Re: pam_smbpass.so

To: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>, debian-user@lists.debian.org
Subject: Re: pam_smbpass.so
From: Christian Seiler <christian@iwakd.de>
Date: Mon, 22 Feb 2016 20:59:48 +0100
Message-id: <[🔎] 56CB68B4.2080407@iwakd.de>
In-reply-to: <[🔎] 1b8u2iyegz.fsf@pfeifferfamily.net>
References: <[🔎] 1br3gcy3k0.fsf@pfeifferfamily.net> <56C36422.6040007@iwakd.de> <22212.39885.713134.525465@pfeifferfamily.net> <[🔎] 56C4A239.2040104@iwakd.de> <[🔎] 1b8u2iyegz.fsf@pfeifferfamily.net>

On 02/18/2016 02:49 AM, Joe Pfeiffer wrote:
> Christian Seiler <christian@iwakd.de> writes:
>> Just a hunch: do you run dovecot chroot'ed? If so, then it is most
>> likely the case that the specific PAM module is not available within
>> the chroot and that's why it produces that message.
> 
> No, it isn't chrooted -- if it were, I'd expect the other pam modules to
> give the same issues (for that matter, I'd expect it to not be able to
> find pam.d!).

So I just looked a bit at the PAM source code and found the following:

1. the message you see is generated from libpam/pam_handlers.c [1] from
   within the function _pam_load_module, using the mod_path argument
   passed to that function (which is not modified)

2. the function _pam_load_module is only called from _pam_add_handler,
   which calls it in two cases [2]:

    a. module name starts with a /, then it uses that directly
    b. module name doesn't start with a /, then it prepends
       DEFAULT_MODULE_PATH

   In Debian, DEFAULT_MODULE_PATH is /lib/<triplet>/security (set via
   debian/rules --libdir=/lib/<triplet> for dh_auto_configure [3],
   then used by configure.in as the default argument for
   --enable-securedir if that's not specified [4], which it isn't in
   debian/rules, and then used my Makefile.am to specify the variable
   to the C source [5]).

[1] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/pam_handlers.c/#L705
[2] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/pam_handlers.c/#L760
[3] http://sources.debian.net/src/pam/1.1.8-3.2/debian/rules/#L30
[4] http://sources.debian.net/src/pam/1.1.8-3.2/configure.in/#L274
[5] http://sources.debian.net/src/pam/1.1.8-3.2/libpam/Makefile.am/#L5

If I look at your configuration file, we clearly have 

> # and here are more per-package modules (the "Additional" block)
> auth    optional        pam_mount.so
> auth    optional                        pam_smbpass.so migrate

that the pam_smbpass.so is a relative path, so the code path 2(b)
should be taken, so the error you see shouldn't appear.

This is _really_ weird, especially since (as you said) the other
modules should also be affected...

I'm drawing a blank, sorry. Other than stracing the dovecot auth
process hand hoping you find something in the (presumeably huge) log
of that, I don't think I have any idea on how to debug that. Sorry.

Regards,
Christian

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- pam_smbpass.so
  - From: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>
- Re: pam_smbpass.so
  - From: Christian Seiler <christian@iwakd.de>
- Re: pam_smbpass.so
  - From: Joe Pfeiffer <pfeiffer@cs.nmsu.edu>

Prev by Date: Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
Next by Date: CRM Users List
Previous by thread: Re: pam_smbpass.so
Next by thread: How to tell the system to load right name for wireless card?
Index(es):
- Date
- Thread