6687 – pam_session not correctly handled

Bug 6687 - pam_session not correctly handled

Summary: pam_session not correctly handled

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.4.0
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-09-03 00:49 UTC by Blindauer Emmanuel (dead mail address)
Modified:	2009-09-03 18:05 UTC (History)
CC List:	0 users

See Also:

Attachments
smb.conf (2.80 KB, text/plain) 2009-09-03 03:25 UTC, Blindauer Emmanuel (dead mail address)	no flags	Details
smb 3.2.7, log level 5 (73.00 KB, text/plain) 2009-09-03 06:46 UTC, Blindauer Emmanuel (dead mail address)	no flags	Details
smb 3.4.0, log level 5 (74.30 KB, text/plain) 2009-09-03 06:47 UTC, Blindauer Emmanuel (dead mail address)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Blindauer Emmanuel (dead mail address) 2009-09-03 00:49:36 UTC

Hi
I've tried to upgrade me 3.2.7 file server to 3.4.0, samba member of an AD 2003, using winbind.

I use pam_mkhomedir in pam_session to create the [homes]  share for each user.
It seems that something has gone wrong because there is no more call to pam_session

Instead, the server says it can't access the /home/$user share which is normal as it hasn't been created.

I've traced the call to pam_session in 23.2.7, and looked for the log in same place for 3.4.0, there is no call to "smb_pam_start" in 3.4.0

the 3.4.0 log with the falling creation:

  Get_Pwnam_internals did find user [DPTINFO+s.altun]!
[2009/09/03 07:24:18,  5] auth/auth_util.c:1517(fill_sam_account)
  fill_sam_account: located username was [DPTINFO+s.altun]
[2009/09/03 07:24:18,  4] lib/substitute.c:504(automount_server)
  Home server: oie
[2009/09/03 07:24:18,  4] lib/substitute.c:504(automount_server)
  Home server: oie
[2009/09/03 07:24:18,  3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [s.altun] succeeded
[2009/09/03 07:24:18,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/09/03 07:24:18,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/09/03 07:24:18,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/09/03 07:24:18,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2009/09/03 07:24:18,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2009/09/03 07:24:18,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/09/03 07:24:18,  5] auth/auth.c:297(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [DPTINFO+s.altun] succeeded
[2009/09/03 07:24:18,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [s.altun] -> [s.altun] -> [DPTINFO+s.altun] succeeded



the 3.2.7 with the call to pampass.c:
  Get_Pwnam_internals did find user [DPTINFO+s.altun]!
[2009/09/03 07:36:36,  5] auth/auth_util.c:fill_sam_account(1404)
  fill_sam_account: located username was [DPTINFO+s.altun]
[2009/09/03 07:36:36,  4] lib/substitute.c:automount_server(500)
  Home server: oie
[2009/09/03 07:36:36,  4] lib/substitute.c:automount_server(500)
  Home server: oie
[2009/09/03 07:36:36,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: winbind authentication for user [s.altun] succeeded
[2009/09/03 07:36:36,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/09/03 07:36:36,  3] smbd/uid.c:push_conn_ctx(407)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/09/03 07:36:36,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/09/03 07:36:36,  5] auth/token_util.c:debug_nt_user_token(466)
  NT user token: (NULL)
[2009/09/03 07:36:36,  5] auth/token_util.c:debug_unix_user_token(492)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_start(470)
  smb_pam_start: PAM: Init user: DPTINFO+s.altun
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_start(487)
  smb_pam_start: PAM: setting rhost to: ::ffff:130.79.80.98
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_start(496)
  smb_pam_start: PAM: setting tty
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_start(504)
  smb_pam_start: PAM: Init passed for user: DPTINFO+s.altun
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_account(562)
  smb_pam_account: PAM: Account Management for User: DPTINFO+s.altun
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_account(581)
  smb_pam_account: PAM: Account OK for User: DPTINFO+s.altun
[2009/09/03 07:36:36,  4] auth/pampass.c:smb_pam_end(450)
  smb_pam_end: PAM: PAM_END OK.
[2009/09/03 07:36:36,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/09/03 07:36:36,  5] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password:  PAM Account for user [DPTINFO+s.altun] succeeded
[2009/09/03 07:36:36,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [s.altun] -> [s.altun] -> [DPTINFO+s.altun] succeeded

Comment 1 Guenther Deschner 2009-09-03 03:11:06 UTC

Could you please upload your smb.conf ?

Comment 2 Blindauer Emmanuel (dead mail address) 2009-09-03 03:25:10 UTC

Created attachment 4634 [details]
smb.conf

Comment 3 Blindauer Emmanuel (dead mail address) 2009-09-03 06:46:59 UTC

Created attachment 4635 [details]
smb 3.2.7,  log level 5

Comment 4 Blindauer Emmanuel (dead mail address) 2009-09-03 06:47:19 UTC

Created attachment 4636 [details]
smb 3.4.0,  log level 5

Comment 5 Guenther Deschner 2009-09-03 14:53:49 UTC

The only explanation I have for this is that smbd has not been built with pam support. Could you please check (and paste here) the output of:

smbd -b | grep PAM

Thanks.

Comment 6 Blindauer Emmanuel (dead mail address) 2009-09-03 15:26:50 UTC

I'm not sure about the real values from smbd -b :

# ./smbd -b | grep PAM
   HAVE_SECURITY_PAM_APPL_H
   HAVE_SECURITY_PAM_EXT_H
   HAVE_SECURITY_PAM_MODULES_H
   HAVE_SECURITY__PAM_MACROS_H
   HAVE_LIBPAM
   HAVE_PAM_GET_DATA
   HAVE_PAM_VSYSLOG
   WITH_PAM
   WITH_PAM_MODULES
   WITH_PAM
   WITH_PAM_MODULES

With the first try, I have made a build with:

./configure --prefix=/usr/local/samba/ 

After that, I've rebuild all with :
./configure --with-syslog --with-winbind --with-ads --with-acl-support --with-pam --with-quotas --prefix=/usr/local/samba/

but I didn't make a make clean between both build (I assumed that new config.h -> full recompilation )

I'll try with a clean rebuild of these tools.

Comment 7 Blindauer Emmanuel (dead mail address) 2009-09-03 16:54:52 UTC

Ok, I've made a "make clean", and rebuilded and installed all programs, and now, PAM is working correctly.
My fault, sorry.

Comment 8 Guenther Deschner 2009-09-03 18:05:35 UTC

:-) Glad it works now.