[Samba] Configuring pam_smbpass with Solaris

Laurent Blume laurent+samba at elanor.org
Fri Jul 5 05:53:52 MDT 2013


Continuing my investigation: I used tdbdump to compare the content of 
passdb.tdb, and the content there seems wrong.

Here is the line created with smbclient (it's consistent if I replay 
it with the same password, only the "%\97" changes, yay for unsalted 
passwords):

data(206) = 
"\00\00\00\00\7F\A9T|\7F\A9T|\00\00\00\00%\97\D6Q\00\00\00\00\7F\A9T|\09\00\00\00user\00\09\00\00\00SERVER\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\EA\03\00\00\01\02\00\00\10\00\00\00bJ\ACA7\95\CD\C1\FF\176_\AF\1F\FE\89\10\00\00\00;\1BG\E4.\04c'n=\EDl\EF4\9F\93\00\00\00\00\10\00\00\00\A8\00\15\00\00\00 
\00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"

The same line after modification via pam_smbpass, the content is 
noticeably different, whatever is stored there is not the same password:

data(206) = 
"\00\00\00\00\7F\A9T|\7F\A9T|\00\00\00\00\9D\97\D6Q\00\00\00\00\FF\FF\FF\7F\09\00\00\00user\00\09\00\00\00SERVER\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\EA\03\00\00\01\02\00\00\10\00\00\00bJ\ACA7\95\CD\C1\FF\176_\AF\1F\FE\89\10\00\00\00\1B\A3Z\A9\D1\9D\B8\E7\0C9\AE\C1\BC\F2BB\00\00\00\00\10\00\00\00\A8\00\15\00\00\00 
\00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"

If nobody can shed light on this, I'll file a bug, the code is 10 years 
old, it might have got some bitrot.

Thanks,

Laurent


On 04/07/13 15:00, Laurent Blume wrote:
> Hello all.
>
> I'm trying to configure pam_smbpass for Samba 3.6.16 on Solaris 10.
>
> However, I'm getting a strange result: instead of sync'ing the password,
> it *removes* it. That is not quite what I expect...
>
> I have this line in /etc/pam.conf:
> other   password required       pam_smbpass_csw.so debug use_authtok try_first_pass nonull
>
> To start the test, I make sure passwords are already in sync:
> passwd user
> smbpasswd user
>
> Then I check it works:
> su - user
> smbclient \\\\server\\share
>
> Both succeed, so so far, all good.
>
> Now I try to change it using passwd, first as user:
> $ passwd
> Enter existing login password:
> New Password:
> Permission denied
>
> The logs show:
> Jul  4 14:50:17 server passwd[12830]: [ID 871885 auth.notice] (pam_smbpass) failed auth request by user for service passwd as user
> Jul  4 14:50:17 server passwd[12830]: [ID 507756 auth.notice] (pam_smbpass) failed auth request by user for service passwd as user(-18956203)
> Jul  4 14:50:17 server passwd[12830]: [ID 965784 auth.notice] (pam_smbpass) 1 authentication failure from user for service passwd as user(1000)
>
> If I try as root:
> # passwd user
> New Password:
> Re-enter new Password:
> passwd: password successfully changed for user
>
> su works with the new password:
> su - user
>
> Samba fails:
> $ smbclient \\\\server\\share
> Enter user's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> However, the same works with an empty password (press enter at the
> password request). Not good.
>
> The logs show:
> Jul  4 14:54:10 server passwd[12912]: [ID 632017 auth.notice] (pam_smbpass) password for (user/1000) changed by (root/0)
>
> Any idea what I did wrong?
>
> Laurent
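
An added example, not part of the original post and not Samba code: a small Python helper that decodes two tdbdump data strings and lists the byte ranges that differ, automating the by-eye comparison of the passdb.tdb records above. The two sample records are constructed, shortened stand-ins, and the escape rule (printable bytes shown literally, every other byte as \XX hex) is an assumption taken from the dumps shown in the post.

```python
import string

def decode_tdbdump(escaped: str) -> bytes:
    """Turn a tdbdump data string (text between the quotes) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            pair = escaped[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"bad escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(escaped[i]))  # printable byte shown literally
            i += 1
    return bytes(out)

def diff_ranges(a: bytes, b: bytes):
    """Half-open (start, end) offsets of each run of bytes that differs."""
    if len(a) != len(b):
        raise ValueError("records differ in length; compare field by field")
    ranges, start = [], None
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = off
        elif x == y and start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def changed_fields(before: str, after: str):
    """(offset, hex before, hex after) for every differing run."""
    a, b = decode_tdbdump(before), decode_tdbdump(after)
    return [(s, a[s:e].hex(), b[s:e].hex()) for s, e in diff_ranges(a, b)]

# Constructed sample records (not real passdb.tdb contents).
BEFORE = r"%\97\D6Q\05\00\00\00user\00\04\00\00\00AAAA"
AFTER = r"\9D\97\D6Q\05\00\00\00user\00\04\00\00\00AxyA"

if __name__ == "__main__":
    for offset, old, new in changed_fields(BEFORE, AFTER):
        print(f"offset {offset}: {old} -> {new}")
```
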


