passwd doesn't work with pam_winbind

Bug #681598 reported by Jason Gunthorpe
Affects: samba (Ubuntu); Status: Confirmed; Importance: Medium; Assigned to: Unassigned; Milestone: none

Bug Description

Binary package hint: samba

At all! This seems to be related to https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/comments/10

Since this is the PAM configuration for winbind straight out of the box, I think it should work! Removing the use_authtok does seem to get things unstuck.

Ultimately this means all users get locked out of their accounts because the password expires and it cannot be reset. So, it is pretty serious.

$ passwd
Changing password for utest
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged

Nov 25 14:28:51 jggl passwd[7456]: pam_unix(passwd:chauthtok): user "utest" does not exist in /etc/passwd
Nov 25 14:28:51 jggl passwd[7456]: pam_winbind(passwd:chauthtok): [pamh: 0xcfdad0] ENTER: pam_sm_chauthtok (flags: 0x4000)
Nov 25 14:28:51 jggl passwd[7456]: pam_winbind(passwd:chauthtok): username [utest] obtained
Nov 25 14:28:51 jggl passwd[7456]: pam_winbind(passwd:chauthtok): getting password (0x0000002b)
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): user 'utest' granted access
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): [pamh: 0xcfdad0] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
Nov 25 14:28:53 jggl passwd[7456]: pam_unix(passwd:chauthtok): user "utest" does not exist in /etc/passwd
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): [pamh: 0xcfdad0] ENTER: pam_sm_chauthtok (flags: 0x2000)
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): username [utest] obtained
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): getting password (0x00000013)
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): password - new password not obtained
Nov 25 14:28:53 jggl passwd[7456]: pam_winbind(passwd:chauthtok): [pamh: 0xcfdad0] LEAVE: pam_sm_chauthtok returning 21 (PAM_AUTHTOK_RECOVER_ERR)

/etc/pam.d/common-passwd

# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: winbind 2:3.5.4~dfsg-1ubuntu8
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 25 14:19:48 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 PATH=(custom, no user)
 LANG=C
 SHELL=/bin/bash
SambaClientRegression: No
SourcePackage: samba

Jason Gunthorpe (jgunthorpe) wrote :
visibility: private → public
security vulnerability: yes → no
Serge Hallyn (serge-hallyn) wrote :

I think given the conversation in 570944 we can call this confirmed. Thierry/Steve,
has any agreement been reached as to what should be done?

Changed in samba (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Steve Langasek (vorlon) wrote :

My suggestion in bug #570944 (of which this should probably be marked as a duplicate) is to ensure pam_unix always prompts for a password even when the user is unknown.

Jason Gunthorpe (jgunthorpe) wrote : Re: [Bug 681598] Re: passwd doesn't work with pam_winbind

Unless someone has a plan to actually go and fix pam_unix, I'd suggest a
better idea is to update pam_winbind's /usr/share/pam-configs/winbind to get
rid of use_authtok.

The objection that this disables strength checking modules is fair, but in
practice nobody will care - the AD server already does strength checking.
That 'passwd' doesn't work AT ALL is rather more serious, and everyone using
winbind will ultimately care about that.

Jason

On Thu, Dec 2, 2010 at 11:24 AM, Serge Hallyn <email address hidden> wrote:

> *** This bug is a duplicate of bug 570944 ***
> https://bugs.launchpad.net/bugs/570944
>
> ** This bug has been marked a duplicate of bug 570944
> passwd : gives "Authentication token manipulation error"
> * You can subscribe to bug 570944 by following this link:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944/+subscribe
>
> --
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/681598
>
> Title:
> passwd doesn't work with pam_winbind
>
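
The control flow behind the syslog lines and the common-passwd stack in the report, as an added example that is not Ubuntu's or Samba's code: a toy Python model of that password stack. pam_unix and pam_winbind are reduced to the behaviour the log shows, LOCAL_USERS and the new password are constructed, and the two configurations compared are the shipped one and the one Jason proposes (use_authtok removed).

```python
import re
# Toy model of the Linux-PAM password stack from this report (added example, not Ubuntu's or Samba's code).
PAM_SUCCESS, PAM_USER_UNKNOWN, PAM_AUTHTOK_ERR, PAM_AUTHTOK_RECOVER_ERR = 0, 10, 20, 21
PRELIM_CHECK, UPDATE_AUTHTOK = 0x4000, 0x2000        # the two chauthtok passes in the log (flags 0x4000, 0x2000)
LOCAL_USERS = {"root"}                                 # constructed: accounts present in /etc/passwd

def pam_unix(flags, pam, opts):
    if pam["user"] not in LOCAL_USERS:
        return PAM_USER_UNKNOWN                        # "does not exist in /etc/passwd": returns without prompting
    if flags & UPDATE_AUTHTOK:
        pam["authtok"] = pam["prompt"]()               # local user: prompts and stores the new password as PAM_AUTHTOK
    return PAM_SUCCESS
def pam_winbind(flags, pam, opts):
    if flags & PRELIM_CHECK:
        return PAM_SUCCESS                             # current password verified ("request wbcLogonUser succeeded")
    if "use_authtok" not in opts:                      # try_first_pass with nothing stacked: prompts itself
        pam["authtok"] = pam["prompt"]()
    return PAM_SUCCESS if pam["authtok"] else PAM_AUTHTOK_RECOVER_ERR   # use_authtok: "new password not obtained"
MODULES = {"pam_unix.so": pam_unix, "pam_winbind.so": pam_winbind,
           "pam_deny.so": lambda *a: PAM_AUTHTOK_ERR,    # "Authentication token manipulation error"
           "pam_permit.so": lambda *a: PAM_SUCCESS}
def parse(text):   # common-password lines -> (control, module, options); comments dropped
    found = [re.match(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#")[0].strip())
             for line in text.splitlines()]
    return [(m.group(1), m.group(2), m.group(3).split()) for m in found if m]
def run_stack(stack, flags, pam):   # one pass over the stack; only the control actions this file uses
    i, result = 0, None
    while i < len(stack):
        control, module, opts = stack[i]
        rc = MODULES[module](flags, pam, opts)
        i += 1
        if control.startswith("["):
            actions = dict(a.split("=") for a in control[1:-1].split())
            action = actions.get("success" if rc == PAM_SUCCESS else "default", "ignore")
            if action == "ignore":
                continue                               # ignored: stack result unaffected, try the next module
            i += int(action)                           # success=N: jump over the next N modules
        elif rc != PAM_SUCCESS:
            return rc                                  # requisite/required failure (pam_deny here) fails the pass
        result = rc
    return PAM_AUTHTOK_ERR if result is None else result
def passwd(config, user, new_password="N3w-P@ss"):   # mimics passwd(1); new_password is constructed
    stack, pam = parse(config), {"user": user, "authtok": None, "prompt": lambda: new_password}
    rc = run_stack(stack, PRELIM_CHECK, pam)           # pass 1: verify the current password
    return rc if rc != PAM_SUCCESS else run_stack(stack, UPDATE_AUTHTOK, pam)   # pass 2: set the new one
SHIPPED = """password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so"""
PROPOSED = SHIPPED.replace(" use_authtok", "")         # the change argued for in the thread
```

For a domain user the shipped stack ends in PAM_AUTHTOK_ERR (the passwd message in the report) because pam_unix returned without leaving a PAM_AUTHTOK for use_authtok to consume, so pam_winbind is ignored and pam_deny fails the pass; without use_authtok pam_winbind prompts itself and the change succeeds.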
