W2K Domain Login Problem with 2.2.0
Steve Langasek
vorlon at netexpress.net
Mon Apr 23 21:14:29 GMT 2001
On Mon, 23 Apr 2001, Steve Langasek wrote:
> OK, this I recognize. Had to dig through the source to pam_unix to be sure.
> A very serious problem for PAM modules, one you unfortunately won't find
> documented in any PAM howtos, is that the application and modules have no way
> to communicate information regarding filesystem credentials. It is *very*
> difficult for a PAM module to change the process's uid/euid without losing
> information. It can be done under Linux -- newer versions of the Linux-PAM
> pam_unix module do it -- but since there's PAM code out there that /doesn't/
> know how to handle uids, Samba should wrap all PAM calls with
> become_root()/unbecome_root(). As a general rule, all apps should assume
> maximum possible credentials prior to invoking PAM.
Jeremy,
Attached is a patch against SAMBA_2_2 CVS which wraps the important PAM
calls. Unfortunately, the passdb/pampass.o object is also linked in by
bin/smbpasswd and bin/rpcclient, so this patch leaves those utilities in an
uncompilable state and probably shouldn't be applied to the tree. It's a
starting point for fixing the current PAM bug, however. Can you verify
whether pam_unix+domain logons work for you after applying this patch? I
don't have any systems using broken versions of pam_unix that I can test this
with.
Cheers,
Steve Langasek
postmodern programmer
-------------- next part --------------
diff -u -w -r1.1.2.15 pampass.c
--- passdb/pampass.c 2001/04/23 06:22:05 1.1.2.15
+++ passdb/pampass.c 2001/04/23 21:06:37
@@ -204,7 +204,9 @@
*/
DEBUG(4,("PAM: Authenticate User: %s\n", user));
+ become_root();
pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */
+ unbecome_root();
switch( pam_error ){
case PAM_AUTH_ERR:
DEBUG(2, ("PAM: Athentication Error\n"));
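Review bot: wrapping the call inside pampass.c ties passdb/pampass.o to binaries that provide become_root()/unbecome_root(); as the cover mail says, the same object is linked into smbpasswd and rpcclient, so either those tools need no-op stubs for the two calls or the root wrapping belongs in the smbd callers rather than here. On a smaller point, the context line `DEBUG(2, ("PAM: Athentication Error\n"));` misspells "Authentication".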
@@ -246,7 +248,9 @@
int pam_error;
DEBUG(4,("PAM: Account Management for User: %s\n", user));
+ become_root();
pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
+ unbecome_root();
switch( pam_error ) {
case PAM_AUTHTOK_EXPIRED:
DEBUG(2, ("PAM: User is valid but password is expired\n"));
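Review bot: the become_root()/unbecome_root() pair is now repeated verbatim at every PAM entry point; a small helper in pampass.c that performs the raise, the PAM call and the drop in one place would keep the pairing from being missed on a future early-return path, which would leave the process running as root. The wrapping of pam_acct_mgmt() itself is correct as written: nothing between `become_root();` and `unbecome_root();` can return.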
@@ -288,7 +292,9 @@
*/
DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
+ become_root();
pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
+ unbecome_root();
switch( pam_error ) {
case PAM_CRED_UNAVAIL:
DEBUG(0, ("PAM: Credentials not found for user:%s", user ));
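Review bot: pam_setcred(PAM_ESTABLISH_CRED) now runs with root credentials and unbecome_root() restores the previous uid/gid state immediately afterwards; it is worth confirming that whatever a module establishes for the process during that window (supplementary groups, for example) is not simply thrown away by the restore, since otherwise the call achieves nothing. Also, the context line `DEBUG(0, ("PAM: Credentials not found for user:%s", user ));` lacks the trailing newline every other DEBUG message in these hunks carries.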
@@ -336,11 +342,15 @@
#endif
if (flag) {
+ become_root();
pam_error = pam_open_session(pamh, PAM_SILENT);
+ unbecome_root();
if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
return False;
} else {
+ become_root();
pam_error = pam_close_session(pamh, PAM_SILENT);
+ unbecome_root();
if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
return False;
}
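Review bot: the narrow root window here is the right choice: both `return False` paths run after unbecome_root(), so a failed pam_open_session() or pam_close_session() cannot leave smbd as root, and hoisting the pair outside the if/else would require an extra unbecome_root() before each return. One thing to confirm is that become_root() tolerates being entered by a caller that has already become root (the session-close path may be reached from such code), since nested use would otherwise need handling.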
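The rule in the quoted passage, that an application should hold maximum credentials around every PAM call and then restore its own identity, as an added example in C that is not Samba's code: become_root(), unbecome_root() and call_with_root() here are hypothetical stand-ins for Samba's functions, and fake_module() is a constructed stand-in for a PAM module that alters the effective uid behind the application's back. It runs unprivileged, where the raise to root is simply refused and the restore is still verified.

```c
/* Added example, not Samba code: save/raise/restore credentials around a
 * PAM-style call and verify the original identity came back afterwards. */
#define _XOPEN_SOURCE 700
#include <unistd.h>
#include <sys/types.h>

struct saved_creds { uid_t euid; gid_t egid; };

/* Hypothetical become_root(): remember the current ids, then try to raise.
 * seteuid(0) only succeeds if the real or saved uid is 0; otherwise the
 * process simply stays as it is, which is harmless here. */
static void become_root(struct saved_creds *s)
{
    s->euid = geteuid();
    s->egid = getegid();
    if (s->euid != 0) {
        (void)seteuid(0);
        (void)setegid(0);   /* only possible once euid is 0 */
    }
}

/* Hypothetical unbecome_root(): drop gid first (still needs euid 0), then
 * uid. Returns 0 only if both ids are back where they started. */
static int unbecome_root(const struct saved_creds *s)
{
    (void)setegid(s->egid);
    (void)seteuid(s->euid);
    return (geteuid() == s->euid && getegid() == s->egid) ? 0 : -1;
}

typedef int (*pam_style_call)(void *ctx);

/* Wrap a PAM-style call with maximum credentials, as the patch does around
 * pam_authenticate() and friends. Returns the call's own result; *creds_ok
 * reports whether the application's identity was recovered afterwards. */
int call_with_root(pam_style_call fn, void *ctx, int *creds_ok)
{
    struct saved_creds saved;
    become_root(&saved);
    int rc = fn(ctx);
    *creds_ok = (unbecome_root(&saved) == 0);
    return rc;
}

/* Constructed stand-in for a module that changes the effective uid (the
 * behaviour the mail describes in newer pam_unix) and records what it saw. */
struct probe { uid_t seen_euid; };
int fake_module(void *ctx)
{
    struct probe *p = ctx;
    p->seen_euid = geteuid();
    (void)seteuid(getuid());   /* module switching ids on its own */
    return 7;                  /* stands in for a PAM_* return code */
}
```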
More information about the samba-technical mailing list