[Pkg-samba-maint] Bug#661751: libpam-smbpass: pam_smbldap ldap and ssl does not work

John McMonagle johnm at advocap.org
Thu Mar 1 00:16:50 UTC 2012


Package: libpam-smbpass
Version: 2:3.5.6~dfsg-3squeeze6
Severity: normal

Have samba pdc using smbldap etc.
Running debian squeeze with samba 3.5.6
Working on getting pam to keep ldap and windows password in sync.
Have been using smbldap-passwd with some added password tests to change
passwords.

smbldap-passwd works
smbpasswd works
in auth part of pam the migrate works with pam_smbldap
smbclient -L localhost  authenticates OK.

If I use no ssl or tls for ldap connections in smb.conf 
passwd will change the windows password.
If the connection to the master ldap server uses ssl or tls I get this error 
in auth.log.

Feb 15 13:21:51 nfondy passwd[30090]: pam_smbpass(passwd:chauthtok): Cannot access samba password database, not running as root.

Again it works without tls or ssl.

common-passwd:
# here are the per-package modules (the "Primary" block)
password        requisite                       pam_passwdqc.so
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional                        pam_smbpass.so nullok use_authtok use_first_pass debug
# end of pam-auth-update config

For this test using in smb.conf:
 ldap ssl = off

  passdb backend = ldapsam:"ldaps://mstldap.advocap.org"

If I change ldaps to ldap it works.

I managed to trace in wireshark using the ssl key for mstldap.

Makes one tls connection.
I see the key exchange etc and then a successful ldap bind.
It closes that connection. I assume that's one of the other pam modules.

Then it tries starting another ssl connection from a new port but it does not work.
Doesn't even see a tls client hello.

Without ssl I can see passwords being changed etc.

I tried samba from backports and it's the same.

John


-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-smbpass depends on:
ii  libc6             2.11.3-3               Embedded GNU C Library: Shared lib
ii  libcap2           1:2.19-3               support for getting/setting POSIX.
ii  libldap-2.4-2     2.4.23-7.2             OpenLDAP libraries
ii  libpam-runtime    1.1.1-6.1+squeeze1     Runtime support for the PAM librar
ii  libpam0g          1.1.1-6.1+squeeze1     Pluggable Authentication Modules l
ii  libtalloc2        2.0.1-1                hierarchical pool based memory all
ii  libwbclient0      2:3.5.6~dfsg-3squeeze6 Samba winbind client library
ii  samba-common      2:3.5.6~dfsg-3squeeze6 common files used by both the Samb

libpam-smbpass recommends no packages.

Versions of packages libpam-smbpass suggests:
ii  samba             2:3.5.6~dfsg-3squeeze6 SMB/CIFS file, print, and login se

-- no debconf information
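
An added example, not part of the original report or of Samba's code: a small Python check that classifies the LDAP transport implied by the two smb.conf variants above, since the variant that works (ldap:// with ldap ssl = off) is the one where the trace shows password changes on the wire. The function names are hypothetical, and the default of "start tls" for an unset "ldap ssl" is an assumption about Samba 3.x.

```python
import re

# Constructed samples: the two smb.conf variants described in the report.
CONF_LDAP = '''
[global]
   ldap ssl = off
   passdb backend = ldapsam:"ldap://mstldap.advocap.org"
'''
CONF_LDAPS = '''
[global]
   ldap ssl = off
   passdb backend = ldapsam:"ldaps://mstldap.advocap.org"
'''

def global_params(text):
    """Return [global] parameters; names are lower-cased with spaces removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def ldap_transport(text):
    """Map each ldapsam URL to 'ldaps', 'starttls', 'cleartext' or 'unknown'."""
    params = global_params(text)
    # Assumption: an unset 'ldap ssl' behaves as 'start tls' (Samba 3.x default).
    ssl_mode = " ".join(params.get("ldapssl", "start tls").lower().split())
    result = {}
    for url in re.findall(r"ldaps?://[^\s\"']+", params.get("passdbbackend", "")):
        if url.lower().startswith("ldaps://"):
            result[url] = "ldaps"        # TLS from the first byte
        elif ssl_mode == "start tls":
            result[url] = "starttls"     # upgraded before the bind
        elif ssl_mode == "off":
            result[url] = "cleartext"    # binds and password changes readable on the wire
        else:
            result[url] = "unknown"      # value this check does not interpret
    return result

if __name__ == "__main__":
    for conf in (CONF_LDAP, CONF_LDAPS):
        for url, mode in ldap_transport(conf).items():
            print(f"{url}: {mode}")
```
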




