This bug occurs when you telnet to a Linux box from a host whose IP address is not resolvable to a hostname. There are some different methods for fixing this.
There is a bug in the login binary that is distributed with all version of Linux that use PAM, the login binary does not deep copy certain structures which it later relies on, but which pam_smb unfortunately tramples. There is patch available on the ftp site called login.c.diff,
e.g. With a Redhat 6.0 system , download the SRPMS for util-linux-2.9o-13, from a redhat mirror, and do the following
rpm -i util-linux-2.9o-13.src.rpm rpm -bp /usr/src/redhat/SPECS/util-linux.spec cd /usr/src/redhat/BUILD/util-linux-2.9o/login-utils patch -p0 < login.c.diff make login cp /bin/login /bin/login.oldbinary cp login /bin/login
And it should work.
Firstly get the patches to dtlogin from Sun, I'm unsure of the patch numbers but these are needed. Currently dtlogin on Solaris is not linked with libpam for some wierd reason, and pam_smb doesn't link itself automatically, so after running configure on a Solaris 2.6 box and -lpam to the EXTRALIBS at the top of the generated Makefile and then compile it.
Let me hear a HELL YES!. pam_smb unlike winbind isn't magic, it can't get enough information to provide NSS, passwd and group info. You must have local users pam_smb only saves sync'ing the password file.
In certain circumstances where only a yes/no answer is required, the nolocal option can be used, this is typically only on access control lists for websites, proxy servers and dialin servers.
This is due to two pam_smb module running simultaneously and trying to talk to the same NT server, the NT server gets confused when the same NetBIOS name tries to login twice at the same time, a retry should always work, but this problem can be annoying especially with automatic e-mail clients and the like.
Run v2 in daemon mode to solve this issue.
This is a several part answer:
It is reccommended that pam_smb be listed after the local system authentication. This is because in larger environments, an NT domain controller may have X number of failed requests for a user account cause the account to lock. Therefore, by listing it second to local authentication, a valid local authentication will not cause a "failed" attempted from the perspective of the NT Domain controllers. You will most likely need to change the AUTH entry before it from required to sufficient and remember to include the "use_first_pass" option on the pam_smb line. Example:
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_smb_auth.so debug cachetime=20 use_first_pass
It is reccommended that pam_smb be listed after the local system authentication. This is because in larger environments, an NT domain controller may have X number of failed requests for a user account cause the account to lock. Therefore, by listing it second to local authentication, a valid local authentication will not cause a "failed" attempted from the perspective of the NT Domain controllers. You will most likely need to change the AUTH entry before it from required to sufficient and remember to include the "use_first_pass" option on the pam_smb line. Example:
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_smb_auth.so debug cachetime=20 use_first_pass
For version 1.9.8 (development version) you need be very concerned! However, there is some excellent news: for releases post 1.9.8 the authentication cache only stores MD5 hashes of the passwords. Optionally, you could use the Makefile.crypt in the pamsmbd directory to replace the MD5 hash with standard UNIX crypt. Both are one way hashes with no means for decryption thus keeping anything in the cache is fairly safe. Also, the cache files should be stored similar to Shadows files on a system, such that only root (the user running pamsmbd) should have any access to it. The largest difference between crypt and MD5 from the pam_smb perspective is that UNIX crypt only uses the first 8 characters of the password. Being the NT passwords can be longer than 8 characters, we believe the MD5 is probably the safer way to go.
This can be dynamicly controled without requiring a restart of any component by simply making changes to your pam.conf (Solaris/HP-UX/etc...) or appropriate files in your "pam.d" directory. You will need to pass the "cachetime=N" param on the pam_smb line. Where N = the number of minutes to cache the authentication. The default value is 15 minutes. If N=0 then, pamsmbd will not keep a cache. If N=-1, then pamsmbd will not expire (not timeout) a cached entry.
auth required /lib/security/pam_smb_auth.so cachetime=20 use_first_pass
This can be dynamicly controled without requiring a restart of any component by simply making changes to your pam.conf (Solaris/HP-UX/etc...) or appropriate files in your "pam.d" directory. You will need to pass the "debug" param on the pam_smb line.
auth required /lib/security/pam_smb_auth.so debug use_first_pass