[PATCH] Re: W2K Domain Login Problem with 2.2.0

Andrew Bartlett abartlet at pcug.org.au
Tue Apr 24 21:24:15 GMT 2001


Steve Langasek wrote:
> 
> On Tue, 24 Apr 2001, Andrew Bartlett wrote:
> 
> > Steve Langasek wrote:
> 
> > > On Tue, 24 Apr 2001, Andrew Bartlett wrote:
> 
> > > > Finally, an explaination that MAKES SENSE.  Whats more, the reason it
> > > > worked for me is that I use NIS, so didn't need to be root.
> 
> > > It also explains why PAM fails for some operations and not for others; owing
> > > to RPC, Samba isn't always calling PAM from the same security context.  Still,
> > > I'd like some empirical confirmation that my patch fixes the problem before
> > > concluding that this is what's really happening.
> 
> > The attached patch fixes the become_root()/unbecome_root() needed for
> > account checking, and adds password changing via PAM.  It moves
> > pam_setcred into a seperate function, and deletes credentials on close.
> > I think it knocks out all the known issues with PAM at the moment, bar
> > the chaining of pamh handles from pam use to pam use.  It also doesn't
> > stuff up our linking with the various other utilities in PAM.  I would
> > be VERY supprised if this doesn't fix it - as its ONLY nt domain stuff
> > thats called from nobody, and this bugs victums report being able to
> > mount the shares correctly - where there is also a pam account check.
> 
> What problem does the code below fix?  If you are concerned that some modules
> will change passwords without checking the old password when called as root,
> you should call pam_authenticate() first rather than trying to fake up a
> set-uid /bin/passwd.  It is /not/ reasonable to expect pam_chauthtok() to
> authenticate the user for you.  Some modules will authenticate the user
> because they have to, some will do so as a convenience for the application
> writer.  It's possible that some modules will /not/ take this as a cue to
> authenticate the user before updating the authentication token, so the safest
> way to handle this is simply to always ensure the user has been authenticated
> (with pam_authenticate() or otherwise) before pam_chauthtok() is called.
> 
> Steve Langasek
> postmodern programmer
> 
> +#if 0
> +       if (as_root) {
> +               become_root();
> +       } else {
> +               struct passwd *passwd = sys_getpwnam(user);
> +
> +               if (passwd == NULL) {
> +                       return False;
> +               } else {
> +                       int ruid;
> +                       ruid = passwd->pw_uid;
> +                       /* We need to look the same as a set-uid /bin/passwd */
> +                       save_re_uid();
> +                       setreuid(ruid, 0);  /* HACK!!!  I just need this to work, there
> +                                              probably a much better/more portable way
> +                                              to do this */
> +                       assert_uid(ruid, 0);
> +               }
> +       }
> +#endif
> +

We already authenticate the user well before we get to the unix password
sync code (against our encrypted db).  In my latest patch I've dropped
the other (not as_root) stuff - as I can't tell you its perfecty
correct, or even tested.  See http://samba.org/samba-patches?findid=355

(I'm dropping of the net for a few days - I'll pick this up when I
return).

Andrew Bartlett
abartlet at pcug.org.au
-- 
Andrew Bartlett
abartlet at pcug.org.au




More information about the samba-technical mailing list