Changing password from Windows with Samba 2.2.8a

Contributed by jose on 2003-10-20 from the cross-platform-authentication dept.

Ben asks: "I'm having issues with Samba 2.2.8a on OpenBSD. I've got it set up as a domain controller with roaming profiles, and it's all working very nicely apart from that the user can't change the password from Windows.
I've found similar problems mentioned all over the web from *BSD users, but no solutions. Linux seems to be OK -- at least, I haven't found any reports of the same problem on Linux.
I've just spent half a day or so reading code to try and work out how to fix it. When the user tries to change the password, you gets loads of entries in the log like this
[2003/10/16 10:26:33, 0] /usr/ports/net/samba/stable/w-samba-2.2.8a/samba-2.2.8a /source/lib/util_sec.c:assert_gid(114) Failed to set gid privileges to (0,1003) now set to (1003,1003) uid=(0,1003)
What this means is it tried to set the real gid to 0 when...
real gid = 1003 effective gid = 1003 real uid = 0 effective uid = 1003
which of course fails, because according to man 2 setgid, it's only permitted if the "effective user ID is that of the superuser, or if the specified group ID is the same as the effective group ID", which is not the case.
Question 1: Am I right in thinking this is the problem?
Question 2: Er, any ideas how to fix this?
I tried making it set the uid first (when changing to root) and then the gid, but it didn't have any effect. But then, it's quite highly abstracted so it's difficult to know what to change.

Any ideas?"

I've never had to worry much about Samba and passwords, but I figure this is a common problem. Anyone have a solution for Ben?

(Comments are closed)

Comments

By gregf () gregf@bigtimegeeks.com on 2003-10-20 12:21 mailto:gregf@bigtimegeeks.com

You need to use the password chat option in your smb.conf. Here is an example that works with linux.

passwd program = /usr/bin/passwd %u
passwd chat = *old*password* %on *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
Comments
1. By Anonymous Coward () on 2003-10-21 01:15
  
  A lot of people are having this exact same problem under FreeBSD (there's even a PR about this issue).
  The passwd chat / passwd program configurations in smb.conf have nothing to do with this problem, at least under FreeBSD.
  As far as I know, there's not solution yet... but using samba-3 :)
  Comments
  1. By gregf () gregf@bigtimegeeks.com on 2003-10-20 18:08 mailto:gregf@bigtimegeeks.com
    
    Only problem with that is Samba 3 segfaults on startup on openbsd 3.4.
2. By Ben () on 2003-10-21 01:58
  
  It's not the setting of the UNIX password, it's the setting of the SMB password. I think the problem comes when it tries to update the smbpasswd file.
  
  The UNIX accounts are created with no password, and have nologin as their shell.
  
  I don't think it would be possible to use the passwd script with the smbpasswd utility (rather than passwd) because this will happen after the attempt to change the smbpasswd.
  
  Or maybe this is a way forward?
  Comments
  1. By Peter N. M. Hansteen () peter@datadok.no on 2003-10-23 02:47 http://www.datadok.no
    
    For true seamlessness, you also need to specify password syncing. The magic words are,
    
    ; unless you want to keep win95 clients, you need
    ; to use password encryption
    encrypt passwords = Yes
    update encrypted = Yes
    ; specify smb passwd file
    smb passwd file = /etc/smbpasswd
    ; and specify to keep smb and unix password synced
    ; useful at least if people occasionally use other
    ; services
    unix password sync = Yes
    ; then say how unix passwords are set
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
By Jimmythegeek () on 2003-10-20 16:57

I'm using Samba Version 2.2.8a
on redhat 7.3, using OpenLDAP.

We get a password expiration dialogue every time a user changes the password. We can see that the password expiration field gets set to infinity by one script, but gets set to 0 (must change now) by a finalization step I haven't been able to track down.

I finally just wrote a script to go through the ldap database and set the password expiration field separately.

