disable "fake" samba authentication error messages (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Fri Jul 3 14:36:23 GMT 1998

---------- Forwarded message ----------
Date: Thu, 2 Jul 1998 12:59:33 -0700
From: Andrew Morgan <morgan at transmeta.com>
Reply-To: pam-list at redhat.com
To: pam-list at redhat.com
Cc: Urs Rau <urs at uk.om.org>,
    Multiple recipients of list <samba at samba.anu.edu.au>
Subject: Re: disable "fake" samba authentication error messages
Resent-Date: 2 Jul 1998 20:03:11 -0000
Resent-From: pam-list at redhat.com
Resent-cc: recipient.list.not.shown:;

Luke Kenneth Casson Leighton writes:
> > 
> > On Thu, 2 Jul 1998, Urs Rau wrote:
> > 
> > > What bothers me is that samba is filling up my log files with a lot of 
> > > extraneous/fake entries about authentication failures. "Extraneous/fake" - 
> > > because all it is is a reflection of the way the protocol actually tries to login - 
> > > going through the upper/lower case mutations as configured.
> This is due to the Windows machines forcing the password to be uppercased.
> A cracking algorithm is applied, which can be short-circuited by asking
> your users to only use lower case letters in passwords.  This will still
> allow numbers and non-numeric characters but may still not satisfy the
> truly paranoid.
> The alternative is to use encrypted passwords, and maintain the UNIX and
> NT / LM password databases separately: there are tools to do this.

This may be eliminated if it is possible to get samba to work like this:

conv(..., app_data)
{
	/* use app_data to indicate how many times we've been called */
	if ( first_time ) {
		return string_as_typed
	} else if ( second_time ) {
		return string_upper_cased
	} else {
		return nothing_more
	}
}

	if (pam_authenticate != PAM_SUCCESS
		&& pam_authenticate != PAM_SUCCESS) {
		/* bad - you should also check for MAX-TRIES
		         return... */
	}
	/* good */

Since pam_pwdb, which is probably what is generating a lot of your log
messages, keeps a record of who tried and failed and only logs a
message if each failure is not followed by a success.  As long as you
keep calling pam_authenticate() and succeed once, I think you'll not
have a problem.

[It is the pam_end() call that cleans up pam_pwdb's mental note
(pam-data structure) that actually does the logging in this case.]

Perhaps the problem in samba is more complicated?



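The retry scheme sketched in the message above, written out as an added example that is not part of the original e-mail and is not Samba or Linux-PAM code. The names `conv_state`, `session`, `candidate_conv`, `mock_authenticate` and `login` are hypothetical stand-ins for the conversation callback's app_data, pam_authenticate() and the module's deferred failure note, so the block runs without libpam.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_TRIES 2  /* as typed, then upper-cased */

/* Hypothetical stand-ins for the PAM pieces named above; this is not libpam. */
struct conv_state { const char *typed; int calls; };      /* role of app_data */
struct session { const char *stored; int pending_failures; };

/* Callback: 1st call returns the string as typed, 2nd upper-cased, then NULL. */
static char *candidate_conv(struct conv_state *st)
{
    size_t i, n = strlen(st->typed);
    char *out = st->calls < MAX_TRIES ? malloc(n + 1) : NULL;
    if (out == NULL) return NULL;
    for (i = 0; i <= n; i++)
        out[i] = st->calls ? (char)toupper((unsigned char)st->typed[i]) : st->typed[i];
    st->calls++;
    return out;
}

/* One attempt: a failure is only noted, and a later success clears the note. */
static int mock_authenticate(struct session *s, struct conv_state *st)
{
    char *pw = candidate_conv(st);
    int ok = pw != NULL && strcmp(pw, s->stored) == 0;  /* mock check only */
    free(pw);
    s->pending_failures = ok ? 0 : s->pending_failures + 1;
    return ok;
}

/* Retry in one session; *logged gets the failures still noted at session end. */
static int login(const char *stored, const char *typed, int *logged)
{
    struct session s = { stored, 0 };
    struct conv_state st = { typed, 0 };
    int ok = 0;
    while (!ok && st.calls < MAX_TRIES)
        ok = mock_authenticate(&s, &st);
    *logged = s.pending_failures;
    return ok;
}

int main(void)
{
    int logged, ok = login("SECRET", "secret", &logged);  /* constructed input */
    printf("ok=%d logged=%d\n", ok, logged);
    return 0;
}
```

The constructed case fails on the as-typed candidate and succeeds on the upper-cased one, leaving no failure noted at session end; a password that matches neither candidate leaves both failures noted.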