disable "fake" samba authentication error messages

Charlie Brady cbrady at ind.tansu.com.au
Sat Jul 4 07:24:43 GMT 1998


On Fri, 3 Jul 1998, Andrew Morgan wrote:

> Luke Kenneth Casson Leighton writes:
> >
> > This is due to the Windows machines forcing the password to be uppercased.
> > A cracking algorithm is applied, which can be short-circuited by asking
> > your users to only use lower case letters in passwords.  This will still
> > allow numbers and non-numeric characters but may still not satisfy the
> > truly paranoid.

That's not exactly true Luke. Samba first tries to authenticate using the
password as it arrived from the client. If the client is forcing upper
case, and the users are using only lower case letters, then there will be
one message logged for *every* successful logon. If samba were to first
try the lowercased password (and the other conditions were unchanged),
then the "problem" would go away.

That said, samba 1.9.18 (p6 at least) uses PAM_SILENT to try to get pwdb
to stay quiet. This might be a rather brutal way to deal with the problem.
 
> > The alternative is to use encrypted passwords, and maintain the UNIX and
> > NT / LM password databases separately: there are tools to do this.

...


> This may be eliminated if it is possible to get samba to work like this:

...

> 	pam_start
> 	if (pam_authenticate != PAM_SUCCESS
> 		&& pam_authenticate != PAM_SUCCESS) {
> 		/* bad - you should also check for MAX-TRIES
> 		         return... */
> 	}
> 	/* good */
> 	pam_....
> 	pam_end
> ..
> }
>
..
> 
> Since pam_pwdb, which is probably what is generating a lot of your log
> messages, keeps a record of who tried and failed and only logs a
> message if each failure is not followed by a success.  As long as you
> keep calling pam_authenticate() and succeed once, I think you'll not
> have a problem.
> 
> [It is the pam_end() call that cleans up pam_pwdb's mental note
> (pam-data structure) that actually does the logging in this case.]

It might be possible to do this, but the samba authentication code would
need to be re-arranged a bit to do so.

Charlie Brady - Telstra  |internet: cbrady at ind.tansu.com.au
Network Products         |Snail    : Locked Bag 6581, GPO Sydney 2001 Australia
Platform Technologies    |Physical : Lvl 2, 175 Liverpool St, Sydney 2000
 IN-Sub Unit - Sydney    | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301
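
The following is an added example, not part of the original message and not Samba or Linux-PAM code. It is a toy model of the logging behaviour discussed in this thread: a failure is only noted at attempt time, and the cleanup step logs it unless a later attempt in the same transaction succeeded. The names auth_txn, try_password, txn_end and authenticate, and the sample password, are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one authentication transaction; this is not libpam. */
struct auth_txn { const char *user; int failures; };
static const char *STORED = "s3cret!pw";   /* constructed sample password */

static int try_password(struct auth_txn *t, const char *pw)
{
    if (strcmp(pw, STORED) == 0) {
        t->failures = 0;      /* a success cancels the pending failure note */
        return 1;
    }
    t->failures++;            /* remember the failure, do not log yet */
    return 0;
}

/* Cleanup decides whether to log; returns the number of messages written. */
static int txn_end(struct auth_txn *t)
{
    int pending = t->failures;
    if (pending)
        fprintf(stderr, "auth failure: user=%s attempts=%d\n", t->user, pending);
    t->failures = 0;
    return pending ? 1 : 0;
}

/* Try pw as received, then lower-cased. one_txn != 0: both attempts share
 * a transaction; otherwise each attempt gets its own. */
int authenticate(const char *user, const char *pw, int one_txn, int *logged)
{
    struct auth_txn t = { user, 0 };
    char lower[128];
    size_t i;
    int ok;

    for (i = 0; i + 1 < sizeof lower && pw[i] != '\0'; i++)
        lower[i] = (char)tolower((unsigned char)pw[i]);
    lower[i] = '\0';
    *logged = 0;
    ok = try_password(&t, pw);
    if (!ok && !one_txn)
        *logged += txn_end(&t);   /* first transaction closes with a failure */
    if (!ok)
        ok = try_password(&t, lower);
    *logged += txn_end(&t);
    return ok;
}
```

With one transaction per attempt, an upper-cased client password produces one failure message for every successful logon; with a shared transaction, only logons where both attempts fail are logged.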