I am looking forward to Samba 3.0
By Dan Brosemer () odin@cleannorth.org on 2003-10-20 17:45 mailto:odin@cleannorth.org

This is the world's *worst* fix, but it works for me. I don't suggest trying to do anything real with this patch in place, but I do, and it hasn't blown up on me... yet. ------ patch-util_sec_c ------- --- lib/util_sec.c.orig Wed Jul 17 09:47:49 2002 +++ lib/util_sec.c Sun Sep 7 18:15:38 2003 @@ -94,8 +94,8 @@ static void assert_uid(uid_t ruid, uid_t DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)n", (int)ruid, (int)euid, (int)getuid(), (int)geteuid())); - smb_panic("failed to set uidn"); - exit(1); +// smb_panic("failed to set uidn"); +// exit(1); } } } @@ -112,8 +112,8 @@ static void assert_gid(gid_t rgid, gid_t (int)rgid, (int)egid, (int)getgid(), (int)getegid(), (int)getuid(), (int)geteuid())); - smb_panic("failed to set gidn"); - exit(1); +// smb_panic("failed to set gidn"); +// exit(1); } } } @@ -199,7 +199,6 @@ void set_effective_uid(uid_t uid) setuidx(ID_EFFECTIVE, uid); #endif - assert_uid(-1, uid); } /**************************************************************************** @@ -224,7 +223,6 @@ void set_effective_gid(gid_t gid) setgidx(ID_EFFECTIVE, gid); #endif - assert_gid(-1, gid); } static uid_t saved_euid, saved_ruid; @@ -330,8 +328,7 @@ int set_re_uid(void) return -1; #endif - assert_uid(uid, uid); - return 0; + return -1; }
By Dan Brosemer () odin@cleannorth.org on 2003-10-20 17:47 mailto:odin@cleannorth.org

Here. Try this, instead.

http://cleannorth.org/~odin/patch-lib_util_sec_c
Comments
1. By Anonymous Coward () on 2003-10-21 22:42
  
  I can confirm that this behaviour is present for Samba 2.2.8a on Free & Open.
  
  The patch above does fix it (though for some reason I had to apply by hand) - at least on Free - BUT - I'd have to have a good look over it before applying it to a production box.
  
  Has anyone submitted this to the Samba team ?
  
  -Oh, I'm not sure that Unix password sync works even after applying this patch.
  
  Anyway - nice job Dan.
  Comments
  1. By Dan Brosemer () odin@cleannorth.org on 2003-10-22 13:06 mailto:odin@cleannorth.org
    
    > Has anyone submitted this to the Samba team ?
    
    Dear god, I hope not. It's a terrible hack.
    
    > Oh, I'm not sure that Unix password sync works even after applying this patch.
    
    It does, at least for me on OpenBSD 3.3-stable and did on 3.2-stable when I ran it.
    
    A password chat line needs to be specified in the smb.conf file, but that's no big deal.
    
    Comments
    
    By tedu () on 2003-10-23 04:02
    
    something like this will have to be submitted back though. just because linux setgid lets you setgid(0) if not in group 0, does not mean other implementations will or should.
    
    Comments
    
    By Anonymous Coward () on 2003-10-23 11:14
    
    True -
    Thats kinda what I meant - jolt the samba team into looking at this - bugzilla for samba doesnt even seem to have anything for this problem.
    
    I guess I'll report it to them through bugzilla (It affects Free && Open - prolly Net as well) - Dan, any objections to including your "patch" as proof of concept ? - not as an actual fix (we can use the words horrible hack ...;-)
    
    I actually have a 2.2.8a OpenBSD box which I'd like to see fixed (and haven't applied your hack too !)
    
    What I'd really like to do is spend some time looking at this and try and try and supply something near a suitable patch - but who knows when I'll have time for that.
    
    Comments
    
    By Dan Brosemer () odin@cleannorth.org on 2003-10-24 01:16 mailto:odin@cleannorth.org
    
    Sure! Use the patch for anything you want... just don't blame me when everything falls to pieces. :)
    
    It's probably good enough to point out the problem in the samba code. I think the only reason I get away with running a production machine with it is my users don't change their passwords very often. (but, then, do anyone's users?)
    
    If you'd drop me an email with the bugzilla link when you get around to it, I'd appreciate it.
    
    Thanks.
    -Dan
By Paul () pwehrweinATREMhotmailDOTcom on 2003-11-06 16:27 mailto:pwehrweinATREMhotmailDOTcom

Any way you could share your pdc + roaming profile config for openbsd with me? I'm having a hell of a time setting that up as there are many different things said about it, most of which don't seem to apply to openbsd.
Thanks

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (11)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]