disable "fake" samba authentication error messages

Andrew Morgan morgan at transmeta.com
Thu Jul 2 19:59:33 GMT 1998


Luke Kenneth Casson Leighton writes:
> > 
> > On Thu, 2 Jul 1998, Urs Rau wrote:
> > 
> > > What bothers me is that samba is filling up my log files with a lot of 
> > > extraneous/fake entries about authentication failures. "Extraneous/fake" - 
> > > because all it is is a reflection of the way the protocol actually tries to login - 
> > > going through the upper/lower case mutations as configured.
> 
> This is due to the Windows machines forcing the password to be uppercased.
> A cracking algorithm is applied, which can be short-circuited by asking
> your users to only use lower case letters in passwords.  This will still
> allow numbers and non-numeric characters but may still not satisfy the
> truly paranoid.
> 
> The alternative is to use encrypted passwords, and maintain the UNIX and
> NT / LM password databases separately: there are tools to do this.

This may be eliminated if it is possible to get samba to work like this:

#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>

struct app_data { int calls; const char *typed, *upper; };

/* conv(): use app_data to indicate how many times we've been called;
   assumes the module asks one prompt (n == 1) per pam_authenticate() */
static int conv(int n, const struct pam_message **msg,
		struct pam_response **resp, void *app_data)
{
	struct app_data *d = app_data;
	const char *answer;

	if (d->calls == 0)
		answer = d->typed;	/* first time: string as typed */
	else if (d->calls == 1)
		answer = d->upper;	/* second time: string upper cased */
	else
		return PAM_CONV_ERR;	/* nothing more */
	d->calls++;

	*resp = calloc(n, sizeof(**resp));
	if (*resp == NULL)
		return PAM_BUF_ERR;
	(*resp)[0].resp = strdup(answer);	/* libpam frees this */
	return PAM_SUCCESS;
}

int main(void)
{
	struct app_data d = { 0, "secret", "SECRET" };	/* placeholders */
	struct pam_conv pc = { conv, &d };
	pam_handle_t *pamh = NULL;
	int ret;

	if (pam_start("samba", "user", &pc, &pamh) != PAM_SUCCESS)
		return 1;
	ret = pam_authenticate(pamh, 0);
	if (ret != PAM_SUCCESS)
		ret = pam_authenticate(pamh, 0);	/* second try, upper cased */
	if (ret != PAM_SUCCESS) {
		/* bad - you should also check for MAX-TRIES */
		pam_end(pamh, ret);
		return 1;
	}
	/* good: pam_acct_mgmt(), pam_open_session(), ... */
	pam_end(pamh, PAM_SUCCESS);
	return 0;
}

Since pam_pwdb, which is probably what is generating a lot of your log
messages, keeps a record of who tried and failed and only logs a
message if each failure is not followed by a success.  As long as you
keep calling pam_authenticate() and succeed once, I think you'll not
have a problem.

[It is the pam_end() call that cleans up pam_pwdb's mental note
(pam-data structure) that actually does the logging in this case.]

Perhaps the problem in samba is more complicated?

Cheers

Andrew
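An added illustration of the flow Andrew sketches above, written for this page and not part of the original message, libpam or pam_pwdb: a constructed model in which the conversation callback hands over the string as typed, then upper cased, then nothing more, while the module side only notes failures and the log line is written at the pam_end() stage, and only if no success followed the failures. The names conv(), authenticate(), end_session() and login() are stand-ins chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Constructed model of the flow above; not libpam or pam_pwdb code. */
struct app_data { int calls; const char *typed; };  /* application side */
struct fail_note { int failures; };                 /* module's "mental note" */
/* conv(): app_data counts the calls: as typed, then upper cased, then NULL. */
static const char *conv(struct app_data *d, char *buf, size_t len)
{
	if (d->calls >= 2)
		return NULL;
	snprintf(buf, len, "%s", d->typed);
	if (d->calls == 1)
		for (size_t i = 0; buf[i]; i++)
			buf[i] = (char)toupper((unsigned char)buf[i]);
	d->calls++;
	return buf;
}
/* Stand-in for pam_authenticate(): a failure is noted, a success wipes the note. */
static int authenticate(struct fail_note *n, struct app_data *d, const char *stored)
{
	char buf[64];
	const char *cand = conv(d, buf, sizeof buf);
	if (cand && strcmp(cand, stored) == 0) {
		n->failures = 0;
		return 1;
	}
	n->failures++;
	return 0;
}
/* Stand-in for pam_end()'s cleanup: logs only if failures remain; returns 1 if it did. */
static int end_session(struct fail_note *n)
{
	if (n->failures == 0)
		return 0;
	fprintf(stderr, "authentication failure: %d bad attempt(s)\n", n->failures);
	return 1;
}
/* Returns the number of tries on success (nothing logged), -1 on failure. */
int login(const char *typed, const char *stored)
{
	struct app_data d = { 0, typed };
	struct fail_note n = { 0 };
	int ok = 0, logged;
	while (!ok && d.calls < 2)
		ok = authenticate(&n, &d, stored);
	logged = end_session(&n);
	return ok && !logged ? d.calls : -1;
}
```

With a stored value of "SECRET" and "secret" as typed, the first call fails, the second succeeds and nothing is logged; only when both candidates miss does the cleanup write the failure line.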
