Integrate samba password in PAM

Bug #208419 reported by Patrice Vetsel on 2008-03-28
Affects                        Importance   Assigned to
auth-client-config (Ubuntu)    Undecided    Jamie Strandboge
  Hardy                        Undecided    Jamie Strandboge
nautilus-share (Baltix)        Undecided    Unassigned
nautilus-share (Ubuntu)        Medium       Michael Vogt
  Hardy                        Medium       Michael Vogt
pam (Ubuntu)                   Wishlist     Steve Langasek
  Hardy                        Wishlist     Steve Langasek
ubuntu-meta (Ubuntu)           Medium       Mathias Gug
  Hardy                        Medium       Mathias Gug

Bug Description

It will be a great enhancement if the samba password can be integrated in PAM for all users.
No more need to manually do a "sudo smbpasswd -a user", and nautilus-share (installed by default in Hardy) will be totally functional with guest or user-login methods.

Chuck Short (zulcss) wrote :

Thanks for the bug report.

Changed in pam:
importance: Undecided → Wishlist
status: New → Triaged
Steve Langasek (vorlon) on 2008-04-08
Changed in pam:
assignee: nobody → vorlon
Steve Langasek (vorlon) wrote :

Attached is a proposed patch for this. This needs further testing before upload to hardy; as the saying goes, I have merely proved it correct, not tried it (extensively). :)

Steve Langasek (vorlon) wrote :

"needs testing" - I can make this package available via PPA if anyone thinks that would be of use.

Changed in pam:
status: Triaged → In Progress
xtknight (xt-knight) wrote :

Check my ppa: https://launchpad.net/~xt-knight/+archive

Not sure how the version ~5ppa1 will be affected by this line since it expects ubuntu6:

if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-5ubuntu6

On Tue, Apr 08, 2008 at 08:06:55PM -0000, xtknight wrote:
> Not sure how the version ~5ppa1 will be affected by this line since it
> expects ubuntu6:

> if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.99.7.1-5ubuntu6

I think you want to change your version number from -5ubuntu5~ppa1 to
-5ubuntu6~ppa1. -5ubuntu5~ppa1 is less than the /current/ version of pam in
the archive.

Otherwise, should work fine, the version check there is written exactly as
it was intended to be. :)

Patrice Vetsel (vetsel-patrice) wrote :

Patched pam packages seem to not work at all.

Patched package installed, system rebooted, samba installed.

I create a user: popo, with password: popo.
I look at the samba users with "sudo pdbedit -L -w"; the user is not listed -> PROBLEM
I restart samba with "sudo /etc/init.d/samba restart", and the user is still not listed.

OK. I force creation of the user in samba with "sudo smbpasswd -a popo" and put "popo" as the password.
I list the samba users with "sudo pdbedit -L -w"; popo is listed and the encrypted password is shown. I note it.

I log in as popo, change my password and log out.
Back as the admin user, I verify whether the password has changed with "sudo pdbedit -L -w". No, it's still the same -> PROBLEM
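
The before/after check described in the comment above, automated over two saved `pdbedit -L -w` listings. This is an added example, not part of the original report; the function names and the sample listings (made-up hex values) are constructed for illustration.

```python
import re

# smbpasswd-format line: user:uid:LM hash:NT hash:[flags]:LCT-<hex epoch>:
ENTRY = re.compile(
    r"^(?P<user>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

def parse_pdbedit(text):
    """Map user name -> NT hash field and last-change time from a listing."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m["user"]] = {"nt": m["nt"].upper(), "lct": int(m["lct"], 16)}
    return entries

def sync_status(before, after, user):
    """Classify what happened to `user` between two pdbedit listings."""
    old = parse_pdbedit(before).get(user)
    new = parse_pdbedit(after).get(user)
    if new is None:
        return "missing"     # no Samba account at all (first PROBLEM above)
    if old is None:
        return "created"     # account appeared between the two listings
    if old["nt"] == new["nt"]:
        return "unchanged"   # Samba hash did not follow the Unix password change
    return "updated"

def _line(user, uid, nt, lct):
    # Constructed sample entry; the LM field is all X, as when LM hashes are off.
    return f"{user}:{uid}:{'X' * 32}:{nt}:[U          ]:LCT-{lct}:"

# Constructed listings: the hash values are made-up hex, not real password hashes.
BEFORE = "\n".join([
    _line("admin", 1000, "00112233445566778899AABBCCDDEEFF", "47FB9D10"),
    _line("popo", 1001, "0F1E2D3C4B5A69788796A5B4C3D2E1F0", "47FBA000"),
])
AFTER = "\n".join([
    _line("admin", 1000, "00112233445566778899AABBCCDDEEFF", "47FB9D10"),
    _line("popo", 1001, "A1B2C3D4E5F60718293A4B5C6D7E8F90", "47FBA4B0"),
])

if __name__ == "__main__":
    print("no sync:", sync_status(BEFORE, BEFORE, "popo"))
    print("synced: ", sync_status(BEFORE, AFTER, "popo"))
```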

Patrice Vetsel (vetsel-patrice) wrote :

Not sure, but I can't find pam_smbpass.so in my system?
Which package provides it? It must be installed, no?

Patrice Vetsel (vetsel-patrice) wrote :

OK, libpam-smbpass installed; we should install it by default if we patch pam.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 0.99.7.1-5ubuntu6

---------------
pam (0.99.7.1-5ubuntu6) hardy; urgency=low

  * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
    Add pam_smbpass as an optional module in the stack, to keep NTLM
    passwords (for filesharing) in sync with the main system passwords on a
    best-effort basis. LP: #208419.

 -- Steve Langasek <email address hidden> Tue, 08 Apr 2008 18:21:40 +0000

Changed in pam:
status: In Progress → Fix Released
Changed in auth-client-config:
assignee: nobody → jamie-strandboge
Steve Langasek (vorlon) wrote :

The necessary changes to pam have been uploaded, but now there's a question of how to go about incorporating the libpam-smbpass package so that the password synchronization actually takes place.

I've spoken with Kees Cook about the security implications, and he strongly discourages enabling libpam-smbpass password synchronization by default on the grounds that the NTLM password hashing is weaker than the Unix password hashing. I've conceded this point, so I think the correct thing to do here is to install libpam-smbpass at the same time that samba is installed. For servers this means making it part of the samba-server task, and for desktops that means hooking into nautilus-share so that it will install both packages when filesharing is requested.

In the desktop case, we may want to provide users with some notice about the fact that not all users will automatically have passwords available; however, because the PAM integration will auto-sync passwords from the Unix password store to the Samba password store on every successful /authentication/, not just on password changes, if bug #212098 is addressed then this already takes care of the problem for most desktop users.

Changed in nautilus-share:
assignee: nobody → ubuntu-desktop
importance: Undecided → Medium
status: New → Confirmed
Changed in ubuntu-meta:
importance: Undecided → Medium
status: New → Confirmed
Changed in nautilus-share:
assignee: ubuntu-desktop → desktop-bugs
Changed in auth-client-config:
status: New → In Progress
Changed in auth-client-config:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package auth-client-config - 0.6.1

---------------
auth-client-config (0.6.1) hardy; urgency=low

  * update cracklib profile to use pam_smbpass.so (LP: #208419)
  * debian/control: update Vcs-Bzr field

 -- Jamie Strandboge <email address hidden> Tue, 11 Mar 2008 16:15:58 -0400

Changed in auth-client-config:
status: Fix Committed → Fix Released
Mathias Gug (mathiaz) on 2008-04-09
Changed in ubuntu-meta:
assignee: nobody → mathiaz
Mathias Gug (mathiaz) on 2008-04-10
Changed in ubuntu-meta:
status: Confirmed → Invalid
Michael Vogt (mvo) on 2008-04-10
Changed in nautilus-share:
assignee: desktop-bugs → mvo
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nautilus-share - 0.7.2-0ubuntu5

---------------
nautilus-share (0.7.2-0ubuntu5) hardy; urgency=low

  * 02_install_missing_samba.dpatch:
    - install libpam-smbpass in addition to samba (LP: #208419)

 -- Michael Vogt <email address hidden> Thu, 10 Apr 2008 11:46:49 +0200

Changed in nautilus-share:
status: In Progress → Fix Released
Daniel Hahler (blueyed) wrote :

If pam_smbpass.so (from libpam-smbpass) is not installed, this causes log spam in /var/log/auth.log (see bug 216990).
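
A check for the situation described above, as an added example that is not code from the pam or libpam-smbpass packages: it reports PAM stacks that reference pam_smbpass.so when the module is not installed, entries that are not `optional`, and auth entries without the `migrate` option that drives the sync on successful authentication. The stack contents are constructed for illustration and are not the exact files shipped by the package; the function names are hypothetical.

```python
import re

# type, control (plain word or [bracketed] form), module path, then options
PAM_LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def smbpass_entries(text):
    """Yield (type, control, options) for each pam_smbpass line in a PAM file."""
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])   # drop trailing comments
        if m and m.group(3).rsplit("/", 1)[-1] == "pam_smbpass.so":
            yield m.group(1).lstrip("-"), m.group(2), m.group(4).split()

def audit(files, installed_modules):
    """files: {path: contents}; installed_modules: set of module file names."""
    findings = []
    for path, text in sorted(files.items()):
        for mtype, control, opts in smbpass_entries(text):
            if "pam_smbpass.so" not in installed_modules:
                findings.append(f"{path}: pam_smbpass.so referenced but not installed")
            if control != "optional":
                # Anything stricter makes logins depend on the Samba store.
                findings.append(f"{path}: control '{control}' is not 'optional'")
            if mtype == "auth" and "migrate" not in opts:
                findings.append(f"{path}: auth entry without 'migrate'")
    return findings

# Constructed stacks for illustration, not the exact files shipped by the package.
STACKS = {
    "/etc/pam.d/common-auth": (
        "auth requisite pam_unix.so nullok_secure\n"
        "auth optional pam_smbpass.so migrate\n"),
    "/etc/pam.d/common-password": (
        "password requisite pam_unix.so nullok obscure md5\n"
        "password optional pam_smbpass.so nullok use_authtok try_first_pass\n"),
}

if __name__ == "__main__":
    # Simulate a system where libpam-smbpass was never installed.
    for finding in audit(STACKS, installed_modules={"pam_unix.so"}):
        print(finding)
```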

Mantas Kriaučiūnas (mantas) wrote :

Launchpad Janitor wrote on 2008-04-10:
> This bug was fixed in the package nautilus-share - 0.7.2-0ubuntu5
> * 02_install_missing_samba.dpatch:
> - install libpam-smbpass in addition to samba (LP: #208419)

Unfortunately this is only a partial fix: it works only when the user doesn't have both packages (samba and libpam-smbpass) on his system. If the user already has the samba package installed, then nautilus-share doesn't install the libpam-smbpass package :(

It's very easy to reproduce:
1. install samba and do not install libpam-smbpass package (remove it if it's already installed)
2. Press right click on any subfolder from your home folder and choose "Sharing Option" from menu.
3. Click on "Share this folder" and then click button "Create Share"

As you see, you can share a folder even if you don't have libpam-smbpass installed, and you don't get a dialog suggesting to install the needed libpam-smbpass package :(

Btw, AFAIK nautilus-share package should have libpam-smbpass package in Recommends or Suggests field, like samba package.

I can report this as separate bugreport, just tell me :)

Changed in nautilus-share:
status: Fix Released → In Progress
Mathias Gug (mathiaz) wrote :

Could you report that as a separate bug report?

Thanks.

Michael Vogt (mvo) on 2009-03-12
Changed in nautilus-share:
status: In Progress → Fix Released
Changed in nautilus-share (Baltix):
status: New → Fix Released