Contributed by jose on from the cross-platform-authentication dept.
I've found similar problems mentioned all over the web from *BSD users, but no solutions. Linux seems to be OK -- at least, I haven't found any reports of the same problem on Linux.
I've just spent half a day or so reading code to try and work out how to fix it. When the user tries to change the password, you gets loads of entries in the log like this
[2003/10/16 10:26:33, 0] /usr/ports/net/samba/stable/w-samba-2.2.8a/samba-2.2.8a /source/lib/util_sec.c:assert_gid(114) Failed to set gid privileges to (0,1003) now set to (1003,1003) uid=(0,1003)What this means is it tried to set the real gid to 0 when...
real gid = 1003 effective gid = 1003 real uid = 0 effective uid = 1003which of course fails, because according to man 2 setgid, it's only permitted if the "effective user ID is that of the superuser, or if the specified group ID is the same as the effective group ID", which is not the case.
Question 1: Am I right in thinking this is the problem?
Question 2: Er, any ideas how to fix this?
I tried making it set the uid first (when changing to root) and then the gid, but it didn't have any effect. But then, it's quite highly abstracted so it's difficult to know what to change.
Any ideas?"
I've never had to worry much about Samba and passwords, but I figure this is a common problem. Anyone have a solution for Ben?
(Comments are closed)
By gregf () gregf@bigtimegeeks.com on mailto:gregf@bigtimegeeks.com
passwd program = /usr/bin/passwd %u
passwd chat = *old*password* %on *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
Comments
By Anonymous Coward () on
The passwd chat / passwd program configurations in smb.conf have nothing to do with this problem, at least under FreeBSD.
As far as I know, there's not solution yet... but using samba-3 :)
Comments
By gregf () gregf@bigtimegeeks.com on mailto:gregf@bigtimegeeks.com
By Ben () on
The UNIX accounts are created with no password, and have nologin as their shell.
I don't think it would be possible to use the passwd script with the smbpasswd utility (rather than passwd) because this will happen after the attempt to change the smbpasswd.
Or maybe this is a way forward?
Comments
By Peter N. M. Hansteen () peter@datadok.no on http://www.datadok.no
; unless you want to keep win95 clients, you need
; to use password encryption
encrypt passwords = Yes
update encrypted = Yes
; specify smb passwd file
smb passwd file = /etc/smbpasswd
; and specify to keep smb and unix password synced
; useful at least if people occasionally use other
; services
unix password sync = Yes
; then say how unix passwords are set
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
By Jimmythegeek () on
on redhat 7.3, using OpenLDAP.
We get a password expiration dialogue every time a user changes the password. We can see that the password expiration field gets set to infinity by one script, but gets set to 0 (must change now) by a finalization step I haven't been able to track down.
I finally just wrote a script to go through the ldap database and set the password expiration field separately.
I am looking forward to Samba 3.0
By Dan Brosemer () odin@cleannorth.org on mailto:odin@cleannorth.org
This is the world's *worst* fix, but it works for me. I don't suggest trying to do anything real with this patch in place, but I do, and it hasn't blown up on me... yet. ------ patch-util_sec_c ------- --- lib/util_sec.c.orig Wed Jul 17 09:47:49 2002 +++ lib/util_sec.c Sun Sep 7 18:15:38 2003 @@ -94,8 +94,8 @@ static void assert_uid(uid_t ruid, uid_t DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)n", (int)ruid, (int)euid, (int)getuid(), (int)geteuid())); - smb_panic("failed to set uidn"); - exit(1); +// smb_panic("failed to set uidn"); +// exit(1); } } } @@ -112,8 +112,8 @@ static void assert_gid(gid_t rgid, gid_t (int)rgid, (int)egid, (int)getgid(), (int)getegid(), (int)getuid(), (int)geteuid())); - smb_panic("failed to set gidn"); - exit(1); +// smb_panic("failed to set gidn"); +// exit(1); } } } @@ -199,7 +199,6 @@ void set_effective_uid(uid_t uid) setuidx(ID_EFFECTIVE, uid); #endif - assert_uid(-1, uid); } /**************************************************************************** @@ -224,7 +223,6 @@ void set_effective_gid(gid_t gid) setgidx(ID_EFFECTIVE, gid); #endif - assert_gid(-1, gid); } static uid_t saved_euid, saved_ruid; @@ -330,8 +328,7 @@ int set_re_uid(void) return -1; #endif - assert_uid(uid, uid); - return 0; + return -1; }
By Dan Brosemer () odin@cleannorth.org on mailto:odin@cleannorth.org
http://cleannorth.org/~odin/patch-lib_util_sec_c
Comments
By Anonymous Coward () on
The patch above does fix it (though for some reason I had to apply by hand) - at least on Free - BUT - I'd have to have a good look over it before applying it to a production box.
Has anyone submitted this to the Samba team ?
-Oh, I'm not sure that Unix password sync works even after applying this patch.
Anyway - nice job Dan.
Comments
By Dan Brosemer () odin@cleannorth.org on mailto:odin@cleannorth.org
Dear god, I hope not. It's a terrible hack.
> Oh, I'm not sure that Unix password sync works even after applying this patch.
It does, at least for me on OpenBSD 3.3-stable and did on 3.2-stable when I ran it.
A password chat line needs to be specified in the smb.conf file, but that's no big deal.
Comments
By tedu () on
Comments
By Anonymous Coward () on
Thats kinda what I meant - jolt the samba team into looking at this - bugzilla for samba doesnt even seem to have anything for this problem.
I guess I'll report it to them through bugzilla (It affects Free && Open - prolly Net as well) - Dan, any objections to including your "patch" as proof of concept ? - not as an actual fix (we can use the words horrible hack ...;-)
I actually have a 2.2.8a OpenBSD box which I'd like to see fixed (and haven't applied your hack too !)
What I'd really like to do is spend some time looking at this and try and try and supply something near a suitable patch - but who knows when I'll have time for that.
Comments
By Dan Brosemer () odin@cleannorth.org on mailto:odin@cleannorth.org
It's probably good enough to point out the problem in the samba code. I think the only reason I get away with running a production machine with it is my users don't change their passwords very often. (but, then, do anyone's users?)
If you'd drop me an email with the bugzilla link when you get around to it, I'd appreciate it.
Thanks.
-Dan
By Paul () pwehrweinATREMhotmailDOTcom on mailto:pwehrweinATREMhotmailDOTcom
Thanks