[PATCH] Re: W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Tue Apr 24 17:27:28 GMT 2001


On Tue, 24 Apr 2001, Andrew Bartlett wrote:

> Steve Langasek wrote:

> > On Tue, 24 Apr 2001, Andrew Bartlett wrote:

> > > Finally, an explanation that MAKES SENSE.  What's more, the reason it
> > > worked for me is that I use NIS, so didn't need to be root.

> > It also explains why PAM fails for some operations and not for others; owing
> > to RPC, Samba isn't always calling PAM from the same security context.  Still,
> > I'd like some empirical confirmation that my patch fixes the problem before
> > concluding that this is what's really happening.

> The attached patch fixes the become_root()/unbecome_root() needed for
> account checking, and adds password changing via PAM.  It moves
> pam_setcred into a separate function, and deletes credentials on close.
> I think it knocks out all the known issues with PAM at the moment, bar
> the chaining of pamh handles from pam use to pam use.  It also doesn't
> stuff up our linking with the various other utilities in PAM.  I would
> be VERY surprised if this doesn't fix it - as it's ONLY nt domain stuff
> that's called from nobody, and this bug's victims report being able to
> mount the shares correctly - where there is also a pam account check.

What problem does the code below fix?  If you are concerned that some modules
will change passwords without checking the old password when called as root,
you should call pam_authenticate() first rather than trying to fake up a
set-uid /bin/passwd.  It is /not/ reasonable to expect pam_chauthtok() to
authenticate the user for you.  Some modules will authenticate the user
because they have to, some will do so as a convenience for the application
writer.  It's possible that some modules will /not/ take this as a cue to
authenticate the user before updating the authentication token, so the safest
way to handle this is simply to always ensure the user has been authenticated
(with pam_authenticate() or otherwise) before pam_chauthtok() is called.

Steve Langasek
postmodern programmer

+#if 0
+       if (as_root) {
+               become_root();
+       } else {
+               struct passwd *passwd = sys_getpwnam(user);
+
+               if (passwd == NULL) {
+                       return False;
+               } else {
+                       int ruid;
+                       ruid = passwd->pw_uid;
+                       /* We need to look the same as a set-uid /bin/passwd */
+                       save_re_uid();
+                       setreuid(ruid, 0);  /* HACK!!!  I just need this to work, there
+                                              probably a much better/more portable way
+                                              to do this */
+                       assert_uid(ruid, 0);
+               }
+       }
+#endif
+
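Review bot: the whole hunk sits between `#if 0` and `#endif`, so none of it is compiled; either leave the uid juggling out of the patch instead of committing dead code, or, if it is meant to go live, check the return value of `setreuid(ruid, 0)` rather than relying on `assert_uid(ruid, 0)` to notice a failed switch, and pair `save_re_uid()` with the restore call, which does not appear in this hunk. The trailing comment also reads "there probably a much better" and wants "there is probably".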
