[PATCH] Re: W2K Domain Login Problem with 2.2.0
Andrew Bartlett
abartlet at pcug.org.au
Tue Apr 24 21:24:15 GMT 2001
Steve Langasek wrote:
>
> On Tue, 24 Apr 2001, Andrew Bartlett wrote:
>
> > Steve Langasek wrote:
>
> > > On Tue, 24 Apr 2001, Andrew Bartlett wrote:
>
> > > > Finally, an explaination that MAKES SENSE. Whats more, the reason it
> > > > worked for me is that I use NIS, so didn't need to be root.
>
> > > It also explains why PAM fails for some operations and not for others; owing
> > > to RPC, Samba isn't always calling PAM from the same security context. Still,
> > > I'd like some empirical confirmation that my patch fixes the problem before
> > > concluding that this is what's really happening.
>
> > The attached patch fixes the become_root()/unbecome_root() needed for
> > account checking, and adds password changing via PAM. It moves
> > pam_setcred into a seperate function, and deletes credentials on close.
> > I think it knocks out all the known issues with PAM at the moment, bar
> > the chaining of pamh handles from pam use to pam use. It also doesn't
> > stuff up our linking with the various other utilities in PAM. I would
> > be VERY supprised if this doesn't fix it - as its ONLY nt domain stuff
> > thats called from nobody, and this bugs victums report being able to
> > mount the shares correctly - where there is also a pam account check.
>
> What problem does the code below fix? If you are concerned that some modules
> will change passwords without checking the old password when called as root,
> you should call pam_authenticate() first rather than trying to fake up a
> set-uid /bin/passwd. It is /not/ reasonable to expect pam_chauthtok() to
> authenticate the user for you. Some modules will authenticate the user
> because they have to, some will do so as a convenience for the application
> writer. It's possible that some modules will /not/ take this as a cue to
> authenticate the user before updating the authentication token, so the safest
> way to handle this is simply to always ensure the user has been authenticated
> (with pam_authenticate() or otherwise) before pam_chauthtok() is called.
>
> Steve Langasek
> postmodern programmer
>
> +#if 0
> + if (as_root) {
> + become_root();
> + } else {
> + struct passwd *passwd = sys_getpwnam(user);
> +
> + if (passwd == NULL) {
> + return False;
> + } else {
> + int ruid;
> + ruid = passwd->pw_uid;
> + /* We need to look the same as a set-uid /bin/passwd */
> + save_re_uid();
> + setreuid(ruid, 0); /* HACK!!! I just need this to work, there
> + probably a much better/more portable way
> + to do this */
> + assert_uid(ruid, 0);
> + }
> + }
> +#endif
> +
We already authenticate the user well before we get to the unix password
sync code (against our encrypted db). In my latest patch I've dropped
the other (not as_root) stuff - as I can't tell you its perfecty
correct, or even tested. See http://samba.org/samba-patches?findid=355
(I'm dropping of the net for a few days - I'll pick this up when I
return).
Andrew Bartlett
abartlet at pcug.org.au
--
Andrew Bartlett
abartlet at pcug.org.au
More information about the samba-technical
mailing list