Re: pam_smbpass.so

To: debian-user@lists.debian.org
Subject: Re: pam_smbpass.so
From: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>
Date: Wed, 17 Feb 2016 18:49:48 -0700
Message-id: <[🔎] 1b8u2iyegz.fsf@pfeifferfamily.net>
References: <[🔎] 1br3gcy3k0.fsf@pfeifferfamily.net> <56C36422.6040007@iwakd.de> <22212.39885.713134.525465@pfeifferfamily.net> <[🔎] 56C4A239.2040104@iwakd.de>

Christian Seiler <christian@iwakd.de> writes:

> Hi,
>
> On 02/17/2016 05:11 PM, Joe Pfeiffer wrote:
>> Christian Seiler writes:
>>> [Suggesting journalctl -o verbose to debug this]
>> I'm running a current Debian testing installation, and journal is
>> enabled.
>> 
>> It turns out it's only coming from /usr/lib/dovecot/auth.  What's
>> weird is in /etc/pam.d/, the only files using the module are
>> common-auth and common-password, so I'd expect to see the error coming
>> either every time someone authenticates through anything, or any time
>> someone changes their password, and I'm not seeing either of those
>> cases -- just dovecot.
>
> Just a hunch: do you run dovecot chroot'ed? If so, then it is most
> likely the case that the specific PAM module is not available within
> the chroot and that's why it produces that message.

No, it isn't chrooted -- if it were, I'd expect the other pam modules to
give the same issues (for that matter, I'd expect it to not be able to
find pam.d!).

> If that's not the case: what's the contents of /etc/pam.d/dovecot?
> And /etc/pam.d/common-auth?

/etc/pam.d/dovecot:
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    required                        pam_abl.so config=/etc/security/pam_abl.conf
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_mount.so
auth    optional                        pam_smbpass.so migrate
auth    optional                        pam_cap.so
# end of pam-auth-update config

(note the line
auth    optional                        pam_smbpass.so migrate
is added when libpam-smbpass is installed)

Reply to:

Follow-Ups:
- Re: pam_smbpass.so
  - From: Christian Seiler <christian@iwakd.de>

References:
- pam_smbpass.so
  - From: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>
- Re: pam_smbpass.so
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: Debian security: need recipe for blocking root ssh access AND all ssh password access
Next by Date: Re: pam_smbpass.so
Previous by thread: Re: pam_smbpass.so
Next by thread: Re: pam_smbpass.so
Index(es):
- Date
- Thread