Samba 2.2.X, PAM and Kerberos5

Mike Gerdts Michael.Gerdts at alcatel.com
Wed May 15 08:38:28 GMT 2002


On Wed, 2002-05-15 at 10:23, Steve Langasek wrote:
> I'm not sure why the 'appdata_ptr == NULL' check is there, but I seem to
> remember that it's true that Solaris does not honor the appdata_ptr
> field.  If Samba now depends on sane handling of appdata_ptr, then it's
> likely that this won't work on Solaris.

As I was looking at implementing Kerberos, I found the Solaris pam_krb5
to be so bug-ridden that I had pretty much rejected it.

Bug 4464325 - su dumps core when pam_krb5 is enabled.  

    Reported 5/29/2001, fixed on Solaris 8 with 109805-05 (2/21/2002)

Bug ???? - pam_krb5.so.1 dumps core in pam_sm_setcred

    Reported 9/26/2001, fixed in Solaris 9 build 54, no fix for Solaris
    8 as of 5/15/2002

Service order 62638039 - in.rshd dumps core after configuring Kerberos

    Case was closed stating it was a documentation error.  I was never
    told that this case was going to be closed.  I only found out it was
    closed after the fact.  No fix or workaround was even suggested. 
    Really nice to see that network facing services that must run as
    root can be caused to core dump due to a "documentation error".

Bug 4507496 - pam_krb5 is confused between pam_authenticate and
pam_setcred

    Reported 10/12/2001, not fixed as of 5/15/2002

Note that none of these problems are fixed for Solaris 7 (SEAM 1.0).
Using pam_krb5 1.31 from Redhat 7.1 resolved every one of these issues.

And now to wander offtopic (and vent) a bit...

Sun's kerberos implementation has several other issues that made me
quite leery of using any parts of it.  I tried to work with Sun to
resolve these issues for Solaris 7 and 8, but they were unable to find
the time to work on Solaris 7 or 8 in favor of new development on 9.

If you are using a Sun kerberos implementation, be sure that you have an
empty /.k5login.  Else, root/anyhost.yourdomain.com@YOURDOMAIN.COM can
telnet/rsh/whatever to root on any other host without giving a password
and without the standard remote root login restrictions that one would
expect to be controlled by /etc/default/login.  See krb5_auth_rules(5)
from SEAM for details.  As a result of this unexpected behavior I
requested the following as part of a service call, but got no response.

    Could you please file two RFE's?

        1) Update each "Sun Enterprise Authentication Mechanism x.y.z
        Guide" with the warning mentioned above.  There should also be a
        mention of this difference in the "SEAM Interoperability with MIT"
        section of "SEAM x.y.z Installation and Release Notes".

        2) Update telnetd(1M), rlogind(1M) and rshd(1M) to include the
        warning and update the SEE ALSO section of each of the man pages to
        refer to krb5_auth_rules(5).

Mike
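The /.k5login advice in the message above, as an added shell audit that is not part of the original post or of SEAM: it assumes the standard .k5login format of one Kerberos principal per line, and the realm and host names used for testing are constructed.

```sh
#!/bin/sh
# Added example: classify a /.k5login file against the SEAM behaviour
# described above.  Assumption: one principal per line, no comments.

# k5login_state FILE
#   Prints one of:
#     MISSING  no file, so the krb5_auth_rules(5) defaults apply and
#              root/<anyhost>@REALM may log in as root without a password
#     EMPTY    file exists but names nobody (the locked-down setting)
#     LISTED   file names explicit principals that should be reviewed
k5login_state() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo MISSING
        return 0
    fi
    # a file made only of blank lines still counts as empty
    if ! grep -q '[^[:space:]]' "$f" 2>/dev/null; then
        echo EMPTY
        return 0
    fi
    echo LISTED
}

# k5login_root_instances FILE
#   Prints the principals whose primary is "root" with a host instance
#   (root/host@REALM), i.e. the kind of principal the warning is about.
k5login_root_instances() {
    grep -E '^root/[^@[:space:]]+@' "$1" 2>/dev/null || true
}
```

Run `k5login_state /.k5login` on each SEAM host; anything other than EMPTY deserves a look, and `k5login_root_instances /.k5login` lists the entries to check first.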
