[Samba] Password sync in 3.6.0 on OS X 10.7, Lion

Jeremy Allison jra at samba.org
Fri Aug 19 10:43:30 MDT 2011


On Fri, Aug 19, 2011 at 09:11:22AM -0500, Martin Diers wrote:
> My company, which is a mac-heavy shop in the printing industry, needed
> to migrate to a faster file server. As our directory trees are very
> large, both Samba, and Netatalk were bogging down badly on our Linux
> server (Samba, due to heavy CPU usage during directory listings - the
> case-sensitive file system issue, and netatalk because the cnid db was
> getting too big).

Did you look into the Samba large directory HOWTO to fix this?

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/largefile.html

> Our solution was to switch to a Mac server running a Thunderbolt RAID
> array. This forced us into using Lion, as the only Snow Leopard machines
> with thunderbolt ports are laptops. The new server is extremely fast
> even with our large file systems. But SMBX is causing numerous problems.
> 
> Yesterday, I succeeded in getting Samba 3.6.0 compiled and running on
> Lion, and now have a working Macports package. Only one patch was
> required: to address issues with NGROUPS_MAX on Lion, which prevented
> smbd from starting. (FYI: Because groups can be nested in Lion, but
> getgrouplist() reports the list without nesting, the number of groups in
> some system account used by Samba exceeds NGROUPS_MAX. The fix just
> forces it to 32 in lib/system.c - ugly, but it works).
> 
> I do not understand how Apple's OpenDirectory integration used to work
> with Samba in versions <= 10.6. I assume they maintained smbpasswd
> tokens inside OpenDirectory. Regardless, this is no longer done in Lion.
> Instead, I attempted to use the pam_smbpass module to sync passwords
> with the tdb backend.
> 
> I copied the compiled pam_smbpass.dynlib module to
> /usr/lib/pam/pam_smbpass.so.2.
> 
> I then setup /etc/pam.d/passwd like so:
> 
> auth       required       pam_permit.so
> account    required       pam_opendirectory.so
> password   requisite      pam_opendirectory.so
> password   required       pam_smbpass.so nullok use_authtok try_first_pass
> session    required       pam_permit.so
> 
> This prevents user accounts on the Server from changing their own
> password at all. The root user can still change individual system
> account passwords, but no smbpasswd syncing takes place.
> 
> I have tried several variants on the "password required" line. All of
> them exhibit the same behavior.
> 
> I have been unable to find any debug or log information that sheds much
> light on this behavior. When the user attempts to change their password,
> this is what is shown in /var/log/secure.log:
> 
> passwd[229]: in _openpam_check_error_code(): pam_sm_chauthtok():
> unexpected return value 12

From the source code here:

http://trac.des.no/openpam/browser/trunk/include/security/pam_constants.h

enum {
        PAM_SUCCESS                     =   0,
        PAM_OPEN_ERR                    =   1,
        PAM_SYMBOL_ERR                  =   2,
        PAM_SERVICE_ERR                 =   3,
        PAM_SYSTEM_ERR                  =   4,
        PAM_BUF_ERR                     =   5,
        PAM_CONV_ERR                    =   6,
        PAM_PERM_DENIED                 =   7,
        PAM_MAXTRIES                    =   8,
        PAM_AUTH_ERR                    =   9,
        PAM_NEW_AUTHTOK_REQD            =  10,
        PAM_CRED_INSUFFICIENT           =  11,
        PAM_AUTHINFO_UNAVAIL            =  12,
        PAM_USER_UNKNOWN                =  13,
        PAM_CRED_UNAVAIL                =  14,
        PAM_CRED_EXPIRED                =  15,
        PAM_CRED_ERR                    =  16,
        PAM_ACCT_EXPIRED                =  17,
        PAM_AUTHTOK_EXPIRED             =  18,
        PAM_SESSION_ERR                 =  19,
        PAM_AUTHTOK_ERR                 =  20,
        PAM_AUTHTOK_RECOVERY_ERR        =  21,
        PAM_AUTHTOK_LOCK_BUSY           =  22,
        PAM_AUTHTOK_DISABLE_AGING       =  23,
        PAM_NO_MODULE_DATA              =  24,
        PAM_IGNORE                      =  25,
        PAM_ABORT                       =  26,
        PAM_TRY_AGAIN                   =  27,
        PAM_MODULE_UNKNOWN              =  28,
        PAM_DOMAIN_UNKNOWN              =  29,
        PAM_NUM_ERRORS                                  /* OpenPAM extension */
};

> And this is what the user sees:
> 
> $ passwd
> Changing password for <user>.
> passwd: authentication information is unavailable

Indeed - 12 == PAM_AUTHINFO_UNAVAIL.

> smbd.log shows nothing at all.
> 
> If the user's password is changed using the root account, no errors of
> any kind are logged, and no smbpasswd sync takes place.
> 
> I know that pam_smbpass works in FreeBSD, which also uses OpenPam, so I
> doubt it is an OpenPam incompatibility. I'm just not sure where to look
> next.

Might be a modified version of OpenPam used by MacOSX - not sure.

Can you look in the Darwin source code to see when PAM_AUTHINFO_UNAVAIL
is returned?

Jeremy.
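As an added illustration (not code from this thread, from Samba or from OpenPAM): a small Python model of how the quoted /etc/pam.d/passwd stack is walked under the usual required/requisite/sufficient rules, plus a decoder that maps the logged "unexpected return value 12" to its name using the enum above. The chain rules are a simplified model rather than OpenPAM's dispatch code, and the module outcomes fed in are hypothetical; the stack text and the log line are the ones quoted in the message.

```python
import re

# OpenPAM return codes from pam_constants.h as quoted above (subset used here).
PAM_SUCCESS, PAM_AUTHINFO_UNAVAIL, PAM_AUTHTOK_ERR, PAM_IGNORE = 0, 12, 20, 25
PAM_NAMES = {0: "PAM_SUCCESS", 12: "PAM_AUTHINFO_UNAVAIL",
             20: "PAM_AUTHTOK_ERR", 25: "PAM_IGNORE"}

# The /etc/pam.d/passwd stack from the message, embedded as a constructed input.
PASSWD_STACK = """\
auth       required       pam_permit.so
account    required       pam_opendirectory.so
password   requisite      pam_opendirectory.so
password   required       pam_smbpass.so nullok use_authtok try_first_pass
session    required       pam_permit.so
"""

def parse_stack(text, facility):
    """Return [(control, module, options)] for one facility, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries

def run_chain(entries, outcomes):
    """Simplified model of the required/requisite/sufficient/optional rules.

    outcomes: module name -> code that module would return (default success).
    Returns (final code, list of modules that were actually called).
    """
    err, called = PAM_SUCCESS, []
    for control, module, _opts in entries:
        called.append(module)
        rc = outcomes.get(module, PAM_SUCCESS)
        if rc in (PAM_SUCCESS, PAM_IGNORE):
            if control == "sufficient" and err == PAM_SUCCESS:
                break               # a successful "sufficient" ends the chain
            continue
        if control == "requisite":
            return rc, called       # fatal: the rest of the chain never runs
        if control == "required" and err == PAM_SUCCESS:
            err = rc                # remember the first failure, keep going
        # failures of optional / sufficient modules do not change the result
    return err, called

LOG_RE = re.compile(r"(pam_sm_\w+)\(\): unexpected return value (\d+)")

def decode_log_line(line):
    """Map an OpenPAM 'unexpected return value' log line to a symbolic name."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(2))
    return m.group(1), code, PAM_NAMES.get(code, "UNKNOWN(%d)" % code)
```

Because pam_opendirectory.so is listed as requisite in the password phase, any failure it reports ends the phase before pam_smbpass.so is called, which is one way to get a changed system password with no smbpasswd sync and no smbd log entry.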