When user tries to change his/her password via pam_winbind.so, pam_set_item(3PAM) is called twice (at _winbind_read_password() and pam_sm_chauthtok() in nsswitch/pam_winbind.c) with PAM_OLDAUTHTOK and the old password. The second pam_set_item() call (at pam_sm_chauthtok()) is redundantly because the old password for pam_set_item() has same value (pointer to char*) before (at _winbind_read_password()). _winbind_read_password(..., const char **pass) { ... authtok_flag = on(WINBIND__OLD_PASSWORD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK; ... retval = pam_set_item(pamh, authtok_flag, token); _pam_delete(token); /* clean it up */ if (retval != PAM_SUCCESS || (retval = _pam_get_item(pamh, authtok_flag, &item)) != PAM_SUCCESS) { _pam_log(pamh, ctrl, LOG_CRIT, "error manipulating password"); return retval; } *pass = item; ... } pam_sm_chauthtok() { ... if (flags & PAM_PRELIM_CHECK) { ret = _winbind_read_password(..., (const char **) &pass_old); ... ret = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); ... } else if (flags & PAM_UPDATE_AUTHTOK) { ... } ... } On the other hand, on Solaris, the pam_set_item() call clears the previous set password (by pam_set_item()) in PAM informations (maybe security reason). For example: const char *item; ## Get PAM_OLDAUTHTOK data from PAM pam_get_item(pamh, PAM_OLDAUTHTOK, &item); ## Put item to PAM_OLDAUTHTOK data in PAM ## 1. Clear previous PAM_OLDAUTHTOK data (in *item) in PAM ## 2. Set new data (in *item) as PAM_OLDAUTHTOK in PAM pam_set_item(pamh, PAM_OLDAUTHTOK, &item); ## Get PAM_OLDAUTHTOK data from PAM again pam_get_item(pamh, PAM_OLDAUTHTOK, &item); ## Show PAM_OLDAUTHTOK (it is broken on Solaris) puts(item); That is why, password changing failed via pam_winbind.so on Solaris.
Created attachment 3271 [details] Proposed patch: Remove redundant pam_set_item() call
Created attachment 3922 [details] Updated patch for 3.2.8 (v3-2-test) Remove a redundant pam_set_item() call for a PAM item "PAM_OLDAUTHTOK" because it was already stored in _winbind_read_password() or a previous stacked PAM module.
Raising version number as requested by the reporter.
Any volunteer to review the patches? Would be nice to include the patches in 3.3.8.
Created attachment 7469 [details] Patch for Samba 3.6 (v3-6-test)
Ira, Slow, Jiri: can you review/test this? I would be great to get this ancient bug with attached patch fixed finally...