[Samba] Password sync in 3.6.0 on OS X 10.7, Lion
Jeremy Allison
jra at samba.org
Fri Aug 19 10:43:30 MDT 2011
On Fri, Aug 19, 2011 at 09:11:22AM -0500, Martin Diers wrote:
> My company, which is a mac-heavy shop in the printing industry, needed
> to migrate to a faster file server. As our directory trees are very
> large, both Samba, and Netatalk were bogging down badly on our Linux
> server (Samba, due to heavy CPU usage during directory listings - the
> case-sensitive file system issue, and netatalk because the cnid db was
> getting too big).
Did you look into the Samba large directory HOWTO to fix this ?
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/largefile.html
> Our solution was to switch to a Mac server running a Thunderbolt RAID
> array. This forced us into using Lion, as the only Snow Leopard machines
> with thunderbolt ports are laptops. The new server is extremely fast
> even with our large file systems. But SMBX is causing numerous problems.
>
> Yesterday, I succeeded in getting Samba 3.6.0 compiled and running on
> Lion, and now have a working Macports package. Only one patch was
> required: to address issues with NGROUPS_MAX on Lion, which prevented
> smbd from starting. (FYI: Because groups can be nested in Lion, but
> getgrouplist() reports the list without nesting, the number of groups in
> some system account used by Samba exceeds NGROUPS_MAX. The fix just
> forces it to 32 in lib/system.c - ugly, but it works).
>
> I do not understand how Apple's OpenDirectory integration used to work
> with Samba in versions <= 10.6. I assume they maintained smbpasswd
> tokens inside OpenDirectory. Regardless, this is no longer done in Lion.
> Instead, I attempted to use the pam_smbpass module to sync passwords
> with the tdb backend.
>
> I copied the compiled pam_smbpass.dynlib module to
> /usr/lib/pam/pam_smbpass.so.2.
>
> I then set up /etc/pam.d/passwd like so:
>
> auth required pam_permit.so
> account required pam_opendirectory.so
> password requisite pam_opendirectory.so
> password required pam_smbpass.so nullok use_authtok try_first_pass
> session required pam_permit.so
>
> This prevents user accounts on the Server from changing their own
> password at all. The root user can still change individual system
> account passwords, but no smbpasswd syncing takes place.
>
> I have tried several variants on the "password required" line. All of
> them exhibit the same behavior.
>
> I have been unable to find any debug or log information that sheds much
> light on this behavior. When the user attempts to change their password,
> this is what is shown in /var/log/secure.log:
>
> passwd[229]: in _openpam_check_error_code(): pam_sm_chauthtok():
> unexpected return value 12
From the source code here:
http://trac.des.no/openpam/browser/trunk/include/security/pam_constants.h

enum {
	PAM_SUCCESS = 0,
	PAM_OPEN_ERR = 1,
	PAM_SYMBOL_ERR = 2,
	PAM_SERVICE_ERR = 3,
	PAM_SYSTEM_ERR = 4,
	PAM_BUF_ERR = 5,
	PAM_CONV_ERR = 6,
	PAM_PERM_DENIED = 7,
	PAM_MAXTRIES = 8,
	PAM_AUTH_ERR = 9,
	PAM_NEW_AUTHTOK_REQD = 10,
	PAM_CRED_INSUFFICIENT = 11,
	PAM_AUTHINFO_UNAVAIL = 12,
	PAM_USER_UNKNOWN = 13,
	PAM_CRED_UNAVAIL = 14,
	PAM_CRED_EXPIRED = 15,
	PAM_CRED_ERR = 16,
	PAM_ACCT_EXPIRED = 17,
	PAM_AUTHTOK_EXPIRED = 18,
	PAM_SESSION_ERR = 19,
	PAM_AUTHTOK_ERR = 20,
	PAM_AUTHTOK_RECOVERY_ERR = 21,
	PAM_AUTHTOK_LOCK_BUSY = 22,
	PAM_AUTHTOK_DISABLE_AGING = 23,
	PAM_NO_MODULE_DATA = 24,
	PAM_IGNORE = 25,
	PAM_ABORT = 26,
	PAM_TRY_AGAIN = 27,
	PAM_MODULE_UNKNOWN = 28,
	PAM_DOMAIN_UNKNOWN = 29,
	PAM_NUM_ERRORS /* OpenPAM extension */
};
> And this is what the user sees:
>
> $ passwd
> Changing password for <user>.
> passwd: authentication information is unavailable
Indeed - 12 == PAM_AUTHINFO_UNAVAIL.
> smbd.log shows nothing at all.
>
> If the user's password is changed using the root account, no errors of
> any kind are logged, and no smbpasswd sync takes place.
>
> I know that pam_smbpass works in FreeBSD, which also uses OpenPam, so I
> doubt it is an OpenPam incompatibility. I'm just not sure where to look
> next.
Might be a modified version of OpenPam used by MacOSX - not sure.
Can you look in the Darwin source code to see when PAM_AUTHINFO_UNAVAIL
is returned ?
Jeremy.
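As an added example (not code from the thread or from Samba), a small Python triage helper that decodes OpenPAM "unexpected return value" lines like the secure.log entry above into the constant name from the pam_constants.h enum quoted in the reply, and flags whether that value is one the OpenPAM dispatcher accepts from that module primitive. The per-primitive allowed-value sets are an assumption based on my reading of OpenPAM's _openpam_check_error_code() and should be checked against the OpenPAM (or Darwin) source in use; the log lines are constructed.

```python
import re
# OpenPAM return codes in enum order, from the pam_constants.h excerpt quoted above.
OPENPAM_CODES = [
    "PAM_SUCCESS", "PAM_OPEN_ERR", "PAM_SYMBOL_ERR", "PAM_SERVICE_ERR", "PAM_SYSTEM_ERR",
    "PAM_BUF_ERR", "PAM_CONV_ERR", "PAM_PERM_DENIED", "PAM_MAXTRIES", "PAM_AUTH_ERR",
    "PAM_NEW_AUTHTOK_REQD", "PAM_CRED_INSUFFICIENT", "PAM_AUTHINFO_UNAVAIL",
    "PAM_USER_UNKNOWN", "PAM_CRED_UNAVAIL", "PAM_CRED_EXPIRED", "PAM_CRED_ERR",
    "PAM_ACCT_EXPIRED", "PAM_AUTHTOK_EXPIRED", "PAM_SESSION_ERR", "PAM_AUTHTOK_ERR",
    "PAM_AUTHTOK_RECOVERY_ERR", "PAM_AUTHTOK_LOCK_BUSY", "PAM_AUTHTOK_DISABLE_AGING",
    "PAM_NO_MODULE_DATA", "PAM_IGNORE", "PAM_ABORT", "PAM_TRY_AGAIN",
    "PAM_MODULE_UNKNOWN", "PAM_DOMAIN_UNKNOWN",
]
# Values OpenPAM's dispatcher accepts from a module primitive. ASSUMPTION: this is my
# reading of _openpam_check_error_code() in openpam_dispatch.c; verify against the source.
COMMON = {"PAM_SUCCESS", "PAM_SYSTEM_ERR", "PAM_SERVICE_ERR", "PAM_BUF_ERR",
          "PAM_CONV_ERR", "PAM_PERM_DENIED", "PAM_ABORT"}
ALLOWED = {
    "pam_sm_authenticate": COMMON | {"PAM_AUTH_ERR", "PAM_CRED_INSUFFICIENT",
                                     "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN", "PAM_MAXTRIES"},
    "pam_sm_chauthtok": COMMON | {"PAM_AUTHTOK_ERR", "PAM_AUTHTOK_RECOVERY_ERR",
                                  "PAM_AUTHTOK_LOCK_BUSY", "PAM_AUTHTOK_DISABLE_AGING",
                                  "PAM_TRY_AGAIN"},
}
LINE_RE = re.compile(r"(?P<prog>\w+)\[(?P<pid>\d+)\]: in _openpam_check_error_code\(\): "
                     r"(?P<primitive>pam_sm_\w+)\(\): unexpected return value (?P<code>\d+)")

def decode_openpam_line(line):
    """Parse one syslog line; return None if it is not an OpenPAM dispatcher complaint."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code, primitive = int(m.group("code")), m.group("primitive")
    name = OPENPAM_CODES[code] if 0 <= code < len(OPENPAM_CODES) else "UNKNOWN"
    return {"program": m.group("prog"), "pid": int(m.group("pid")), "primitive": primitive,
            "code": code, "name": name,
            # True when the dispatcher does not accept this value from that primitive
            "rejected": name not in ALLOWED.get(primitive, COMMON)}

def triage(lines):
    """Decode every OpenPAM dispatcher complaint in an iterable of log lines."""
    return [d for d in map(decode_openpam_line, lines) if d is not None]

# Constructed sample log, modelled on the secure.log entry quoted in the thread.
SAMPLE_LOG = ["Aug 19 09:05:12 host passwd[229]: in _openpam_check_error_code(): "
              "pam_sm_chauthtok(): unexpected return value 12",
              "Aug 19 09:05:13 host sshd[301]: Accepted publickey for alice"]
if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d['program']}[{d['pid']}]: {d['primitive']} -> {d['code']} = {d['name']}, "
              f"rejected by dispatcher: {d['rejected']}")
```

The same code 12 that pam_sm_chauthtok is flagged for would pass the check from pam_sm_authenticate, which is why the value, not the module itself, is what to chase when reading the Darwin source.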