Bug 3240 - libpam-smbpass: Migrate support in password module
Summary: libpam-smbpass: Migrate support in password module
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.20b
Hardware: All All
Importance: P3 enhancement
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL: http://bugs.debian.org/cgi-bin/bugrep...
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-04 02:14 UTC by Christian Perrier (dead mail address)
Modified: 2005-11-05 00:34 UTC (History)

Description Christian Perrier (dead mail address) 2005-11-04 02:14:09 UTC
This bug is an old one in the Debian BTS. I have no precise opinion on the 
suggestion as this part of the code is not something I use myself. 
 
The bug submitter proposed a patch which does not apply completely cleanly on 
current sources, but seems easy to adapt. 
 
I personally classify this as a feature request. 
 
The bug submitter said: 
The auth component of libpam-smbpass contains an option, 'migrate', 
which adds users who authenticated in a prior module to the smbpasswd 
file, in order to ease migration to smbpasswd. However, this means that 
new users must log in at least once to be added to the smbpasswd file, 
making it still partially difficult to keep the passwd and smbpasswd 
file synchronized. 
 
This patch adds migrate functionality to the password component of 
libpam_smbpass. This means that, if the migrate option is set, 
libpam_smbpass will add the username and new password to the smbpasswd 
file if they are not already in it; if they are, it will change their 
smbpasswd. 
 
If migrate is not enabled, the module will function as before. If 
migrate is enabled, but the user is already in the smbpasswd file, it 
will function as before. 
 
Though there is the slight security risk that any user's password will 
be blindly changed by this module, and the risk that new users will be 
happily added by this module, neither is possible if the module is used 
properly. If the module is preceded by pam_unix in requisite mode, 
pam_smbpass will not be executed if pam_unix fails, which it does in 
both cases mentioned above: an unknown user, and an invalid old 
password.  
 
This is a security issue because it enables keeping the two different 
password databases synchronized, allowing for better system management. 
If a password is changed from within Samba, enabling the 'pam password 
change' option in smb.conf will keep the UNIX password database current. 
If a password is changed via PAM, pam_smbpass will ensure that smbpasswd 
is updated. If a new user is added, the first time their password is 
changed, when their password is first set, probably by adduser, they 
will be automatically added to smbpasswd. 
 
Care must be taken to remove users from smbpasswd when they are removed 
from passwd, but this is not new to pam_smbpass or this module.
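
The ordering constraint the submitter describes (pam_unix in requisite mode ahead of pam_smbpass) can be checked mechanically. The following is an added example, not part of the bug report or of the proposed patch; the sample stacks are constructed, and it assumes the proposed `migrate` option on the password stack, one rule per line (no backslash continuations), and only the literal `requisite` control counts as a guard.

```python
import re

def parse_stack(text, mgmt="password"):
    """Return [(control, module, args)] for one PAM management group, in order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1).lstrip("-") != mgmt:
            continue                                  # blank, @include, other group
        module = m.group(3).rsplit("/", 1)[-1]        # tolerate absolute module paths
        rules.append((m.group(2), module, m.group(4).split()))
    return rules

def check_migrate_guard(text):
    """List password-stack pam_smbpass 'migrate' lines not guarded by requisite pam_unix."""
    findings, guarded = [], False
    for control, module, args in parse_stack(text):
        if module == "pam_unix.so" and control == "requisite":
            guarded = True      # a pam_unix failure now aborts the stack here
        elif module == "pam_smbpass.so" and "migrate" in args and not guarded:
            findings.append(f"pam_smbpass migrate ({control}) is reachable "
                            "even when pam_unix rejects the user or old password")
    return findings

# Constructed sample stacks (not taken from the report).
GUARDED = """
password requisite pam_unix.so nullok obscure md5
password optional  pam_smbpass.so use_authtok migrate
"""
REQUIRED_ONLY = """
# 'required' records the failure but later modules still run
password required pam_unix.so nullok obscure md5
password optional pam_smbpass.so use_authtok migrate
"""
MISORDERED = """
password optional  pam_smbpass.so migrate
password requisite pam_unix.so nullok obscure md5
"""

if __name__ == "__main__":
    for name in ("GUARDED", "REQUIRED_ONLY", "MISORDERED"):
        print(name, check_migrate_guard(globals()[name]) or "ok")
```
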
Comment 1 Andrew Bartlett 2005-11-04 02:36:10 UTC
I'm having trouble making head or tail of this, but it seems to me that it
requests no change over running an automatic 'make all passwd users smbpasswd
users' script (which would set deliberately invalid passwords).

Comment 2 Andrew Bartlett 2005-11-05 00:34:38 UTC
It is unclear this is a worthwhile feature, the patch is old and may well work
against the administrator's expectation.

Closing.