Samba 2.2.X, PAM and Kerberos5

Steve Langasek vorlon at netexpress.net
Wed May 15 07:26:02 GMT 2002


Hello,

On Wed, May 15, 2002 at 04:20:36PM +1000, Bogdan Iamandei wrote:

> I am trying to put together the latest samba 2.2 from CVS, PAM
> and Kerberos5 on a Solaris8 platform. Although it does compile fine,
> attempting to make it work through pam_krb5 fails miserably.

> I have configured the /etc/pam.conf to read:
> # Samba Auth
> samba   auth      required        /usr/lib/security/pam_krb5.so.1
> samba   account   required        /usr/lib/security/pam_krb5.so.1
> samba   session   required        /usr/lib/security/pam_krb5.so.1
> samba   password  required        /usr/lib/security/pam_krb5.so.1
> #

> The messages I receive in the logs are like this:

> [2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_conv(125)
>  smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !
> [2002/05/15 15:30:27, 0] passdb/pampass.c:smb_pam_passcheck(827)
>  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User username !

> For some reason - it appears that only samba has this problem, proftpd
> or telnet or just about any other application work fine against
> pam_krb5.

> My questions are:

> 0). Are the lines in my pam.conf correct?
> 1). Is this a bug or a feature? :)
> 2). Is the Sun's PAM/Kerberos5 implementation b0rken?
> 3). If 2) is true - how come the other applications are not failing? :)
> 4). Any ideas on how to circumvent this... unpleasant b0rkeness?

As far as it goes, your above configuration looks correct.  Have you
checked wherever your syslog auth facility logs to, to see if pam_krb5
is logging any information that might be useful?

Are you using the Solaris pam_krb5 module, or a third-party module?

I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
remember that it's true that Solaris does not honor the appdata_ptr
field.  If Samba now depends on sane handling of appdata_ptr, then it's
likely that this won't work on Solaris.

Steve Langasek
postmodern programmer
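
The failure mode discussed in this thread, as an added example that is not Samba's code and not part of either message: a PAM conversation callback that takes its credentials from `appdata_ptr` and refuses to answer when the library passes NULL instead of the registered pointer. `struct conv_creds`, `example_conv`, the helpers and the stand-in PAM declarations are assumptions made so the block compiles on its own.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in declarations shaped like <security/pam_appl.h> so this compiles
   without PAM headers installed; the constant values are stand-ins too. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical per-request credentials passed to PAM as appdata_ptr. */
struct conv_creds { const char *user; const char *password; };

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

static void free_replies(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++)
        free(r[i].resp);
    free(r);
}

/* Conversation callback: answers prompts from the credentials in
   appdata_ptr, and fails closed if the PAM library passes NULL instead of
   the pointer the application registered. */
int example_conv(int num_msg, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata_ptr)
{
    const struct conv_creds *c = appdata_ptr;
    if (resp == NULL) return PAM_CONV_ERR;
    *resp = NULL;
    if (c == NULL || msg == NULL || num_msg <= 0)
        return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL)
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *src = NULL;   /* other message styles are refused here */
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON)  src = c->user;
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) src = c->password;
        if (src == NULL || (r[i].resp = dup_str(src)) == NULL) {
            free_replies(r, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

A callback written this way rejects every login on a PAM stack that drops `appdata_ptr`, which matches the "Rejecting User" line in the quoted log.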