W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 21:14:29 GMT 2001


On Mon, 23 Apr 2001, Steve Langasek wrote:

> OK, this I recognize.  Had to dig through the source to pam_unix to be sure.

> A very serious problem for PAM modules, one you unfortunately won't find
> documented in any PAM howtos, is that the application and modules have no way
> to communicate information regarding filesystem credentials.  It is *very*
> difficult for a PAM module to change the process's uid/euid without losing
> information.  It can be done under Linux -- newer versions of the Linux-PAM
> pam_unix module do it -- but since there's PAM code out there that /doesn't/
> know how to handle uids, Samba should wrap all PAM calls with
> become_root()/unbecome_root().  As a general rule, all apps should assume
> maximum possible credentials prior to invoking PAM.

Jeremy,

Attached is a patch against SAMBA_2_2 CVS which wraps the important PAM
calls.  Unfortunately, the passdb/pampass.o object is also linked in by
bin/smbpasswd and bin/rpcclient, so this patch leaves those utilities in an
uncompilable state and probably shouldn't be applied to the tree.  It's a
starting point for fixing the current PAM bug, however.  Can you verify
whether pam_unix+domain logons work for you after applying this patch?  I
don't have any systems using broken versions of pam_unix that I can test this
with.

Cheers,
Steve Langasek
postmodern programmer
-------------- next part --------------
diff -u -w -r1.1.2.15 pampass.c
--- passdb/pampass.c	2001/04/23 06:22:05	1.1.2.15
+++ passdb/pampass.c	2001/04/23 21:06:37
@@ -204,7 +204,9 @@
 	 */
 	
 	DEBUG(4,("PAM: Authenticate User: %s\n", user));
+	become_root();
 	pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */
+	unbecome_root();
 	switch( pam_error ){
 		case PAM_AUTH_ERR:
 			DEBUG(2, ("PAM: Athentication Error\n"));
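Review bot: wrapping pam_authenticate() in become_root()/unbecome_root() means the whole module stack and Samba's conversation callback now execute with full root credentials for the duration of the call; a one-line comment above `become_root();` stating why (the uid/euid problem from the cover note) would stop a later maintainer from "cleaning up" what looks like an unnecessary privilege change. The pair is balanced on every path because `unbecome_root();` comes before the switch, so the error cases need no extra cleanup. While in this function, the context line `DEBUG(2, ("PAM: Athentication Error\n"));` could lose its typo ("Authentication").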
@@ -246,7 +248,9 @@
 	int pam_error;
 
 	DEBUG(4,("PAM: Account Management for User: %s\n", user));
+	become_root();
 	pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
+	unbecome_root();
 	switch( pam_error ) {
 		case PAM_AUTHTOK_EXPIRED:
 			DEBUG(2, ("PAM: User is valid but password is expired\n"));
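Review bot: become_root()/unbecome_root() are smbd-internal, and the cover note already says passdb/pampass.o is also linked into bin/smbpasswd and bin/rpcclient, so this hunk and the other three leave those binaries unlinkable. Rather than committing a tree that does not build, the four call sites could go through one small static helper in pampass.c (or a conditional pair of macros) that expands to the plain PAM call when pampass.c is compiled outside smbd, which also keeps each per-call-site change to a single line.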
@@ -288,7 +292,9 @@
 	 */
 
 	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
+	become_root();
 	pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); 
+	unbecome_root();
 	switch( pam_error ) {
 		case PAM_CRED_UNAVAIL:
 			DEBUG(0, ("PAM: Credentials not found for user:%s", user ));
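Review bot: pam_setcred(PAM_ESTABLISH_CRED) is the one call in this file where a module is expected to change the process's uid/euid or group set, and the `unbecome_root();` placed straight after it restores Samba's saved security context, so whatever the module established is discarded instead of being carried into the session. That is the trade-off the cover note argues for, but it is observable behaviour rather than just a privilege change, so it deserves a comment at this call site. The context line `DEBUG(0, ("PAM: Credentials not found for user:%s", user ));` is also missing the trailing `\n` that every other DEBUG in the file has.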
@@ -336,11 +342,15 @@
 #endif
 
 	if (flag) {
+		become_root();
 		pam_error = pam_open_session(pamh, PAM_SILENT);
+		unbecome_root();
 		if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
 			return False;
 	} else {
+		become_root();
 		pam_error = pam_close_session(pamh, PAM_SILENT);
+		unbecome_root();
 		if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
 			return False;
 	}
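Review bot: the become_root()/unbecome_root() pair is duplicated in both arms of the if/else; hoisting `become_root();` above `if (flag) {`, selecting pam_open_session()/pam_close_session() inside, and calling `unbecome_root();` once before the error handling gives a single pair to maintain. Either way the two `return False` paths already sit after unbecome_root(), so no elevated context leaks to the caller on failure.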

