samba - Jan 2013 - pam_smbpass.so on AIX

Yet another odd one...

I've got it set up now so that swat uses pam_smbpass.so, and once a user
logs into swat at least once, it'll update their password in the passdb
backend configured for Samba.  But, I also need to ensure that when a user
changes their password via passwd, it also gets updated.  I added the following
in /etc/security/login.cfg:

usw:
     auth_type = PAM_AUTH

and that makes telnetd, passwd, etc all go through pam.  

However, when I try to log in via telnet or run passwd, I get this in
syslog.log:

Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules:
/usr/lib/security/pam_aix
Jan 18 10:59:06 systst auth|security:debug login PAM: load_function: successful
load of pam_sm_authenticate
Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules:
/opt/samba-4.0.0/lib/security/pam_smbpass.so
Jan 18 10:59:06 systst auth|security:debug login PAM: open_module:
/opt/samba-4.0.0/lib/security/pam_smbpass.so failed: A file or directory in the
path name does not exist.
Jan 18 10:59:06 systst auth|security:err|error login PAM: load_modules: can not
open module /opt/samba-4.0.0/lib/security/pam_smbpass.so


However, if I run swat, it'll load
/opt/samba-4.0.0/lib/security/pam_smbpass.so just fine.  No, it's not a
typo, and yes, the module is present in that path.

I don't know what to do.  I need to deploy this tomorrow (Saturday), and the
users need to be able to update their Samba passwords when they run passwd, etc.
Replacing the system passwd program with a script that calls both from absolute
paths is not a workable solution, though technically it would work.

Anyway, any idea why swat can load pam_smbpass.so but not telnetd or passwd?

Many thanks!

-Ben

On Fri, 2013-01-18 at 19:20 +0000, Benjamin Huntsman
wrote:
> Yet another odd one...
> 
> I've got it set up now so that swat uses pam_smbpass.so, and once a
user logs into swat at least once, it'll update their password in the passdb
backend configured for Samba.  But, I also need to ensure that when a user
changes their password via passwd, it also gets updated.  I added the following
in /etc/security/login.cfg:
> 
> usw:
>      auth_type = PAM_AUTH
> 
> and that makes telnetd, passwd, etc all go through pam.  
> 
> However, when I try to log in via telnet or run passwd, I get this in
syslog.log:
> 
> Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules:
/usr/lib/security/pam_aix
> Jan 18 10:59:06 systst auth|security:debug login PAM: load_function:
successful load of pam_sm_authenticate
> Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules:
/opt/samba-4.0.0/lib/security/pam_smbpass.so
> Jan 18 10:59:06 systst auth|security:debug login PAM: open_module:
/opt/samba-4.0.0/lib/security/pam_smbpass.so failed: A file or directory in the
path name does not exist.
> Jan 18 10:59:06 systst auth|security:err|error login PAM: load_modules: can
not open module /opt/samba-4.0.0/lib/security/pam_smbpass.so
> 
> 
> However, if I run swat, it'll load
/opt/samba-4.0.0/lib/security/pam_smbpass.so just fine.  No, it's not a
typo, and yes, the module is present in that path.
> 
> I don't know what to do.  I need to deploy this tomorrow (Saturday),
and the users need to be able to update their Samba passwords when they run
passwd, etc.  Replacing the system passwd program with a script that calls both
from absolute paths is not a workable solution, though technically it would
work.
> 
> Anyway, any idea why swat can load pam_smbpass.so but not telnetd or
passwd?
Run ldd on the binary.  it will show the unresolved library references.

My guess is that things it relies on, are on in the standard library
path for the system.  Perhaps edit /etc/ld.so.conf to put
opt/samba-4.0.0/lib in that path?

Normally all that isn't required (we use -rpath when linking), but
perhaps that's working for our binaries (eg swat), but not our plugins
when loaded by telnet?

Anyway, that's how I would start debugging this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org