-Jul-12 15:28 UTC
[Samba] samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
Rex Dieter wrote:
> After upgrading to 3.0.23
> * I needed to add idmap options (I used idmap
> backend = rid), else winbind would only start in "netlogon
> proxy mode", and basically, didn't work. ):

What do you mean by wouldn't work? Wouldn't return users? That is to be expected.

> Since we're not using winbind for account info
> currently, I don't necessarily blame samba here for
> that, but is there a better/recommended
> configuration for this situation?

This has always been like this. Idmap_rid needs a range for mapping the RID value on a uid or gid. Not sure how it was working at all before.

> * login/authentication attempts now (most often)
> ask for a password *twice*. ??????

Known issue. We're working on it.
https://bugzilla.samba.org/show_bug.cgi?id=3916

cheers, jerry

=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Dietrich Streifert
2006-Jul-13 10:04 UTC
[Samba] Re: samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
I found a bug in nsswitch/pam_winbind.c which I reported to https://bugzilla.samba.org/show_bug.cgi?id=3916

I submitted shortly a patch which solves the issue.

In _pam_parse (pam_winbind.c) there are two for statements which consume the parameters argc and argv. The first loop decrements argc and increments argv while trying to find out if a config file argument is given to pam_winbind. The second for statement, which does the usual loop through argv, assumes that argc and argv are at initial state so, in best case the loop is never entered and parameters like use_first_pass are not recognized.

The patch can be found here: https://bugzilla.samba.org/attachment.cgi?id=2030

Please report if this

> Gerald (Jerry) Carter wrote:
>
>> Rex Dieter wrote:
>>
>>> After upgrading to 3.0.23
>>> * I needed to add idmap options (I used idmap
>>> backend = rid), else winbind would only start in "netlogon
>>> proxy mode", and basically, didn't work. ):
>>
>> What do you mean by wouldn't work? Wouldn't return
>> users? That is to be expected.
>
> Nothing worked. In particular, authentication no longer functioned as
> it did before the upgrade.
>
> Like I said, no biggie. EASYFIX. Since, as you said, it probably
> shouldn't have worked in that configuration before.
>
>>> * login/authentication attempts now (most often)
>>> ask for a password *twice*. ??????
>>
>> Known issue. We're working on it.
>> https://bugzilla.samba.org/show_bug.cgi?id=3916
>
> Thanks.

--
With kind regards
Dietrich Streifert
Visionet GmbH
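The double-consumption bug described in the message above, reduced to a stand-alone C example (added here; it is not the Samba source or the attached patch). The function names, flag bits and the `config=` option spelling are assumptions made for illustration, and the index-based loop is only one way to correct the pattern.

```c
#include <stdio.h>
#include <string.h>

#define OPT_CONFIG_FILE    0x1u  /* hypothetical flag bits */
#define OPT_USE_FIRST_PASS 0x2u

/* Constructed module arguments, as PAM would pass them for
 * "auth sufficient pam_winbind.so use_first_pass". */
static const char *sample_args[] = { "use_first_pass" };

/* Buggy shape: pass 1 advances argc/argv themselves, so pass 2
 * starts with argc exhausted and its body never runs. */
unsigned parse_buggy(int argc, const char **argv)
{
    unsigned flags = 0;
    for (; argc-- > 0; ++argv)            /* pass 1: config file given? */
        if (strncmp(*argv, "config=", 7) == 0)
            flags |= OPT_CONFIG_FILE;
    for (; argc-- > 0; ++argv)            /* pass 2: never entered */
        if (strcmp(*argv, "use_first_pass") == 0)
            flags |= OPT_USE_FIRST_PASS;
    return flags;
}

/* Corrected shape: each pass uses its own index and leaves
 * argc/argv untouched, so both passes see every argument. */
unsigned parse_fixed(int argc, const char **argv)
{
    unsigned flags = 0;
    int i;
    for (i = 0; i < argc; i++)
        if (strncmp(argv[i], "config=", 7) == 0)
            flags |= OPT_CONFIG_FILE;
    for (i = 0; i < argc; i++)
        if (strcmp(argv[i], "use_first_pass") == 0)
            flags |= OPT_USE_FIRST_PASS;
    return flags;
}

int main(void)
{
    printf("buggy: 0x%x  fixed: 0x%x\n",
           parse_buggy(1, sample_args), parse_fixed(1, sample_args));
    return 0;
}
```

With `use_first_pass` silently dropped, the module no longer reuses the password collected by the earlier module in the stack, which matches the double password prompt reported in this thread.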
Rex Dieter
2006-Jul-13 16:03 UTC
[Samba] Re: samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
Dietrich Streifert wrote:
> I found a bug in nsswitch/pam_winbind.c which I reported to
> https://bugzilla.samba.org/show_bug.cgi?id=3916
> I submitted shortly a patch which solves the issue.

I can confirm that patch works as advertised, and fixes the issue for me. Many thanks Dietrich.

-- Rex
Gerald (Jerry) Carter
2006-Jul-13 16:34 UTC
[Samba] Re: samba-3.0.22 -> samba-3.0.23 pam_winbind issue(s)
Rex Dieter wrote:
> Dietrich Streifert wrote:
>
>> I found a bug in nsswitch/pam_winbind.c which I reported to
>> https://bugzilla.samba.org/show_bug.cgi?id=3916
>> I submitted shortly a patch which solves the issue.
>
> I can confirm that patch works as advertised, and fixes
> the issue for me. Many thanks Dietrich.

Yup. Thanks much to Dietrich. Patch has been checked in for 3.0.23a due next week.

cheers, jerry