3916 – pam_winbind 3.0.23 does not honour try_first_pass and use_first_pass parameter

Bug 3916 - pam_winbind 3.0.23 does not honour try_first_pass and use_first_pass parameter

Summary: pam_winbind 3.0.23 does not honour try_first_pass and use_first_pass parameter

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	winbind (show other bugs)
Version:	3.0.23
Hardware:	x86 Solaris

Importance:	P3 normal
Target Milestone:	none
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2006-07-07 13:57 UTC by db38
Modified:	2006-08-04 12:04 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
(524 bytes, text/plain) 2006-07-09 12:13 UTC, Katsuhiko Takahashi	no flags	Details
Modified pam_winbind.c with addition log messages to syslog (38.42 KB, text/plain) 2006-07-13 02:39 UTC, Dietrich Streifert	no flags	Details
pam_winbind.c diff against release 3.0.23 (1.51 KB, patch) 2006-07-13 04:00 UTC, Dietrich Streifert	no flags	Details
pam_winbind.c diff against release 3.0.23 (3.10 KB, patch) 2006-07-13 04:11 UTC, Dietrich Streifert	no flags	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description db38 2006-07-07 13:57:30 UTC

I was able to compile pam_winbind using the Makefile.in from July 3, though it is no longer resident in source/nsswitch, but rather samba_home/lib/security.  However, pam_winbind no longer responds to try_first_pass or use_first_pass flags in /etc/pam.conf, and I'm stuck with double password prompting.  Any ideas?

Comment 1 Katsuhiko Takahashi 2006-07-09 12:13:35 UTC

Created attachment 2025 [details]

Comment 2 Katsuhiko Takahashi 2006-07-09 12:16:25 UTC

Comment on attachment 2025 [details]

Comment 3 db38 2006-07-10 16:18:12 UTC

(In reply to comment #2)
> (From update of attachment 2025 [details] [edit])
> 
Remote file name completion is not the bug I reported.

Comment 4 Dietrich Streifert 2006-07-12 09:15:31 UTC

The same here for 3.0.23 release. After upgrading from 3.0.22 to 3.0.23 paramter use_first_pass does not seem to be honoured if present in /etc/pam.conf.

pam.conf portion used by sshd:
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth optional           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth sufficient         pam_winbind.so.1 use_first_pass
login   auth required           pam_dial_auth.so.1
#

uname -a:
SunOS heliotrop 5.10 Generic_Patch_118844-30 i86pc i386 i86pc

Please consider changing the summery field to: "pam_winbind 3.0.23 does not honour try_first_pass and use_first_pass paramter".

Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-07-12 10:06:00 UTC

Guenther, would you mind taking at look at this?  Thanks.

Comment 6 Dietrich Streifert 2006-07-13 02:35:45 UTC

I did some further debugging with solaris 10 sshd. I put some addition _pam_log(LOG_INFO,...) messages in the pam_winbind.c code. I attached the modified pam_winbind.c to this bug report so the output of syslog can be understood.

sshd core dumps on the first attempt to invoke pam_sm_authenticate (first password prompt) of pam_winbind and did never reach the part of _pam_init in pam_winbind.c where the arguments get processed. Here is the part of the syslog for the first attempt:

Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 539465 auth.info] pam_winbind: pam_sm_authenticate,1 (flags: 0x0000)
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 414443 auth.info] pam_winbind: _pam_parse 2
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 339217 auth.info] pam_winbind: _pam_parse 3 mod
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 199944 auth.info] pam_winbind: _pam_parse 3 iniparser_load ok
Jul 13 09:27:05 heliotrop pam_winbind[7728]: [ID 924463 auth.info] pam_winbind: _pam_parse 3 *d == NULL


The second password prompt succeeds and syslog shows following messages:

Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 572310 auth.info] Verify user `moik'
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 358037 auth.notice] user 'moik' granted access
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 558227 auth.notice] user 'moik' OK
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 358037 auth.notice] user 'moik' granted access
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 414442 auth.info] pam_winbind: _pam_parse 1
Jul 13 09:28:09 heliotrop pam_winbind[7728]: [ID 925041 auth.info] pam_parse: option use_first_pass
Jul 13 09:28:09 heliotrop sshd[7728]: [ID 800047 auth.info] Accepted keyboard-interactive for moik from 192.168.0.52 port 33038 ssh2

So I assume that somehow the stack gets corrupt at the first call of pam_sm_authenticate.

