On Thursday 08 April 2004 15:42, Volkov Peter Alexandrovich wrote:
> Hi.
>
> I have a Samba server. I'd like to use it as a WINS server and, as this
> computer is only a Samba server, it's a good idea to make it the local
> master browser. It's OK with configuration of PAM, but some time after
> the server was up users began to blame me for bad network browsing. I
> blame PAM.
>
> The first sign was during ssh login. It takes a long time to connect on
> an absolutely free server! Then during system startup, after starting
> the last service, everything hangs for >20 seconds and only after this I can
> see the login invitation.
>
> Yesterday I rebuilt the system from stage 3, and for 1 day everything
> worked very fast (as it must work) but now again this delay doesn't
> allow users to browse in a normal way (as this computer is the local
> master browser (NBT)).
>
> A little experiment to understand that it is really PAM. I've started
> sshd -d to see what is going on. So:
>
> file-server root # sshd -d
> debug1: sshd version OpenSSH_3.7.1p2
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> socket: Address family not supported by protocol
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
>
> At this point the server is waiting for connections... then I'm trying to
> connect:
>
> Connection from 172.16.0.1 port 32781
> debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2
> debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
> debug1: permanently_set_uid: 22/22
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user root service ssh-connection method none
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "root"
>
> At this point the process stops for >20 seconds and then, with the next
> strings of text, the password prompt was shown to me...
>
> As Samba uses PAM for authentication, for now I am sure that it is
> PAM that slows down the whole Windows networking.
>
> I have 4 boxes with identical configuration (although the hardware
> differs a bit) but this happens only on one of them.
>
> How to speed up PAM? How can I find out more details about the problem?

How is your PAM authentication set up? What are the contents
of /etc/pam.d/sshd, /etc/pam.d/system-auth
and /etc/pam.d/system-auth-winbind?

If you use system-auth-winbind, then don't use PAM authentication for
Samba. Also, in general, using standard authentication for Samba is quite
insecure. It seems that the problem is caused by some kind of
authentication loop.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net

--
gentoo-security@g.o mailing list
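
Added example, not part of the original thread or of any project's code: one way to do the check the reply asks for is to flatten the `auth` stack that sshd actually evaluates across /etc/pam.d/sshd, system-auth and system-auth-winbind, and mark modules that depend on an external backend. It goes beyond the thread by following `pam_stack.so service=NAME`, `include`, `substack` and `@include` references and by reporting a file that includes itself. The file contents in `SAMPLE`, the `REMOTE_MODULES` watch list and the function names are assumptions constructed for illustration.

```python
import os
import re

# Assumed watch list (not from the thread): modules that query a daemon or network.
REMOTE_MODULES = {"pam_winbind.so", "pam_ldap.so", "pam_krb5.so"}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed stand-ins for the three files named in the reply.
SAMPLE = {
    "sshd": "auth required pam_stack.so service=system-auth\n"
            "account required pam_permit.so\n",
    "system-auth": "auth required /lib/security/pam_env.so\n"
                   "auth sufficient pam_unix.so likeauth nullok\n"
                   "auth required pam_stack.so service=system-auth-winbind\n",
    "system-auth-winbind": "auth sufficient pam_winbind.so use_first_pass\n"
                           "auth required pam_deny.so\n",
}

def flatten(service, files, mgmt="auth", chain=()):
    """(file, control, module) rows for one management group, in evaluation order."""
    if service in chain:  # a file that pulls itself back in
        return [(service, "LOOP", " -> ".join(chain + (service,)))]
    if service not in files:
        return [(service, "MISSING", "")]
    rows, chain = [], chain + (service,)
    for raw in files[service].splitlines():
        text = raw.split("#", 1)[0].strip()
        m, target = LINE.match(text), None
        if text.startswith("@include "):  # Debian-style, applies to every group
            target = text.split()[1]
        elif not m or m.group(1) != mgmt:
            continue
        elif m.group(2) in ("include", "substack"):
            target = m.group(3)
        elif os.path.basename(m.group(3)) == "pam_stack.so":  # service=NAME indirection
            svc = re.search(r"\bservice=(\S+)", m.group(4))
            target = svc.group(1) if svc else None
        if target:
            rows += flatten(target, files, mgmt, chain)
        else:
            rows.append((service, m.group(2), os.path.basename(m.group(3))))
    return rows

def remote_modules(rows):
    return [r for r in rows if r[2] in REMOTE_MODULES]

if __name__ == "__main__":
    for row in flatten("sshd", SAMPLE):  # on a host, build `files` from /etc/pam.d
        print("%-20s %-11s %s" % row, "<-- remote backend" if row[2] in REMOTE_MODULES else "")
```

Running the same walk on each of the four boxes and comparing the output shows whether the slow one has a backend-dependent module in its sshd path that the others lack.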