I was able to compile pam_winbind using the Makefile.in from July 3, though it is no longer resident in source/nsswitch, but rather samba_home/lib/security. However, pam_winbind no longer responds to try_first_pass or use_first_pass flags in /etc/pam.conf, and I'm stuck with double password prompting. Any ideas?
Created attachment 2025
Comment on attachment 2025
(In reply to comment #2)
> (From update of attachment 2025)
> Remote file name completion is not the bug I reported.
The same here for 3.0.23 release. After upgrading from 3.0.22 to 3.0.23 parameter use_first_pass does not seem to be honoured if present in /etc/pam.conf.

pam.conf portion used by sshd:

# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth optional pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_winbind.so.1 use_first_pass
login auth required pam_dial_auth.so.1
#

uname -a:
SunOS heliotrop 5.10 Generic_Patch_118844-30 i86pc i386 i86pc

Please consider changing the summary field to: "pam_winbind 3.0.23 does not honour try_first_pass and use_first_pass parameter".
Guenther, would you mind taking a look at this? Thanks.
I did some further debugging with Solaris 10 sshd. I put some additional _pam_log(LOG_INFO,...) messages in the pam_winbind.c code. I attached the modified pam_winbind.c to this bug report so the output of syslog can be understood. sshd core dumps on the first attempt to invoke pam_sm_authenticate (first password prompt) of pam_winbind and never reaches the part of _pam_init in pam_winbind.c where the arguments get processed.

Here is the part of the syslog for the first attempt:

Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 539465 auth.info] pam_winbind: pam_sm_authenticate,1 (flags: 0x0000)
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 414443 auth.info] pam_winbind: _pam_parse 2
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 339217 auth.info] pam_winbind: _pam_parse 3 mod
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 199944 auth.info] pam_winbind: _pam_parse 3 iniparser_load ok
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 924463 auth.info] pam_winbind: _pam_parse 3 *d == NULL

The second password prompt succeeds and syslog shows the following messages:

Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 572310 auth.info] Verify user `moik'
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 358037 auth.notice] user 'moik' granted access
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 558227 auth.notice] user 'moik' OK
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 358037 auth.notice] user 'moik' granted access
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 925041 auth.info] pam_parse: option use_first_pass
Jul 13 09:28:09 heliotrop sshd[7728]: [ID 800047 auth.info] Accepted keyboard-interactive for moik from 192.168.0.52 port 33038 ssh2

So I assume that somehow the stack gets corrupted at the first call of pam_sm_authenticate. The stack trace of the sshd core dump is:

heliotrop{root}[/]: pstack /core
core '/core' of 7642: /usr/lib/ssh/sshd
d1be2652 ???????? (8111b80, 1, 80472f0, 80472ec, d1bf8ee8, 8047320)
d1be4403 ???????? (8111b80, 0, 0, d1be8a57, 0, 804737c)
d1be49b2 pam_sm_authenticate (8111b80, 0, 1, 810eaa8) + e7
d2ac2524 run_stack (8111b80, 0, 1, 9, 1, d2ad67a4) + 148
d2ac270d pam_authenticate (8111b80, 0) + 2b
080636de ???????? (8110a80)
08063685 auth2_pam (8110a80) + 51
08063353 ???????? (8110a80)
08060e43 ???????? (32, 6, 8110a80)
0807944e dispatch_run (0, 8110a80, 8110a80) + 49
08060b60 do_authentication2 (8047e3c, 8047dc0, d2bfb840, 4e96, 81ed, 5) + 7c
0805d9df main (1, 8047e04, 8047e0c) + e0a
0805bad2 ???????? (1, 8047ea4, 0, 8047eb6, 8047ed2, 8047eeb)
Created attachment 2028
Modified pam_winbind.c with additional log messages to syslog
I think I found the bug: In _pam_init (pam_winbind.c) there are two for statements which consume the parameters argc and argv. The first loop decrements argc and increments argv while trying to find out if a config file argument is given to pam_winbind. The second for statement, which does the usual loop through argv, assumes that argc and argv are at their initial state, so in the best case the loop is never entered and parameters like use_first_pass are not recognized. Patch follows as soon as my crashed Solaris box is up again.
Created attachment 2029
pam_winbind.c diff against release 3.0.23
(In reply to comment #8)
> In _pam_init (pam_winbind.c) there are two for statements which consume the
     ^^^^^^^^^
This should be _pam_parse.
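A minimal C sketch of the two-loop pattern described in the diagnosis above, next to one way to avoid it. This is an added illustration, not the attached patch or Samba's source; the function names, the flag values and the `config=` spelling of the config file argument are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical flag bits for this sketch; not Samba's constants. */
#define OPT_USE_FIRST_PASS 0x1
#define OPT_TRY_FIRST_PASS 0x2

/* Second pass: the usual walk over the module arguments. */
static int scan_options(int argc, const char **argv)
{
    int ctrl = 0;
    for (; argc-- > 0; ++argv) {
        if (!strcmp(*argv, "use_first_pass")) ctrl |= OPT_USE_FIRST_PASS;
        else if (!strcmp(*argv, "try_first_pass")) ctrl |= OPT_TRY_FIRST_PASS;
    }
    return ctrl;
}

/* Buggy shape: pass 1 walks argc/argv themselves, so pass 2 starts
 * from whatever is left over and the options are never seen. */
int parse_buggy(int argc, const char **argv, const char **config)
{
    for (; argc-- > 0; ++argv) {
        if (!strncmp(*argv, "config=", 7)) { *config = *argv + 7; break; }
    }
    return scan_options(argc, argv);   /* argc/argv already consumed */
}

/* Fixed shape: pass 1 iterates over copies, pass 2 gets the originals. */
int parse_fixed(int argc, const char **argv, const char **config)
{
    int i;
    const char **v;
    for (i = argc, v = argv; i-- > 0; ++v) {
        if (!strncmp(*v, "config=", 7)) { *config = *v + 7; break; }
    }
    return scan_options(argc, argv);
}

int main(void)
{
    const char *args[] = { "use_first_pass" };  /* constructed module args */
    const char *cfg = NULL;
    /* exit status 0 when the buggy parser drops the flag and the fixed one keeps it */
    return !(parse_buggy(1, args, &cfg) == 0 &&
             parse_fixed(1, args, &cfg) == OPT_USE_FIRST_PASS);
}
```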
Created attachment 2030
pam_winbind.c diff against release 3.0.23
New, hopefully correct diff. This is not my day ;-)
I can confirm the proposed patch works as advertised. Many thanks Dietrich.
Thanks for the patch. In the future it is better to submit patches in 'diff -u' format. I'll review this later today.
Checked in for 3.0.23a
(In reply to comment #5)
> Guenther, would you mind taking a look at this? Thanks.
Sorry Jerry, I was totally absorbed giving courses the last days. Thanks for taking care of that. (my ugly copy-paste fault btw.)
closing. Fixed in 3.0.23a