ports/118677: [net/samba3] Unix password synchronization with PAM does not work under Samba 3

Javier Martín Rueda jmrueda at diatel.upm.es
Thu Dec 13 19:00:05 UTC 2007


>Number:         118677
>Category:       ports
>Synopsis:       [net/samba3] Unix password synchronization with PAM does not work under Samba 3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 13 19:00:04 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Javier Martín Rueda
>Release:        FreeBSD 6.2 RELEASE
>Organization:
Universidad Politécnica de Madrid
>Environment:
FreeBSD mad6.diatel.upm.es 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 19 21:07:07 CET 2007     root at fbsd.localdomain:/usr/obj/usr/src/sys/AURORA  i386

>Description:
I set up a Windows NT domain with Samba as the PDC. I activate unix password synchronization in Samba, so that when a user changes the password from a Windows client it is updated in the Unix database as well. The problem is that it does not work. The Windows client reports "You don't have permission to change your password".

The relevant Samba configuration is:

unix password sync = yes
pam password change = yes
passwd chat = *Old*Password:* %o *New*Password* %n *Retype*New*Password* %n

I also create /etc/pam.d/samba with:

password        required        pam_unix.so

By the way, password synchronization without PAM doesn't work either. The problem is that findpty() in source/chgpasswd.c attempts to find an unused pseudoterminal device by opening /dev/pty00, /dev/pty01, etc. That doesn't work because the devices don't show up in /dev unless they are in use. I suppose that either some rules should be added to /etc/devfs.rules to make them come up even if they are free, or maybe the Samba code should be changed to use openpty(3).
>How-To-Repeat:
Configure Samba and PAM as described in "full description" and try to change a user's password from Windows. You will get "You don't have permission to change your password".

>Fix:
The pam_unix module creates a child process to execute pwd_mkdb and then executes waitpid() to check if the child finished ok. The problem is that the smbd daemon captures SIGCHLD and pam_unix doesn't get that signal, and concludes that the pwd_mkdb process must have failed somehow.

I enclose a patch to temporarily disable SIGCHLD capture while PAM executes. Just drop it in the files directory of the samba port and rebuild it.


Patch attached with submission follows:

--- smbd/chgpasswd.c.orig	Thu Mar  1 05:54:06 2007
+++ smbd/chgpasswd.c	Thu Dec 13 20:32:44 2007
@@ -502,11 +502,19 @@
 		if (as_root)
 			become_root();
 
+		/*
+		 * We need to temporarily stop CatchChild from eating
+		 * SIGCLD signals as it also eats the exit status code.
+		 * NOTE: pam_unix.so creates a child to run pwd_mkdb.
+		 */
+
+		CatchChildLeaveStatus();
 		if (pass) {
 			ret = smb_pam_passchange(pass->pw_name, oldpass, newpass);
 		} else {
 			ret = smb_pam_passchange(name, oldpass, newpass);
 		}
+		CatchChild();
 			
 		if (as_root)
 			unbecome_root();
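Review bot: the CatchChild() call after the two smb_pam_passchange() branches reinstalls the catching handler unconditionally instead of restoring whatever SIGCLD handling was in effect before CatchChildLeaveStatus(). If this path can ever be entered with leave-status handling already active, the caller's setting is silently replaced. Either save and restore the previous state, or say in the comment that the catching handler is always the one installed here. The comment should also say what happens to any other child of this process that exits while smb_pam_passchange() is running, since its status is no longer consumed during that window. Minor: the blank line between the comment and CatchChildLeaveStatus() separates the explanation from the call it documents.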


>Release-Note:
>Audit-Trail:
>Unformatted:


