Your message dated Fri, 6 Apr 2018 22:40:25 +0200
with message-id 
<CAFX5sbwmL+xCnbt=my9fqdl8vubmch9zrdeve6eb540vp2z...@mail.gmail.com>
and subject line Package removed
has caused the Debian Bug report #661751,
regarding libpam-smbpass: pam_smbldap ldap and ssl does not work
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
661751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661751
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-smbpass
Version: 2:3.5.6~dfsg-3squeeze6
Severity: normal

Have samba pdc using smbldap etc.
Running debian squeeze with samba  3.5.6
Working on getting pam to keep ldap and  windows passsword in sync.
have been using smbldap-passwd with some added password tests to change 
passwords.

smbldap-passwd works
smbpasswd works
in auth part of pam the migrate works with pam_smbldap
smbclient -L localhost  authenticates OK.

If I use no ssl or tls for ldap connections in smb.conf 
passwd will change the windows password.
If the connection to the master ldap server uses ssl or tls I get this error 
in auth.log.

Feb 15 13:21:51 nfondy passwd[30090]: pam_smbpass(passwd:chauthtok): Cannot 
access samba password database, not running as root.

Again it works with out tsl or ssl.

common-passwd:
# here are the per-package modules (the "Primary" block)
password        requisite                       pam_passwdqc.so
password        [success=2 default=ignore]      pam_unix.so obscure 
use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 
try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional                        pam_smbpass.so nullok 
use_authtok use_first_pass debug
# end of pam-auth-update config

For this test using in smb.conf:
 ldap ssl = off

  passdb backend = ldapsam:"ldaps://mstldap.advocap.org"

If I change ldaps to ldap it works.

I managed to trace in wireshark using the the ssl key for mstldap.

Makes one tls connection 
I see the key exhange etc and then a sucessfull ldap bind.
It closes that connection. I assume that's one of the other pam modules.

Then it tries starting another ssl connection from a new port but it does not 
work.
Doesn't even see a tls client hello.

Without ssl I can see passwords being changed etc.

I tried samba from backports and it's the same.

John


-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-smbpass depends on:
ii  libc6             2.11.3-3               Embedded GNU C Library: Shared lib
ii  libcap2           1:2.19-3               support for getting/setting POSIX.
ii  libldap-2.4-2     2.4.23-7.2             OpenLDAP libraries
ii  libpam-runtime    1.1.1-6.1+squeeze1     Runtime support for the PAM librar
ii  libpam0g          1.1.1-6.1+squeeze1     Pluggable Authentication Modules l
ii  libtalloc2        2.0.1-1                hierarchical pool based memory all
ii  libwbclient0      2:3.5.6~dfsg-3squeeze6 Samba winbind client library
ii  samba-common      2:3.5.6~dfsg-3squeeze6 common files used by both the Samb

libpam-smbpass recommends no packages.

Versions of packages libpam-smbpass suggests:
ii  samba             2:3.5.6~dfsg-3squeeze6 SMB/CIFS file, print, and login se

-- no debconf information



--- End Message ---
--- Begin Message ---
Version: 2:4.3.3+dfsg-1

libpam-smbpasswd was removed.

Regards
-- 
Mathieu Parent

--- End Message ---

Reply via email to