Using default pam/samba configuration leads to authorization errors from swat: Jun 9 23:58:26 myhost xinetd[9818]: START: swat pid=15267 from=127.0.0.1 Jun 9 23:58:26 myhost swat[15267]: PAM pam_parse: expecting return value; [...include] Jun 9 23:58:26 myhost swat[15267]: PAM unable to dlopen(/lib64/security/system-auth) Jun 9 23:58:26 myhost swat[15267]: PAM [dlerror: /lib64/security/system-auth: cannot ope n shared object file: No such file or directory] Jun 9 23:58:26 myhost swat[15267]: PAM adding faulty module: /lib64/security/system-auth Jun 9 23:58:26 myhost swat[15267]: PAM pam_parse: expecting return value; [...include] Jun 9 23:58:26 myhost pam_smbpass[15267]: [2005/06/09 23:58:26, 0] auth/pampass.c:smb_pa m_account(573) Jun 9 23:58:26 myhost pam_smbpass[15267]: smb_pam_account: PAM: UNKNOWN PAM ERROR (28) during Account Management for User: root Jun 9 23:58:26 myhost pam_smbpass[15267]: [2005/06/09 23:58:26, 0] auth/pampass.c:smb_pa m_passcheck(816) Jun 9 23:58:26 myhost pam_smbpass[15267]: smb_pam_passcheck: PAM: smb_pam_account fail ed - Rejecting User root ! Changing /etc/pam.d swat to: #%PAM-1.0 # * pam_smbpass.so authenticates against the smbpasswd file # * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility # (Diego "Flameeyes" Petteno') auth required pam_smbpass.so nodelay #account include system-auth #session include system-auth account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf fixes the problem. Reproducible: Always Steps to Reproduce: 1. Enable swat in /etc/xinetd.d/swat 2. Connect to http://localhost:901 using browser 3. Try to login using valid samba usr/password (created using smbpasswd -a) Actual Results: Failure. Check system log for above problems. Expected Results: Should have logged into swat control pages. Changes to /etc/pam.d/samba as above fix problem. myhost pam.d # emerge info Portage 2.0.51.19 (default-linux/amd64/2005.0, gcc-3.4.3, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r7 x86_64) ================================================================= System uname: 2.6.11-gentoo-r7 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.6.12 Python: dev-lang/python-2.3.5 [2.3.5 (#1, Jun 7 2005, 02:00:36)] dev-lang/python: 2.3.5 sys-apps/sandbox: [Not Present] sys-devel/autoconf: 2.59-r6, 2.13 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5 sys-devel/binutils: 2.15.92.0.2-r10 sys-devel/libtool: 1.5.16 virtual/os-headers: 2.6.8.1-r4 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CFLAGS="-O2" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X acpi alsa apache2 arts berkdb bitmap-fonts cdr crypt cups curl docdvd dvdr eds esd exif f77 fam flac font-server foomaticdb fortran gdbm ggi gif gimpprint gnome gpm gstreamer gtk imagemagick imlib ipv6 jack java jp2 jpeg kde lzw lzw-tiff mad mng mozilla mp3 nas ncurses nls nptl ogg oggvorbis opengl oss pam perl png python qt quicktime readline real samba sdl ssl tcpd tiff truetype truetype-fonts type1-fonts unicode usb userlocales vorbis wmf xml2 xmms xpm xrandr xv zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Interesting... flameeyes: what can be changed to remove needings for redhat's pam_stack.so?
Flameeyes, ping
One single alias for me is enough :) I also removed amd64 as that's not an amd64 issue. I think there was a misunderstanding: the modified pamd file with include directive should be used just for a new revision depending on virtual/pam. As I said on gentoo-dev, pam_stack is still needed for packages in arch, until pam-0.78 goes stable. The solution is having two set of dependencies (one for the stable version, with sys-libs/pam, one for the
One single alias for me is enough :) I also removed amd64 as that's not an amd64 issue. I think there was a misunderstanding: the modified pamd file with include directive should be used just for a new revision depending on virtual/pam. As I said on gentoo-dev, pam_stack is still needed for packages in arch, until pam-0.78 goes stable. The solution is having two set of dependencies (one for the stable version, with sys-libs/pam, one for the ~arch version with virtual/pam) and two pamd files.
thanks: reverting stable to old behaviour
(In reply to comment #4) > thanks: reverting stable to old behaviour Does that mean that you will bump the revision, or do I have to re-emerge samba manually to get this fixed (it completely broke my entire samba auth)?
> Does that mean that you will bump the revision, or do I have to re-emerge > samba manually to get this fixed (it completely broke my entire samba auth)? Never mind, I just saw the new(old) samba.pam file in /usr/portage/... Thanks, works again, Anno.
*** Bug 95695 has been marked as a duplicate of this bug. ***