Bug 8832 - libpam-cracklib or libpam-passwdqc break SWAT
Summary: libpam-cracklib or libpam-passwdqc break SWAT
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: SWAT (show other bugs)
Version: 3.4.7
Hardware: x64 Linux
: P5 normal
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-29 09:49 UTC by Fajar Priyanto
Modified: 2013-09-02 12:55 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fajar Priyanto 2012-03-29 09:49:15 UTC
Ubuntu 10.04 LTS
Samba/Swat 3.4.7~dfsg-1u

I'm required to use cracklib or passwdqc in pam.d

But turns out that the above pam module break SWAT.

Swat says:
SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
127.0.0.1, but LANMAN password changed are disabled
The passwd has NOT been changed.

log.smbd:
[2012/03/29 17:34:28,  0] auth/pampass.c:705(smb_pam_chauthtok)
 PAM: UNKNOWN PAM ERROR (19) for User: user2

I have confirmed that this is because of the pam modules. Removing the
pam modules restore SWAT ok again.

---
Example of /etc/pam.d/common-password
With cracklib:
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3
[default setting: see A]
With passwdqc:
password	requisite			pam_passwdqc.so 
[default setting: see A]

Default setting:
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional			pam_smbpass.so nullok use_authtok use_first_pass

Thank you.
Comment 1 Karolin Seeger 2012-08-28 07:38:45 UTC
Re-assigning to Kai.
Comment 2 Kai Blin 2012-08-28 07:47:06 UTC
I think I've seen this before somewhere, let me see if I can find the bug report with the analysis. I seem to remember that was actually an issue with another pam library and not with SWAT itself, but I'll recheck.
Comment 3 Kai Blin 2012-08-28 07:57:53 UTC
There we go. At least in Ubuntu 12.04 where I debugged this the last time, libpam-smbpass is broken and causes swat to fail. In 12.04, that leads to a crash, I haven't tried for 10.04 (or Samba 3.4.7).

Can you get me the output of "nm /lib/security/pam_smbpass.so" so we can check if this is the same problem?
Comment 4 Björn Jacke 2013-09-02 12:55:52 UTC
swat is removed in 4.1