PAM, winbind, samba 3 CVS version problem

Alan Munter alan.munter at nist.gov
Mon Oct 27 23:05:48 GMT 2003


I am not a PAM expert, but pam_winbind seems to be doing some funny
things.  I have the source and I am going to take a crack at sorting out
what is going on (because now I am interested in it), but perhaps
someone here is already working on it.

With John Terpstra's help I got the current CVS version (current as of
10/22/03) up and running on a RH 9.0 machine.  It is a member of my Win
2003 AD domain and after adding a pam_winbind.so line in the auth and
account sections of PAM it happily allows local users (from /etc/passwd)
like root to log in and also allows Windows domain users to log in.  The
one thing that I can't get working is pam_winbind.so in the "password"
section.  

I think I know what is going wrong.  After reading the PAM documentation
at kernel.org it seems like pam_winbind should send back the
PAM_USER_UNKNOWN flag and exit immediately if it does not find the user
in the Windows domain.  I could then specify, instead of "sufficient" in
my pam config something like [success=done new_authtok_reqd=done
default=ignore user_unknown=ignore].

I am assuming that the usernames that winbind can find out about are the
ones that get listed when I do "wbinfo -u."  Instead of sending back
this flag when the user is unknown to winbind (like in the case of local
logins, i.e. root) it seems to be sending back something that PAM does
not understand.

Here is what /etc/pam.d/system-auth looks like with pam_winbind not in
the password section since it is not working:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok nullok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


Here are some log entries from a successful ssh login as root to the
Linux machine, which would be using pam_winbind.so from the auth
section:

Oct 27 16:46:55 temp pam_winbind[11443]: request failed: Unexpected
information received, PAM error was 4, NT error was
NT_STATUS_INVALID_PARAMETER
Oct 27 16:46:55 temp pam_winbind[11443]: internal module error (retval =
4, user = `root'
Oct 27 16:46:55 temp pam_winbind[11443]: user 'root' granted acces
Oct 27 16:46:55 temp sshd(pam_unix)[11443]: session opened for user root
by (uid=0)

Note that this was a successful login, but it is still giving these
errors.  

The error messages seem to indicate that the module is giving some
return value that PAM doesn't understand which, in the case of the
"auth" section is OK as PAM just moves on to the next module in the
stack which would be pam_unix.so.  However, in the case of the
"password" section it is not OK because it waits to fail until it has
asked for your "Current NT Password" and your new NT Password even
though it should know by that point that it will not be able to
successfully do anything about it.

Here is what happens when I add the line:

password    [user_unknown=ignore success=done new_authtok_reqd=ok
default=ignore] /lib/security/$ISA/pam_winbind.so

above the pam_unix.so line in the password section and try to change the
password as a local user named fred who is not in the Windows domain.

[fred at temp fred]$ passwd
Changing password for user fred.
Changing password for fred
(current) NT password: 
Changing password for fred
(current) UNIX password: 
New password: 
Retype new password: 
Enter new NT password: 
Retype new NT password: 
No password supplied
No password supplied
No password supplied
passwd: Authentication token manipulation error

It does not matter what I type for the current NT password for fred, it
then just immediately asks me for the current UNIX password.  The
current UNIX password is checked and gives a token manipulation error if
it is wrong immediately.  See how weird it looks?  The winbind part
comes back at the end and tries again.  Here are the log entries for the
above transaction:

Oct 27 17:57:41 temp pam_winbind[11900]: request failed:
NT_STATUS_INVALID_PARAMETER, PAM error was 4, NT error was
NT_STATUS_INVALID_PARAMETER
Oct 27 17:57:41 temp pam_winbind[11900]: internal module error (retval =
4, user = `fred'
Oct 27 17:57:41 temp passwd(pam_unix)[11900]: new password not
acceptable

Is this some problem with my PAM setup?  I don't think so, but perhaps
it is.

Is this a known problem and is it being worked on by someone here?  I am
keen to help sort this out, but since I am not an expert I will probably
need some advice on where to start tackling the problem.  Or if whoever
is familiar with the pam_winbind code wants me to try out a few quick
hacks at the problem I am very willing to give it a try.

Sorry for the length of this post, but I wanted to be thorough in
explaining the problem as I saw it.

Thanks,

Alan
-- 
Alan E. Munter                         NIST Center for Neutron Research
Physical Scientist                     100 Bureau Dr., Stop 8562
alan.munter at nist.gov                   Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/              (301)975-6244
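To make the stacking behaviour discussed above concrete, here is an added example (not code from the post, from Samba or from Linux-PAM) that models how Linux-PAM walks a module stack and runs the post's auth section with the return codes its log shows. The expansion of "required"/"sufficient" into action tables follows pam.conf(5); the dispatch logic is a simplified reading of libpam, and pam_unix returning success for root is an assumption taken from the "session opened" log line.

```python
"""Simplified model of Linux-PAM stack evaluation (added example)."""
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED = 0, 4, 6
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD = 10, 12

# Keyword controls are shorthand for bracketed action tables (pam.conf(5)).
CONTROLS = {
    "required":   {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok", "default": "bad"},
    "requisite":  {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok", "default": "die"},
    "sufficient": {PAM_SUCCESS: "done", PAM_NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {PAM_SUCCESS: "ok", PAM_NEW_AUTHTOK_REQD: "ok", "default": "ignore"},
    # The bracketed control the post proposes for pam_winbind.
    "winbind_bracket": {PAM_SUCCESS: "done", PAM_NEW_AUTHTOK_REQD: "done",
                        PAM_USER_UNKNOWN: "ignore", "default": "ignore"},
}

def run_stack(stack):
    """stack: list of (control, module, return_code). Returns (status, trace)."""
    impression, status, trace = None, PAM_PERM_DENIED, []
    for control, module, rc in stack:
        table = CONTROLS[control]
        action = table.get(rc, table["default"])
        trace.append(f"{module}: rc={rc} -> {action}")
        if action in ("ok", "done"):
            # A success only counts while no earlier module has failed.
            if impression is None or (impression == "pos" and status == PAM_SUCCESS):
                impression, status = "pos", rc
            if action == "done" and impression == "pos":
                break                     # sufficient: stop on first success
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", rc   # first failure wins
            if action == "die":
                break
        # "ignore": this module's verdict leaves the stack state untouched
    if impression is None:
        status = PAM_PERM_DENIED          # nothing contributed: fail closed
    return status, trace

# The post's auth section for root: pam_winbind logged "PAM error was 4".
AUTH_STACK_ROOT = [
    ("required",   "pam_env",     PAM_SUCCESS),
    ("sufficient", "pam_winbind", PAM_SYSTEM_ERR),
    ("sufficient", "pam_unix",    PAM_SUCCESS),      # assumed from the log
    ("required",   "pam_deny",    PAM_PERM_DENIED),
]

def winbind_as(control, rc=PAM_SYSTEM_ERR):
    """Re-run the auth stack with pam_winbind under another control / return code."""
    stack = [(control, m, rc) if m == "pam_winbind" else (c, m, r)
             for c, m, r in AUTH_STACK_ROOT]
    return run_stack(stack)[0]
```

The point for an administrator: "sufficient" maps every non-success code, including an internal module error, to "ignore", which is why the root login above still succeeds; under "required" the same error (4) would fail the whole stack even though pam_unix succeeds.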