The stack trace of the sshd core dump is:

heliotrop{root}[/]: pstack /core
core '/core' of 7642:   /usr/lib/ssh/sshd
 d1be2652 ???????? (8111b80, 1, 80472f0, 80472ec, d1bf8ee8, 8047320)
 d1be4403 ???????? (8111b80, 0, 0, d1be8a57, 0, 804737c)
 d1be49b2 pam_sm_authenticate (8111b80, 0, 1, 810eaa8) + e7
 d2ac2524 run_stack (8111b80, 0, 1, 9, 1, d2ad67a4) + 148
 d2ac270d pam_authenticate (8111b80, 0) + 2b
 080636de ???????? (8110a80)
 08063685 auth2_pam (8110a80) + 51
 08063353 ???????? (8110a80)
 08060e43 ???????? (32, 6, 8110a80)
 0807944e dispatch_run (0, 8110a80, 8110a80) + 49
 08060b60 do_authentication2 (8047e3c, 8047dc0, d2bfb840, 4e96, 81ed, 5) + 7c
 0805d9df main     (1, 8047e04, 8047e0c) + e0a
 0805bad2 ???????? (1, 8047ea4, 0, 8047eb6, 8047ed2, 8047eeb)

Comment 7 Dietrich Streifert 2006-07-13 02:39:49 UTC

Created attachment 2028 [details]
Modified pam_winbind.c with addition log messages to syslog

Comment 8 Dietrich Streifert 2006-07-13 03:18:38 UTC

I think I found the bug:

In _pam_init (pam_winbind.c) there are two for statements which consume the parameters argc and argv. The first loop decrements argc and increments argv while trying to find out if a config file argument is given to pam_winbind.

The second for statement, which does the usual loop through argv, assumes that argc and argv are at initial state so, in best case the loop is never entered and parameters like use_first_pass are not recognized.

Patch follows as soon as my crashed solaris box is up again.

Comment 9 Dietrich Streifert 2006-07-13 04:00:18 UTC

Created attachment 2029 [details]
pam_winbind.c diff against release 3.0.23

Comment 10 Dietrich Streifert 2006-07-13 04:01:09 UTC

(In reply to comment #8)

> In _pam_init (pam_winbind.c) there are two for statements which consume the
     ^^^^^^^^^

This should be _pam_parse.

Comment 11 Dietrich Streifert 2006-07-13 04:11:01 UTC

Created attachment 2030 [details]
pam_winbind.c diff against release 3.0.23

New, hopefully correct diff. This is not my day ;-)

Comment 12 Rex Dieter 2006-07-13 10:58:12 UTC

I can confirm the proposed patch works as advertised.  Many thanks Dietrich.

Comment 13 Gerald (Jerry) Carter (dead mail address) 2006-07-13 11:15:41 UTC

Thanks for the patch.  In the future is is better to submit 
patches in 'diff -u' format. I'll review this later today.

Comment 14 Gerald (Jerry) Carter (dead mail address) 2006-07-13 11:31:33 UTC

Checked in for 3.0.23a

Comment 15 Guenther Deschner 2006-07-14 08:10:00 UTC

(In reply to comment #5)
> Guenther, would you mind taking at look at this?  Thanks. 

Sorry Jerry, I was totally absorbed giving courses the last days.
Thanks for taking care of that.

(my ugly copy-paste fault btw.)

Comment 16 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:04:04 UTC

closing.  Fixed in 3.0.23a