pam-krb5 error when called from Samba

Andreas Ntaflos daff at pseudoterminal.org
Mon Aug 29 22:49:44 EDT 2011


Hello again,

I hope this list is not inappropriate for questions about pam-krb5. I am
trying to set up a standalone Samba server that integrates (as well as
possible) with our LDAP and Kerberos infrastructure. Obviously this is
cumbersome and difficult with the current state of affairs in Samba (and
a bit off-topic here). Using Kerberos 1.8.1 on Ubuntu 10.04.3.

On the Samba server I want to use pam-krb5 together with pam-smbpass so
changing the password via Samba changes both the Kerberos and the Samba
password.

Unfortunately my tests don't work. Enabling debugging on the PAM modules
I see this in the Samba server's auth.log when calling "smbpasswd -r" on
a remote machine.

pam_smbpass(samba:chauthtok): username [testuser] obtained
pam_smbpass(samba:chauthtok): Located account for testuser
pam_krb5(samba:chauthtok): pam_sm_chauthtok: entry (0xc000)
pam_krb5(samba:chauthtok): (user testuser) attempting authentication as
testuser at EXAMPLE.COM
pam_krb5(samba:chauthtok): (user testuser) error getting password:
Conversation error
pam_krb5(samba:chauthtok): pam_sm_chauthtok: exit (failure)
pam_smbpass(samba:chauthtok): username [testuser] obtained
pam_smbpass(samba:chauthtok): Located account for testuser
pam_krb5(samba:chauthtok): pam_sm_chauthtok: entry (0xc000)
pam_krb5(samba:chauthtok): (user testuser) attempting authentication as
testuser at EXAMPLE.COM
pam_krb5(samba:chauthtok): (user testuser) error getting password:
Conversation error
pam_krb5(samba:chauthtok): pam_sm_chauthtok: exit (failure)

Apparently pam-krb5 runs into a problem when being called from Samba. It
works fine when called via the 'passwd' program and changing the
Kerberos password in this way works correctly. The Kerberos server
itself doesn't show anything in the logs, even with debugging enabled.

I'd like to know what this error message by pam-krb5 means and how to
debug this further, if possible.

For reference, /etc/pam.d/samba looks like this:

auth       requisite   pam_krb5.so debug
auth       optional    pam_smbpass.so migrate debug
account    required    pam_krb5.so debug
password   optional    pam_smbpass.so nullok use_authtok try_first_pass
debug
password   required    pam_krb5.so use_authtok try_first_pass debug
session    required    pam_krb5.so debug

Thanks in advance,

Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20110830/53a72fd8/attachment.bin


More information about the Kerberos mailing list