Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Bogdan Iamandei


Hi,

I am trying to put together the latest samba 2.2 from CVS, PAM
and Kerberos5 on a Solaris8 platform. Although it does compile fine,
attempting to make it work through pam_krb5 fails miserably.

I have configured the /etc/pam.conf to read:
# Samba Auth
samba   auth      required   /usr/lib/security/pam_krb5.so.1
samba   account   required   /usr/lib/security/pam_krb5.so.1
samba   session   required   /usr/lib/security/pam_krb5.so.1
samba   password  required   /usr/lib/security/pam_krb5.so.1
#

The messages I receive in the logs are like this:

[2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_conv(125)
  smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !
[2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_passcheck(827)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User username !

For some reason - it appears that only samba has this problem, proftpd
or telnet or just about any other application work fine against
pam_krb5.

My questions are:

0). Are the lines in my pam.conf correct?
1). Is this a bug or a feature? :)
2). Is the Sun's PAM/Kerberos5 implementation b0rken?
3). If 2) is true - how come the other applications are not failing?:)
4). Any ideas on how to circumvent this... unpleasant b0rkeness?

Regards,

Bogdan.

PS: If more info is needed - please *do ask*. I would like to have this 
sorted, since it's rather important.

-- 
I have seen things you people wouldn't believe.  Attack ships on fire
off the shoulder of Orion.  I watched C-beams glitter in the dark
near the Tannhauser Gate.  All those moments will be lost in time,
like tears in rain.  Time to die.





Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Mike Gerdts

On Wed, 2002-05-15 at 10:23, Steve Langasek wrote:
 I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
 remember that it's true that Solaris does not honor the appdata_ptr
 field.  If Samba now depends on sane handling of appdata_ptr, then it's
 likely that this won't work on Solaris.

As I was looking at implementing Kerberos, I found the Solaris pam_krb5
to be so bug-ridden that I had pretty much rejected it.

Bug 4464325 - su dumps core when pam_krb5 is enabled.  

Reported 5/29/2001, fixed on Solaris 8 with 109805-05 (2/21/2002)

Bug  - pam_krb5.so.1 dumps core in pam_sm_setcred

Reported 9/26/2001, fixed in Solaris 9 build 54, no fix for Solaris
8 as of 5/15/2002

Service order 62638039 - in.rshd dumps core after configuring Kerberos

Case was closed stating it was a documentation error.  I was never
told that this case was going to be closed.  I only found out it was
closed after the fact.  No fix or workaround was even suggested. 
Really nice to see that network facing services that must run as
root can be caused to core dump due to a documentation error.

Bug 4507496 - pam_krb5 is confused between pam_authenticate and
pam_setcred

Reported 10/12/2001, not fixed as of 5/15/2002

Note that none of these problems are fixed for Solaris 7 (SEAM 1.0).
Using pam_krb5 1.31 from Redhat 7.1 resolved every one of these issues.

And now to wander offtopic (and vent) a bit...

Sun's kerberos implementation has several other issues that made me
quite leery of using any parts of it.  I tried to work with Sun to
resolve these issues for Solaris 7 and 8, but they were unable to find
the time to work on Solaris 7 or 8 in favor of new development on 9.

If you are using a Sun kerberos implementation, be sure that you have an
empty /.k5login.  Else, [EMAIL PROTECTED] can
telnet/rsh/whatever to root on any other host without giving a password
and without the standard remote root login restrictions that one would
expect to be controlled by /etc/default/login.  See krb5_auth_rules(5)
from SEAM for details.  As a result of this unexpected behavior I
requested the following as part of a service call, but got no response.

 Could you please file two RFE's?

1) Update each Sun Enterprise Authentication Mechanism x.y.z
Guide with the warning mentioned above.  There should also be a
mention of this difference in the SEAM Interoperability with MIT
section of SEAM x.y.z Installation and Release Notes.

2) Update telnetd(1M), rlogind(1M) and rshd(1M) to include the
warning and update the SEE ALSO section of each of the man pages to
refer to krb5_auth_rules(5).

Mike





Re: Samba 2.2.X, PAM and Kerberos5

2002-05-15 Thread Bogdan Iamandei

Steve Langasek wrote:
[...]
 
 As far as it goes, your above configuration looks correct.  Have you
 checked wherever your syslog auth  facility logs to, to see if pam_krb5
 is logging any information that might be useful?

Hmm, although it seems it supports the debug switch, the module seems 
mute as a fish.


 
 Are you using the Solaris pam_krb5 module, or a third-party module?

The original (apparently in more than one way) Solaris module. I'll be 
compiling and packaging the MIT kerberos today and then try the whole 
thing against that one. I'll let you know how this goes.

 I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
 remember that it's true that Solaris does not honor the appdata_ptr
 field.  If Samba now depends on sane handling of appdata_ptr, then it's
 likely that this won't work on Solaris.

Grrr!! wonderful. Mkay then, I think that this little Solaris 
(mis)feature would be nice to be at least mentioned somewhere in the 
docs, in case some other masochist considers going down this path. :)


Thanks,
Bogdan.

-- 
I have seen things you people wouldn't believe.  Attack ships on fire
off the shoulder of Orion.  I watched C-beams glitter in the dark
near the Tannhauser Gate.  All those moments will be lost in time,
like tears in rain.  Time to die.
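The following is an added illustration, not code from Samba, Sun or anyone in this thread, of why the "appdata_ptr == NULL" check in smb_pam_conv matters and what a PAM library that drops appdata_ptr does to it. It stands in for both the application side (a conversation callback in the style of Samba's smb_pam_conv, which can only reach the SMB-supplied password through appdata_ptr) and the module side (a toy pam_sm_authenticate that prompts for a password). The struct and constant names mirror <security/pam_appl.h> (constant values are Linux-PAM's); the toy module, the smb_conv_data struct, the drop_appdata switch and the "s3cret" password are all constructed for the example and are not taken from the original code.

```c
/* Added example (not Samba's or Sun's code): a minimal stand-in for the PAM
 * conversation API, showing why smb_pam_conv needs appdata_ptr and what
 * happens when the PAM library hands the callback a NULL appdata_ptr.
 * Struct and constant names mirror <security/pam_appl.h>; constant values are
 * Linux-PAM's. Everything else is constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* Application-side state passed through appdata_ptr: the user name and the
 * password received over SMB, which must be replayed to the module's prompt. */
struct smb_conv_data { const char *user; const char *pass; };

static char *dup_string(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) strcpy(p, s);
    return p;
}

/* Conversation callback modelled on smb_pam_conv. There is no other channel
 * for the password, so a NULL appdata_ptr is a hard error, not a prompt to
 * ask the (non-existent) terminal. */
static int smb_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    const struct smb_conv_data *data = appdata_ptr;
    if (data == NULL) {
        fprintf(stderr, "smb_conv: PAM on this system is broken - appdata_ptr == NULL !\n");
        return PAM_CONV_ERR;
    }
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        /* Only hidden-input prompts get the password; anything else is left
         * unanswered rather than leaking the secret into an echoed prompt. */
        r[i].resp = (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) ? dup_string(data->pass) : NULL;
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Module side: a toy pam_sm_authenticate that asks for a password through the
 * conversation function and compares it with a constructed expected secret. */
static int toy_module_authenticate(const struct pam_conv *conv, const char *expected)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *mp = &m;
    struct pam_response *resp = NULL;
    int rc = conv->conv(1, &mp, &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS || resp == NULL || resp[0].resp == NULL) return PAM_CONV_ERR;
    int ok = (strcmp(resp[0].resp, expected) == 0);
    free(resp[0].resp);
    free(resp);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Stand-in for the PAM library storing the application's pam_conv. drop_appdata
 * models a library that keeps the callback but does not honor appdata_ptr, the
 * behaviour the thread attributes to Solaris. */
static int authenticate_via(int drop_appdata, const char *given, const char *expected)
{
    struct smb_conv_data data = { "username", given };
    struct pam_conv app_conv = { smb_conv, &data };
    struct pam_conv stored = app_conv;
    if (drop_appdata) stored.appdata_ptr = NULL;
    return toy_module_authenticate(&stored, expected);
}

int main(void)
{
    printf("library honors appdata_ptr, right password: rc=%d\n", authenticate_via(0, "s3cret", "s3cret"));
    printf("library honors appdata_ptr, wrong password: rc=%d\n", authenticate_via(0, "wrong", "s3cret"));
    printf("library drops appdata_ptr,  right password: rc=%d\n", authenticate_via(1, "s3cret", "s3cret"));
    return 0;
}
```

With a correct password the third call still fails with PAM_CONV_ERR, which is the shape of the "smb_pam_auth failed - Rejecting User" log line above: the module never gets a usable answer, so the user is rejected regardless of the credentials. Applications that can fall back to prompting on a real terminal (telnet, ftpd) do not notice the missing pointer, which is consistent with only samba being affected.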