pam-krb5 error when called from Samba

Russ Allbery rra at stanford.edu
Mon Aug 29 23:39:37 EDT 2011


Andreas Ntaflos <daff at pseudoterminal.org> writes:

> I hope this list is not inappropriate for questions about pam-krb5.

This is perfectly fine, at least as far as I'm concerned.  :)

> Unfortunately my tests don't work. Enabling debugging on the PAM modules
> I see this in the Samba server's auth.log when calling "smbpasswd -r" on
> a remote machine.

> pam_smbpass(samba:chauthtok): username [testuser] obtained
> pam_smbpass(samba:chauthtok): Located account for testuser
> pam_krb5(samba:chauthtok): pam_sm_chauthtok: entry (0xc000)
> pam_krb5(samba:chauthtok): (user testuser) attempting authentication as testuser at EXAMPLE.COM
> pam_krb5(samba:chauthtok): (user testuser) error getting password: Conversation error
> pam_krb5(samba:chauthtok): pam_sm_chauthtok: exit (failure)

"Conversation error" means that when pam-krb5 tried to prompt for the
password, it was unable to do so, usually because the application didn't
provide a conversation callback.  How does smbpasswd -r provide the
password to PAM?  You may need a custom PAM configuration for it that uses
the PAM options use_first_pass and use_authtok, so that the PAM module
will read the password from the stored PAM state rather than trying to
prompt for it.  However....

> For reference, /etc/pam.d/samba looks like this:

> auth       requisite   pam_krb5.so debug
> auth       optional    pam_smbpass.so migrate debug
> account    required    pam_krb5.so debug
> password   optional    pam_smbpass.so nullok use_authtok try_first_pass debug
> password   required    pam_krb5.so use_authtok try_first_pass debug
> session    required    pam_krb5.so debug

...it looks like that's what you've already got.  Although I'm confused,
since both pam_smbpass and pam_krb5 are configured to use a password
stored in the stack by a previous module, but there's no previous module.
*Someone* needs to be responsible for prompting for the password.

I'm not personally very familiar with smbpasswd -r or how it works, so I
may be missing some aspect of this.  (Presumably there's some reason why
you want to use that and not just passwd configured with Samba and
Kerberos PAM modules.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
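
An added example, not part of the original message or of pam-krb5: a small checker for the condition described in the reply, where a rule in a PAM stack is told to reuse a stored password (use_authtok or use_first_pass) although no earlier rule in that stack could have prompted for one. The function names are hypothetical, and treating any rule without those two options as able to prompt is a simplifying assumption.

```python
# Added example; PAM option semantics here are simplified assumptions.
REUSE_OPTS = {"use_authtok", "use_first_pass"}  # "never prompt, reuse stored password"

# Constructed sample: rules copied from the /etc/pam.d/samba quoted above.
SAMPLE = """\
auth       requisite   pam_krb5.so debug
password   optional    pam_smbpass.so nullok use_authtok try_first_pass debug
password   required    pam_krb5.so use_authtok try_first_pass debug
"""


def parse_pam(text):
    """Yield (lineno, type, module, options) for each rule in a pam.d file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # blank line, comment, @include, or malformed rule
        ctl_end = 1
        if fields[1].startswith("["):  # bracketed control spans several fields
            while ctl_end < len(fields) - 1 and not fields[ctl_end].endswith("]"):
                ctl_end += 1
        if ctl_end + 1 >= len(fields):
            continue  # no module path after the control field
        yield lineno, fields[0].lstrip("-"), fields[ctl_end + 1], fields[ctl_end + 2:]


def unprimed_rules(text, stack="password"):
    """Return rules that reuse a stored password before any module could prompt."""
    findings, prompter_seen = [], False
    for lineno, mtype, module, opts in parse_pam(text):
        if mtype != stack:
            continue
        reuse = sorted(REUSE_OPTS & set(opts))
        if reuse and not prompter_seen:
            findings.append((lineno, module, reuse))
        elif not reuse:
            prompter_seen = True  # assumption: this module may prompt itself
    return findings


if __name__ == "__main__":
    for lineno, module, opts in unprimed_rules(SAMPLE):
        print(f"line {lineno}: {module} uses {', '.join(opts)} with no earlier prompting module")
```

Run against the sample, it reports both password rules, since each expects a password that nothing earlier in the stack has stored.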
