pam-krb5 error when called from Samba

Andreas Ntaflos daff at pseudoterminal.org
Tue Aug 30 18:52:29 EDT 2011


Russ, thank you for your reply!

On 2011-08-30 05:39, Russ Allbery wrote:
> "Conversation error" means that when pam-krb5 tried to prompt for the
> password, it was unable to do so, usually because the application didn't
> provide a conversation callback.  How does smbpasswd -r provide the
> password to PAM?  You may need a custom PAM configuration for it that uses
> the PAM options use_first_pass and use_authtok, so that the PAM module
> will read the password from the stored PAM state rather than trying to
> prompt for it.  However....

I have only recently started trying to understand how Samba setups
(standalone or PDC) would work together with Kerberos (and LDAP) so I am
not even sure if calling "smbpasswd -r" from a remote machine is the
right approach. Smbpasswd prompts for the old and new passwords so it
seems that Samba should take care of the conversation details and
passing the authtok.

Now, it is very possible that I am wrong in my whole approach to this
Samba/Kerberos thing. I've read what seems like hundreds of pages of
documentation and mailing list archives spanning the last ten years but
there doesn't seem to be a clear-cut way for integrating Samba, Kerberos
and LDAP aside from using AD.

>> For reference, /etc/pam.d/samba looks like this:
> 
>> auth       requisite   pam_krb5.so debug
>> auth       optional    pam_smbpass.so migrate debug
>> account    required    pam_krb5.so debug
>> password   optional    pam_smbpass.so nullok use_authtok try_first_pass debug
>> password   required    pam_krb5.so use_authtok try_first_pass debug
>> session    required    pam_krb5.so debug
> 
> ...it looks like that's what you've already got.  Although I'm confused,
> since both pam_smbpass and pam_krb5 are configured to use a password
> stored in the stack by a previous module, but there's no previous module.
> *Someone* needs to be responsible for prompting for the password.

The above PAM configuration is directly from the Samba documentation in
[1], but maybe details have changed since those pages were last updated
(in 2003). However, this configuration snippet is also packaged with
libpam-smbpass so it shouldn't be too outdated, I'd think.

I posted here to understand the error message pam-krb5 throws, so thank
you for enlightening me :)

> I'm not personally very familiar with smbpasswd -r or how it works, so I
> may be missing some aspect of this.  (Presumably there's some reason why
> you want to use that and not just passwd configured with Samba and
> Kerberos PAM modules.)

I am certainly even less familiar with how smbpasswd works; the -r switch
makes it change the user's password on the remote machine specified and
apparently works at least partially, according to the Samba logs. I also
believe that this is the way a user on a Windows machine that is part of
the domain the Samba PDC serves would change his password. But maybe I
am completely off here.

But your last point (passwd that changes krb5 and smb passwords) sounds
interesting. Could you perhaps hint at a PAM configuration that would
accomplish this? I have spent all of last night reading about and
configuring PAM and the words "requisite", "required", "optional", etc.
are starting to blend together.

Thank you!

Andreas

[1] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
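Russ's observation above (that use_first_pass and use_authtok make a module read a password already stored in the PAM stack, so some earlier module in the same group must have prompted for it) can be turned into a mechanical check. The script below is an added example, not code from this thread, from Samba or from pam-krb5. It parses a pam.d-style stack and flags any module that demands a stacked password when nothing before it in the same management group could have stored one. The option semantics it assumes are: use_first_pass and use_authtok never prompt and fail without a stored token, while try_first_pass falls back to prompting. The two sample stacks are constructed for the example; the first copies the /etc/pam.d/samba lines quoted in the mail, the second is only there to show a stack the check accepts and is not a recommended Samba configuration.

```python
"""
Added example: lint a PAM stack for modules that expect a password from an
earlier module when no earlier module in that group could have prompted.
Not part of the original mail, Samba or pam-krb5.
"""
from dataclasses import dataclass

# Assumed semantics (see pam_krb5(8) / pam_unix(8) style options):
#   strict reuse   -> never prompt; fail if no token is stored in PAM state
#   fallback reuse -> reuse a stored token, otherwise prompt normally
STRICT_REUSE = {"use_first_pass", "use_authtok"}
FALLBACK_REUSE = {"try_first_pass"}


@dataclass
class Entry:
    group: str      # auth, account, password or session
    control: str    # required, requisite, sufficient, optional, ...
    module: str     # e.g. pam_krb5.so
    options: list   # remaining fields on the line


def parse_pam_stack(text):
    """Parse pam.d syntax: comments start with '#', a trailing '\\' continues
    the line, and anything with fewer than three fields is ignored."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = logical.split()
        logical = ""
        if len(fields) < 3:
            continue
        group, control, module, *opts = fields
        entries.append(Entry(group.lower(), control, module, opts))
    return entries


def find_unfed_password_consumers(entries):
    """Return (entry, [strict options]) for every module that insists on a
    stacked password while no earlier module in the same group was free to
    prompt. A module without a strict reuse option may prompt (try_first_pass
    still prompts on a miss), so it counts as a possible supplier for the
    modules that follow it in that group."""
    findings = []
    supplier_seen = {}  # group -> True once a module that may prompt has run
    for e in entries:
        strict = STRICT_REUSE & set(e.options)
        if strict and not supplier_seen.get(e.group, False):
            findings.append((e, sorted(strict)))
        if not strict:
            supplier_seen[e.group] = True
    return findings


def lint(text):
    """Human-readable findings for a stack given as text."""
    return [
        f"{e.group}: {e.module} has {','.join(opts)} but no earlier "
        f"{e.group} module could have stored a password"
        for e, opts in find_unfed_password_consumers(parse_pam_stack(text))
    ]


# Constructed copy of the /etc/pam.d/samba stack quoted in the thread.
SAMPLE_FROM_THREAD = """\
auth       requisite   pam_krb5.so debug
auth       optional    pam_smbpass.so migrate debug
account    required    pam_krb5.so debug
password   optional    pam_smbpass.so nullok use_authtok try_first_pass debug
password   required    pam_krb5.so use_authtok try_first_pass debug
session    required    pam_krb5.so debug
"""

# Constructed stack where the first password module is allowed to prompt, so
# the later use_authtok has something to read. Illustrative only.
SAMPLE_WITH_PROMPTER = """\
auth       required    pam_krb5.so
password   required    pam_krb5.so try_first_pass
password   optional    pam_smbpass.so use_authtok   # fed by pam_krb5 above
"""

if __name__ == "__main__":
    for name, text in (("thread", SAMPLE_FROM_THREAD),
                       ("prompter", SAMPLE_WITH_PROMPTER)):
        print(f"[{name}]")
        for line in lint(text) or ["no findings"]:
            print("  " + line)
```

Run against the stack from the mail, the checker reports both password-group modules (pam_smbpass and pam_krb5), which is exactly the pairing Russ points out: each is told to reuse a token that nothing earlier in the password group could have collected. The auth group is not reported because pam_krb5 there carries only debug and is free to prompt.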
