Bug 749035 - net-fs/samba-4.11.x: misconfigured system-auth-winbind shipped, pam integration broken with >=sys-libs/pam-1.4.0
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's SAMBA Team
Reported: 2020-10-14 18:13 UTC by EK
Modified: 2021-04-03 19:27 UTC
Description EK 2020-10-14 18:13:43 UTC
Samba is installed as a dependency with following flags:

net-fs/samba-4.11.13::gentoo  USE="acl pam system-mitkrb5 winbind -addc -addns -ads -ceph -client -cluster -cups -debug (-dmapi) (-fam) -gpg -iprint -json -ldap -profiling-data -python -quota (-selinux) -snapper -syslog (-system-heimdal) -systemd (-test) -zeroconf" PYTHON_SINGLE_TARGET="python3_7 -python3_6 -python3_8"

Thus, flags "pam" and "winbind" are set.

In recent net-fs/samba/samba-4.11.13.ebuild, corresponding block installs /etc/pam.d/system-auth-winbind:

        if use pam && use winbind ; then
                newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind
                # bugs #376853 and #590374
                insinto /etc/security
                doins examples/pam_winbind/pam_winbind.conf
        fi

CONFDIR is hardcoded in the ebuild as follows:

#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
CONFDIR="${FILESDIR}/4.4"

Thus, samba package installs pam module as old as samba-4.4 version. This pam template contains following lines:

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

However, with sys-auth/pambase-20201010 and sys-libs/pam-1.4.0_p20200829, the module pam_cracklib.so becomes deprecated. The line "required pam_cracklib.so" will result in always-failing authentication due to the absence of the required module.
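The failure described in this report can be checked for before it locks anyone out. The following is an added example, not part of the original report or of the samba ebuild: it parses a PAM stack file and lists modules that are not installed, marking `required`/`requisite` lines without a leading `-` as blocking. The function names and the sample module set are assumptions made for illustration; the module directory differs between systems and is passed in by the caller.

```python
import os
import re

# Constructed sample: the password lines quoted in the report above.
SAMPLE_STACK = """\
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
"""
# Constructed module set standing in for a system without pam_cracklib.so.
SAMPLE_AVAILABLE = {"pam_unix.so", "pam_deny.so"}

# type, control (keyword or [bracketed]), module path; '-' prefix allowed on type
LINE_RE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.I)

def installed_modules(module_dir):
    """List module file names in module_dir (path is system-specific)."""
    return {f for f in os.listdir(module_dir) if f.endswith(".so")}

def missing_modules(stack_text, available):
    """Return (lineno, type, control, module, blocking) per absent module."""
    findings = []
    for lineno, raw in enumerate(stack_text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank, comment, or not a module line
        dash, mtype, control, module = m.groups()
        control = control.lower()
        if control in ("include", "substack"):
            continue  # the next field names another stack file, not a module
        name = os.path.basename(module)
        if name in available:
            continue
        # required/requisite with no '-' prefix: a missing module fails the stack
        blocking = control in ("required", "requisite") and not dash
        findings.append((lineno, mtype.lower(), control, name, blocking))
    return findings

if __name__ == "__main__":
    for finding in missing_modules(SAMPLE_STACK, SAMPLE_AVAILABLE):
        print(finding)
```

On a live system, pass the contents of /etc/pam.d/system-auth-winbind and the result of `installed_modules()` for the local PAM module directory.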
Comment 1 SacredRide 2020-10-14 18:50:07 UTC
Might be useful to coordinate with https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has settled. Changes in system-auth could be pending and impacting include/substack statements depending on pambase such as this one here.
Comment 2 EK 2020-10-14 19:24:22 UTC
BTW, same configuration is shipped with samba-4.13, thus, all available samba versions have same issue.
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-10-14 19:51:08 UTC
(In reply to SacredRide from comment #1)
> Might be useful to coordinate with
> https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has
> settled. Changes in system-auth could be pending and impacting
> include/substack statements depending on pambase such as this one here.

These are completely different things, samba is providing its own stack file, which does not rely on the existing pambase files
Comment 4 Michael Jones 2021-04-03 19:27:05 UTC
(In reply to Mikle Kolyada from comment #3)
> (In reply to SacredRide from comment #1)
> > Might be useful to coordinate with
> > https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has
> > settled. Changes in system-auth could be pending and impacting
> > include/substack statements depending on pambase such as this one here.
> 
> These are completely different things, samba is providing its own stack file,
> which does not rely on the existing pambase files

Has adding a "winbind" use-flag to sys-auth/pambase been considered, instead of allowing the samba ebuild to drop bad configs into /etc/pam.d?