disable "fake" samba authentication error messages (fwd)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Fri Jul 3 14:36:23 GMT 1998
---------- Forwarded message ----------
Date: Thu, 2 Jul 1998 12:59:33 -0700
From: Andrew Morgan <morgan at transmeta.com>
Reply-To: pam-list at redhat.com
To: pam-list at redhat.com
Cc: Urs Rau <urs at uk.om.org>,
Multiple recipients of list <samba at samba.anu.edu.au>
Subject: Re: disable "fake" samba authentication error messages
Resent-Date: 2 Jul 1998 20:03:11 -0000
Resent-From: pam-list at redhat.com
Resent-cc: recipient.list.not.shown:;
Luke Kenneth Casson Leighton writes:
> >
> > On Thu, 2 Jul 1998, Urs Rau wrote:
> >
> > > What bothers me is that samba is filling up my log files with a lot of
> > > extraneous/fake entries about authentication failures. "Extraneous/fake" -
> > > because all it is is a reflection of the way the protocol actually tries to login -
> > > going through the upper/lower case mutations as configured.
>
> This is due to the Windows machines forcing the password to be uppercased.
> A cracking algorithm is applied, which can be short-circuited by asking
> your users to only use lower case letters in passwords. This will still
> allow numbers and non-numeric characters but may still not satisfy the
> truly paranoid.
>
> The alternative is to use encrypted passwords, and maintain the UNIX and
> NT / LM password databases separately: there are tools to do this.
This may be eliminated if it is possible to get samba to work like this:
    conv(..., app_data)
    {
        /* use app_data to indicate how many times we've been called */
        if ( first_time ) {
            return string_as_typed
        } else if ( second_time ) {
            return string_upper_cased
        } else {
            return nothing_more
        }
    }

    main()
    {
        ...
        pam_start
        if (pam_authenticate != PAM_SUCCESS
            && pam_authenticate != PAM_SUCCESS) {
            /* bad - you should also check for MAX-TRIES
               return... */
        }
        /* good */
        pam_....
        pam_end
        ...
    }
Since pam_pwdb, which is probably what is generating a lot of your log
messages, keeps a record of who tried and failed and only logs a
message if each failure is not followed by a success. As long as you
keep calling pam_authenticate() and succeed once, I think you'll not
have a problem.
[It is the pam_end() call that cleans up pam_pwdb's mental note
(pam-data structure) that actually does the logging in this case.]
Perhaps the problem in samba is more complicated?
Cheers
Andrew
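
Added example, not part of the original message and not libpam or Samba code: a self-contained C model of the scheme sketched above, in which the conversation offers the password as typed and then upper-cased, and a failure is only noted at attempt time and logged at cleanup if no attempt succeeded. The struct, the function names and the sample credentials are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not libpam: per-session state kept like module data. */
struct session { int calls, failures, succeeded; };

/* 1st call: string as typed; 2nd: upper-cased; then nothing more (returns 0). */
static int conv(struct session *s, const char *typed, char *out, size_t n)
{
    size_t i, len = strlen(typed);
    if (s->calls >= 2 || len >= n)
        return 0;
    for (i = 0; i <= len; i++)   /* i == len copies the terminating NUL */
        out[i] = s->calls ? (char)toupper((unsigned char)typed[i]) : typed[i];
    s->calls++;
    return 1;
}

/* One authentication attempt: a failure is only noted here, never logged. */
static int authenticate(struct session *s, const char *typed, const char *stored)
{
    char cand[64];
    if (conv(s, typed, cand, sizeof cand) && strcmp(cand, stored) == 0)
        return s->succeeded = 1;
    s->failures++;
    return 0;
}

/* Cleanup, the step the message attributes to pam_end(): write a failure
 * entry only if no attempt succeeded. Returns the number of log lines. */
static int session_end(const struct session *s, const char *user)
{
    if (s->succeeded || s->failures == 0)
        return 0;
    fprintf(stderr, "auth failure for %s (%d tries)\n", user, s->failures);
    return 1;
}

/* Try at most two candidates, then clean up; returns log lines written. */
int login_log_lines(const char *user, const char *typed, const char *stored)
{
    struct session s = {0, 0, 0};
    if (!authenticate(&s, typed, stored))
        authenticate(&s, typed, stored);
    return session_end(&s, user);
}

int main(void) { return login_log_lines("urs", "Secret1", "SECRET1"); }
```

With the constructed input in `main`, the as-typed attempt fails, the upper-cased one succeeds, and no failure line is written.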