[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: disable "fake" samba authentication error messages

Luke Kenneth Casson Leighton writes:
> > 
> > On Thu, 2 Jul 1998, Urs Rau wrote:
> > 
> > > What bothers me is that samba is filling up my log files with a lot of 
> > > extraneous/fake entries about authentication failures. "Extraneous/fake" - 
> > > because all it is is a reflection of the way the protocol actually tries to login - 
> > > going through the upper/lower case mutations as configured.
> This is due to the Windows machines forcing the password to be uppercased.
> A cracking algorithm is applied, which can be short-circuited by asking
> your users to only use lower case letters in passwords.  This will still
> allow numbers and non-numeric characters but may still not satisfy the
> truly paranoid.
> The alternative is to use encrypted passwords, and maintain the UNIX and
> NT / LM password databases seperately: there are tools to do this.

This may be eliminated if it is possible to get samba to work like this:

conv(..., app_data)
	/* use app_data to indicate how many times we've been called */
	if ( first_time ) {
		return string_as_typed
	} else ( second_time ) {
		return string_upper_cased
	} else {
		return nothing_more

	if (pam_authenticate != PAM_SUCCESS
		&& pam_authenticate != PAM_SUCCESS) {
		/* bad - you should also check for MAX-TRIES
		         return... */
	/* good */

Since pam_pwdb, which is probably what is generating a lot of your log
messages, keeps a record of who tried and failed and only logs a
message if each failure is not followd by a success.  As long as you
keep calling pam_authenticate() and succeed once, I think you'll not
have a problem.

[It is the pam_end() call that cleans up pam_pwdb's mental note
(pam-data structure) that actually does the logging in this case.]

Perhaps the problem in samba is more complicated?



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []